The cyberattacks began three weeks ago and are now targeting cloud servers. Meanwhile, anonymous hackers have demanded an unusually low ransom fee to release files, the Financial Times (FT) reported on Thursday. The attack targeted various computer networks, racking up almost 5,000 victims in Europe and the U.S., including Hungarian and U.S. universities, Italian construction and shipping firms, and German manufacturers. While most victims have been asked by law enforcement not to comment at this time, the hackers are believed to hail from Russia and China, judging from their public recruitment announcements online. “The scale of this campaign is one of the biggest we have seen,” Shmuel Gihon, a security researcher at Israeli cybersecurity firm CyberInt, told FT.
Surprisingly Low Ransom Demands After an Effortless Attack
As-yet unknown hackers demanded a ransom of two Bitcoins — about $50,000 at the time of writing — to release their grip on some of the computer networks taken hostage. Ransom demands for attacks of this caliber are usually far higher: the average ransom paid rose from $115,123 in 2019 to $312,493 in 2020, according to Palo Alto research in its 2021 ransomware report. 2021 was also a record-breaking period for ransomware-related payments, when U.S. banks shelled out around $1 billion, mostly to Russia-based hackers. What also surprised security experts is the effortlessness with which these hacking newcomers captured significant portions of the West’s internet infrastructure. Nevada Group is “a solid new threat in our landscape in the near future,” Gihon said, adding that the attack could spawn copycats very soon. What may happen is that “veteran groups see the potential damage they can do,” he added. “The campaign encrypts configuration files on vulnerable ESXi servers, potentially rendering clients’ virtual machines unusable. Internet-wide scans within days after the first reports surfaced showed a rapid infection rate,” cybersecurity firm CyberCube reported.
Older Servers Are Extremely Vulnerable
According to Tim Adler from threat intelligence firm Information Age, French companies have been hit with 2,000 ransomware demands. Companies that rented older “bare-metal” servers — sold by Europe’s biggest cloud provider, OVHcloud, and running VMware software — are most at risk. These servers are “essentially mirror copies of the data companies used to keep on-site, without any additional overlaid cybersecurity,” Adler said, adding that these servers must be individually patched, which can take anywhere from a few hours to two days. Furthermore, up to 70,000 outdated VMware ESXi servers may be hit in this ransomware campaign, according to an analysis by CyberCube. The first reports of “the automated ransomware campaign ESXiArgs surfaced on Friday, February 3rd,” the company said.
The ‘ESXiArgs’ Automated Ransomware
At the moment, there is confusion surrounding the source of Nevada Group’s ransomware campaign. Some believe it has ties to the “ESXiArgs” campaign — connected to the Daixin Team’s modus operandi of targeting U.S. businesses’ virtual VMware ESXi servers back in Oct. 2022. Others believe Nevada’s ransomware is tied to the ‘Babuk’ source code used by Russian-speaking hackers, which has also been found in other ESXi server ransomware attacks. CyberCube said these events are similar to when the REvil ransomware group attacked Kaseya’s VSA remote management software, which affected hundreds of organizations around the world. The company added that, given that thousands of servers have been encrypted already, this campaign is “starting to look like it could end up being comparable to (or worse than) Kaseya.” ESXiArgs exploits a software vulnerability commonly found in VMware virtualization software and cloud servers. On Feb. 15, VMware published advice on its blog for those hit by a Nevada/ESXiArgs attack. “In the future, we could see threat actors innovate to include previously undisclosed zero-day vulnerabilities in this type of attack or target up-to-date versions of critical cloud infrastructure such as VMware ESXi hypervisors,” CyberCube said. It is critical that organizations protect themselves from APT groups that attack critical infrastructure. Find out all there is to know about ransomware and how to protect your systems from attack in our in-depth ransomware overview.
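The failure mode both CyberCube quotes describe is that a VM's configuration file is encrypted and the VM can no longer be started. As an added defender's example (not code from the article or from VMware), the script below audits a datastore directory and flags every VM folder whose .vmx is missing or no longer parses as the plain `key = "value"` text that ESXi writes; the datastore layout and the sample VM folders are constructed here for illustration.

```python
import re
import tempfile
from pathlib import Path

# ESXi .vmx files are plain text, one `key = "value"` pair per line (ESXi convention,
# not something the article states). These keys are present in every usable config.
VMX_LINE = re.compile(r'^\s*([\w.:\-]+)\s*=\s*"(.*)"\s*$')
REQUIRED_KEYS = {"config.version", "virtualHW.version", "displayName"}

def parse_vmx(path):
    """Return the key/value pairs of a .vmx file, or None if it is not valid text config."""
    try:
        text = path.read_text(encoding="utf-8")
    except (UnicodeDecodeError, OSError):
        return None        # ciphertext is not valid UTF-8 text
    config = {}
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = VMX_LINE.match(line)
        if m is None:
            return None    # any line that is not key = "value" means the file is damaged
        config[m.group(1)] = m.group(2)
    return config

def audit_datastore(datastore):
    """Map each VM directory under `datastore` to ok / missing-vmx / damaged-vmx."""
    report = {}
    for vmdir in sorted(p for p in Path(datastore).iterdir() if p.is_dir()):
        vmx_files = list(vmdir.glob("*.vmx"))
        if not vmx_files:
            report[vmdir.name] = "missing-vmx"
            continue
        config = parse_vmx(vmx_files[0])
        if config is None or not REQUIRED_KEYS.issubset(config):
            report[vmdir.name] = "damaged-vmx"
        else:
            report[vmdir.name] = "ok"
    return report

def build_sample_datastore():
    """Constructed sample: one intact VM and one whose .vmx was overwritten with ciphertext."""
    root = Path(tempfile.mkdtemp(prefix="datastore1-"))
    (root / "web01").mkdir()
    (root / "web01" / "web01.vmx").write_text(
        '.encoding = "UTF-8"\nconfig.version = "8"\nvirtualHW.version = "19"\n'
        'displayName = "web01"\nscsi0:0.fileName = "web01.vmdk"\n')
    (root / "db01").mkdir()
    # Bytes 0x80-0xFF on their own are never valid UTF-8; they stand in for an encrypted config.
    (root / "db01" / "db01.vmx").write_bytes(bytes(range(128, 256)))
    return root
```

On a real host the same audit can be pointed at the datastore mount path so that config damage is caught before the VM is next powered on, and a report of `ok` for every directory gives a baseline to compare against after patching.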