Fraud Management & Cybercrime , Ransomware

BlackBasta Blamed for Global Attacks on VMware ESXi Servers

Italy, Germany, France, US and Canada Investigating Hacks of Unpatched Servers
BlackBasta Blamed for Global Attacks on VMware ESXi Servers

The Italian cybersecurity agency says at least a dozen hacks against unpatched VMware ESXi servers in the country are likely tied to the BlackBasta ransomware group. Investigators say the ransomware campaign may have hit thousands of organizations worldwide since Thursday.

See Also: Gartner 2024 Magic Quadrant: Enterprise Wired and Wireless LAN Infrastructure

The first attack in Italy began Thursday in Rome against energy company Acea. The company, which generates and supplies electricity and supplies natural gas, has since restored the functionality of its IT systems, according to the Agency for National Cybersecurity, or ACN, speaking to an Italian news agency on Sunday.

The Italian ACN blamed BlackBasta for the attacks, and in a statement given to Italian publication Nova News, Acea confirmed the attack had been carried out by BlackBasta.

ACN did not provide more details on the BlackBasta activities other than that the group is actively targeting unpatched ESXi servers throughout the country.

BlackBasta is a ransomware-as-a-service organization that surfaced in February 2022, deploying double-extortion ransomware attacks against victims. It is believed to have its roots in the now-defunct Conti ransomware group, but BlackBasta code is novel and was rereleased in November with numerous updates aimed at evading antivirus and EDR detection.

2-Year-Old Vulnerability

The vulnerability tracked as CVE-2021-21974 is two years old, and it affects VMware's ESXi servers designed to run virtual machines. VMware released patches for the machines in February 2021.

According to ACN, the campaign is estimated to have targeted thousands of organizations across the world, including at least a dozen cases in Italy. The agency added these numbers could be far higher as some organizations may be unaware that they have been compromised (see: Massive Ransomware Campaign Targets VMware ESXi Servers).

The massive exploitation of the flaw was first flagged Friday by the French CERT, which said an unidentified ransomware campaign was using automated solutions for large-scale compromises.

Speaking to Information Security Media Group, a VMware spokesperson says a group that it dubbed ESXiArgs is behind the campaign. The company did not immediately respond to a request for comment seeking clarification if ESXiArgs is in fact BlackBasta or an affiliate.

The ACN advised vulnerable VMware ESXi users to immediately patch the flaw to avoid potential compromise, adding that attackers are now increasingly targeting vulnerable networks in France, Finland, the United States and Canada. Organizations also are advised to scan systems for the malware. Germany's cybersecurity agency, BSI, issued an alert on Monday.

Deep web monitoring firm DarkFeed tweeted on Monday that VMware ESXi ransomware attacks are continuing to spread globally and said the greatest number of cases are being reported from France. As of Monday, it says, there were 188 instances of compromise there, followed by Germany with 91 cases and the United States with 69.

About the Author

Akshaya Asokan

Akshaya Asokan

Senior Correspondent, ISMG

Asokan is a U.K.-based senior correspondent for Information Security Media Group's global news desk. She previously worked with IDG and other publications, reporting on developments in technology, minority rights and education.

Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing, you agree to our use of cookies.