On 2023-02-03, a campaign was reported in which an unknown actor gained initial access via a 1-day vulnerability to carry out a RansomOp. The following tools were observed: Babuk.
# Incident Report: ESXi Ransomware Campaign (Babuk Variant)
## Executive Summary
On February 3, 2023, reports emerged of a widespread ransomware campaign targeting VMware ESXi servers globally by exploiting a known vulnerability. An unknown threat actor utilized a variant of the Babuk ransomware to encrypt virtual machine files, resulting in significant operational disruptions for organizations maintaining unpatched infrastructure.
## Incident Details
- **Discovery Date:** 2023-02-03
- **Incident Date:** Beginning early February 2023
- **Affected Organization:** Multiple Global Organizations
- **Sector:** Cross-sector (Any utilizing VMware ESXi)
- **Geography:** Global (Significant activity in Europe and North America)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa February 3, 2023
- **Vector:** Exploitation of a 1-day vulnerability (CVE-2021-21974)
- **Details:** Attackers targeted the OpenSLP service in VMware ESXi, which contained a heap overflow vulnerability allowing for unauthenticated remote code execution.
### Lateral Movement
- **Details:** Following initial access to the ESXi hypervisor, the actor moved down from the hypervisor to the storage layer, targeting the operational files of the hosted virtual machines on the datastores.
### Data Exfiltration/Impact
- **Details:** The primary impact was the encryption of high-value files, specifically those with extensions `.vmdk`, `.vmx`, and `.vmsn`. No significant evidence of data exfiltration was initially associated with the core automated campaign, indicating a pure "RansomOp" (Ransomware Operation).
### Detection & Response
- **How it was discovered:** Administrative teams identified server outages and the presence of ransom notes on ESXi data stores.
- **Response actions taken:** National cybersecurity agencies issued emergency guidance; organizations began patching OpenSLP services and restoring from offline backups.
## Attack Methodology
- **Initial Access:** Exploitation of CVE-2021-21974 (OpenSLP heap overflow).
- **Persistence:** Direct command execution on the ESXi shell.
- **Defense Evasion:** Targeting Linux-based hypervisors, which often have fewer endpoint security controls than Windows environments.
- **Impact:** Encryption of virtual disks using a Babuk ransomware builder variant.
## Impact Assessment
- **Financial:** High potential costs related to recovery efforts and business downtime.
- **Data Breach:** Critical data availability loss; integrity of virtual machines compromised.
- **Operational:** Total shutdown of virtualized environments and guest operating systems.
- **Reputational:** High for organizations found to have left a two-year-old vulnerability unpatched on internet-facing infrastructure.
## Indicators of Compromise
- **File indicators:**
  - `encrypt` (the ELF executable)
  - `motd` (the ransom note deposited in the Message of the Day)
  - Extension: `.args`, `.ext`, or similar appended to encrypted volumes.
- **Behavioral indicators:**
  - Unexpected CPU spikes on ESXi hosts.
  - Termination of `vmx` processes.
  - Unusual traffic on port 427 (SLP).
## Response Actions
- **Containment:** Disabling the Service Location Protocol (SLP) service on ESXi hosts.
- **Eradication:** Removal of the malicious `encrypt` binaries and ransom notes from the `/tmp` and `/vmfs` directories.
- **Recovery:** Restoring virtual machine flat files from backups. In some cases, partial recovery was possible by rebuilding header files if the flat file was not fully encrypted.
## Lessons Learned
- **Patch Management:** The exploitation of a vulnerability that had a patch available since 2021 highlights critical failures in lifecycle management.
- **Attack Surface:** Exposing management interfaces (like ESXi shells or SLP) directly to the internet is a high-risk configuration.
- **Backup Integrity:** Organizations with air-gapped or immutable backups recovered significantly faster than those with connected backups that were also targeted.
## Recommendations
- **Immediate Patching:** Update ESXi hosts to the latest supported versions.
- **Disable OpenSLP:** If not required, disable the SLP service via the ESXi command line.
- **Network Segmentation:** Ensure ESXi management interfaces are not accessible from the public internet and are restricted to a management VPN or VLAN.
- **Security Hardening:** Implement firewall rules (ESXi firewall) to restrict access to ports like 427.
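The file indicators from the Indicators of Compromise section and the SLP containment step from the Response Actions and Recommendations, as a POSIX shell script added here as an example (not part of the original report). It assumes `find` and `grep` are available, treats `/` or a mounted forensic image as the sweep root, and the ransom-note keyword pattern is an assumption rather than text from the report; the SLP-disable commands are the ones VMware documents for ESXi 6.x/7.x and are skipped where `esxcli` is absent.

```shell
#!/bin/sh
# Added example, not part of the original report. Two defender helpers:
#   esxi_ioc_sweep ROOT   - hunts for the file indicators listed above under ROOT
#   esxi_disable_slp      - the SLP containment step from the recommendations
# ROOT may be / on a live ESXi host or a mounted forensic image of one.
HITS=0

# Read newline-separated paths on stdin, print each with LABEL and count it.
# Fed through a here-document so the loop runs in the current shell and HITS persists.
report_hits() {
    while IFS= read -r f; do
        [ -n "$f" ] || continue
        echo "$1: $f"
        HITS=$((HITS + 1))
    done
}

# Returns 0 when no indicator is found under ROOT, 1 otherwise.
esxi_ioc_sweep() {
    root="$1"
    HITS=0
    # Encrypted VM files renamed with the .args extension (e.g. web01.vmdk.args)
    report_hits ENCRYPTED-FILE <<EOF
$(find "$root" -type f -name '*.args' 2>/dev/null)
EOF
    # The dropped ELF encryptor, named "encrypt" (the report cites /tmp and /vmfs)
    report_hits ENCRYPT-BINARY <<EOF
$(find "$root" -type f -name 'encrypt' 2>/dev/null)
EOF
    # A motd carrying the ransom note (keyword pattern is an assumption, not from the report)
    report_hits RANSOM-NOTE <<EOF
$(find "$root" -type f -name 'motd' -exec grep -liE 'ransom|decrypt|bitcoin' {} + 2>/dev/null)
EOF
    echo "total indicators: $HITS"
    [ "$HITS" -eq 0 ]
}

# Containment: stop SLP, disable its port 427 ruleset in the ESXi firewall, keep it
# off across reboots. Acts only where esxcli exists (a real ESXi host); returns 2 elsewhere.
esxi_disable_slp() {
    if ! command -v esxcli >/dev/null 2>&1; then
        echo "esxcli not found: not an ESXi host, no changes made"
        return 2
    fi
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    chkconfig --list | grep slpd      # expect: slpd  off
}
```

On a live host, run `esxi_ioc_sweep /` before eradication so the hits are recorded, then `esxi_disable_slp` as the containment step.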