If either you personally, or the organization you work for, have VMware servers, stop reading this right now and go find out if they are fully patched. If they aren’t, do whatever is required to get them fully patched right now, and do not stop to do literally anything else until they are patched. Yes, it’s that important.
VMware ESXi virtualization servers have not had a great deal of malware that directly targets them and is actually successful. There have been a few over the years, but in general they haven’t been under active attack enough to really rise to the top of the security to-do list, despite being an absolutely critical part of an organization’s digital infrastructure.
Among other things, this results in ESXi servers taking a long time to get patched. It’s not uncommon for organizations to have ESXi servers that are years out of date. This has been causing problems as cybercriminals realize just how vulnerable ESXi deployments really are.
This time, however, malware authors have discovered a particularly useful vulnerability. While a patch exists for this vulnerability, it’s so easy to exploit that multiple different malware authors are taking advantage—among them at least one ransomware gang.
The good news is that a recovery tool was released to help people caught up by this. The bad news? Well, ESXi servers are so critical to an organization’s operation that as soon as the tool was released, the ransomware was iterated to work around it. So none of this is going away, nor is this incident a one-off. ESXi malware is here to stay, and if your organization is not absolutely on the ball with regards to VMware patching, you’re looking at potentially a bad couple of years.
