Hundreds of machines compromised, France affected


“Security alert! We have successfully hacked your business”. This is the type of message (in English), accompanied by a ransom demand, that thousands of system administrators have seen appear, as a large-scale cyberattack has been hitting most developed countries for three days. While it is still impossible to quantify the damage, France seems to be one of the most affected countries. It was also CERT-FR (Computer Emergency Response Team), which reports to ANSSI, the French state's cyber firefighter, that sounded the first general alarm on Friday evening.

Almost at the same time, Octave Klaba, boss of the European cloud champion OVH, invited his customers to update their servers urgently.

As with Petya in 2016, WannaCry in 2017 or REvil in 2019, this wave of attacks is due to the massive distribution, since Friday, of a ransomware called ESXiArgs. It mainly targets VMware virtual machines, which are widely used by companies or administrations to run various services, and exploits a flaw known for two years that allows arbitrary code to be executed on the machine when it is connected to the Internet.

Its most visible action is the encryption of certain key files and the display of a page inviting the victim to pay a variable sum (often around 2 bitcoins, or €42,000 at the current price) to obtain the decryption key. Classic behavior for ransomware.

To guard against this, all you have to do is update the machine. But “applying patches alone is not enough,” warns CERT-FR. “Indeed, an attacker has probably already exploited the vulnerability and may have dropped malicious code. It is recommended to perform a system scan to detect any signs of compromise.”

One flaw, two ransomware

Another ransomware also seems to be operating in parallel: Nevada. It has been an emerging threat for several weeks, according to the American firm Resecurity, which has detailed its operation in a long article [text in English]. A prototype of “ransomware as a service,” Nevada is rented out by its creators for a fee of 15% of the ransom. Note that the ransomware, which appeared in December on a dark web site well known to Russian and Chinese cybercriminals, is designed to spare most countries of the former USSR, Russia first among them, but also countries like Turkey, Hungary or Iran.

Apart from the fact that they exploit the same flaw, however, no link between ESXiArgs and Nevada seems to have been established. OVH, which initially attributed the attacks on its servers to Nevada, withdrew that attribution on Sunday. In the overwhelming majority of cases, it is ESXiArgs that is at work.

Massive internet blackout in Italy

France (and the French host OVH, which could explain France’s first place on the podium) appears by far to be the most affected country, ahead of the United States, Germany, Canada and the United Kingdom. More than 3,200 infected machines had been identified this weekend by the Censys platform, which specializes in cyber risk analysis, including more than 1,200 in France. These figures reflect only the number of compromised machines: the number of victims is probably much higher. According to the specialized site LeMagIT, a site linked to the city of Biarritz was reportedly affected, as well as several start-ups and SMEs whose activity is paralyzed.

Coincidence: Italy experienced a giant internet outage this weekend. The network suddenly collapsed on Sunday at the start of the afternoon, with the specialized site NetBlocks noting a drop in connectivity of 74% compared to usual levels. According to the Italian press agency Ansa, the incident reportedly resulted from an “international connection problem” that affected Telecom Italia, the country’s main operator. But the peninsula is also affected by the wave of cyberattacks: the ANC (Italian equivalent of ANSSI) issued an alert bulletin, and a crisis meeting was organized on Monday.

Who is behind ESXiArgs? Suspicion is obviously directed at Russia, the hub of the ransomware industry, where the lines between spooks, profit-driven cybercriminals, and patriotic hacktivists encouraged by the Kremlin are often porous.

But the attribution of an attack always proves to be an insoluble puzzle for cybersecurity researchers: at best, the trail seems to lead to a country, a linguistic zone or a modus operandi already encountered, without it being possible to reach any certainty. Especially since appearances can be deceiving. In the past, we have seen “ransomware” used as a front for more destructive cyberattacks. This was the case with NotPetya in 2017, which was quickly revealed for what it was: a wiper, a program responsible for permanently erasing data. Suspicion had already fallen on Russia at the time. But more recently, other actors seem to have used the same methods against Moscow: CryWiper, a fake ransomware that appeared last fall, only infected local Russian courts or administrations.

As it stands, however, nothing indicates that ESXiArgs pursues any objective other than enriching its operators. Some experts even believe that it could be a campaign launched in haste, led by a lone hacker. The ransomware is far from unstoppable: a Turkish cybersecurity specialist quickly published a method that makes it possible, in the majority of cases, to recover encrypted data [link in English, for specialists].


