A failure to install software patches has allowed hackers to spread ransomware to hundreds of vulnerable servers across the globe. 

Over the weekend, cybersecurity agencies for France(Opens in a new window) and Italy(Opens in a new window) warned about a ransomware campaign targeting enterprise servers running VMware's ESXi software. The ransomware spreads by exploiting a vulnerability that VMware originally patched two years ago. 

The vulnerability, dubbed CVE-2021-21974(Opens in a new window), can pave the way for an unauthenticated user to launch rogue computer code over VMware’s hypervisors, which can host multiple virtual machines on a physical server. 

To stop the attack, Europe’s cyber authorities are urging users to install the VMware patches for the company’s ESXi product. However, France is also warning that simply installing the patch may not be enough. “Indeed, an attacker has probably already exploited the vulnerability and may have dropped malicious code. It is recommended to perform a system scan to detect any signs of compromise,” the country’s cybersecurity agency said. 

French cloud computing provider OVHcloud reports(Opens in a new window) the attacks have been detected globally. Once a compromise occurs, the ransomware will try to encrypt all the files on the server’s virtual machines before shutting them down. 

Israeli cybersecurity firm DarkFeed published the ransomware note(Opens in a new window) the hackers are sending to victims. The attackers are demanding two bitcoins ($46,000) in ransom within three days in order to receive the decryption key. In addition, the hackers claim they’ve stolen the files from the virtual machines and plan on leaking them to the public if the victim fails to pay up. 

Security researchers have since uncovered evidence that the hackers have infected hundreds(Opens in a new window) of servers with ransomware. Another estimate from(Opens in a new window) BleepingComputer bumps that to thousands.

Fortunately, it may be possible to recover some of the files encrypted during the ransomware attack. “In some cases, encryption of files may partially fail, allowing to recover data,” OVHcloud said, citing findings(Opens in a new window) from a security researcher. “We tested this procedure as well as many security experts with success on several impacted servers. The success rate is about 2/3.”  

VMware didn’t immediately respond to a request for comment. The vulnerability affects VMware ESXi software versions 6.5, 6.7, and 7.0.