A Week of Rampant Ransomware: Breaking Down Ion, VMware Attacks

A stretch of recent ransomware incidents impacted semiconductor manufacturer MKS Instruments, the Ion Markets derivatives platform, and VMware ESXi servers across the globe. Here's what IT leaders should know.

Brian T. Horowitz, Contributing Reporter

February 8, 2023


UPDATED FEB. 9 -- Ransomware seems like it’s everywhere. In the last week alone, several attacks hit corporate networks, with cybercriminals using malicious software to block access to files or computer systems until the victims paid.

Ransomware incidents rose 13% year over year, according to the 2022 Verizon Data Breach Investigations Report (DBIR), an increase Verizon described as being as large as the previous five years combined.

Recent attacks targeted production systems in regulated industries like manufacturing and finance. Here's a rundown of the latest ransomware incidents and what steps IT leaders should take to mitigate and prevent these threats.

Attack on the Ion Markets Derivatives Platform

Financial data firm Ion paid a ransom for an attack that disrupted the trading and clearing of financial derivatives, according to Reuters. Russian ransomware group LockBit conducted the attack, according to the news outlet.

The incident, which began Jan. 31, affected “scores of brokers,” the news outlet said, but Ion said its Fidessa trading platform was unaffected by the attack.

A US Treasury Department senior official told Bloomberg that the ransomware attack doesn’t present a “systemic risk to the financial sector.”

However, ABN AMRO Clearing and Intesa Sanpaolo, a large bank in Italy, were affected, and brokers had to turn back the clock and enter trades manually in spreadsheets during the outage, Reuters reported.

“The incident is contained to a specific environment, all the affected servers are disconnected, and remediation of services is ongoing,” Ion said in a Jan. 31 statement.

Ion began resuming cleared derivatives platform services for clients on Tuesday night, Feb. 7, according to Reuters.

VMware ESXi Attacks Across the Globe

A wave of ransomware attacks hit VMware ESXi, the bare-metal (type-1) hypervisor that companies use to run virtual machines. CERT-FR, the French national government computer security incident response team, published an alert on Feb. 3. The campaign affected about 2,400 VMware ESXi servers, per BleepingComputer.

The attackers did not need a new exploit: CERT-FR said the campaign abuses a known flaw in the ESXi OpenSLP service that VMware patched in February 2021 (CVE-2021-21974), for which exploit code has been available since at least May 2021. The hosts being hit are ESXi 6.5, 6.7 and 7.0 installations that never received those patches. VMware's blog post added that the ransomware is targeting products that are significantly out of date or have reached end of general support (EOGS).

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks,” the company stated in its post.

To address the threat, VMware advised customers to upgrade vSphere components to versions that address the latest vulnerabilities. It also advised disabling the OpenSLP service in ESXi.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery tool for victims of the "ESXiArgs" ransomware. The tool is available for free on GitHub; it works because the ransomware encrypted virtual machines' configuration and disk-descriptor files but left the large flat disk files intact, so the script rebuilds the VM metadata from those files. CISA advises organizations to review the script and understand its effect on their systems before running it.

For hosts that have been compromised, CERT-FR recommends the following steps:

  1. Isolate the impacted server.

  2. Reinstall the hypervisor in a version that the publisher supports (ESXi 7.x or ESXi 8.x).

  3. Apply all security patches and check for vendor advisories.

  4. Disable unneeded services on the hypervisor, including the SLP service.
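To make VMware's OpenSLP advice and CERT-FR's step 4 checkable, here is an added example in Python; it is not code from the article, VMware or CERT-FR. It parses the text that three commands print on an ESXi host, `esxcli system version get`, `esxcli network firewall ruleset list` and `chkconfig --list`, flags an unsupported 6.x release, an open CIMSLP firewall rule and an enabled slpd service, and lists the hardening commands for each finding. The sample command output embedded below is constructed for the example, not captured from a real host; the remediation commands are the ones VMware documents for turning off SLP on ESXi (stop slpd, close the CIMSLP firewall rule, disable slpd at boot).

```python
"""Check an ESXi host against the ESXiArgs hardening steps and print what to run.

Feed it the output of three commands run on the host (for example over SSH):
    esxcli system version get
    esxcli network firewall ruleset list
    chkconfig --list
"""

# Constructed sample output for a stale, SLP-exposed host (not captured from
# a real system). Replace with the real command output when auditing.
SAMPLE_VERSION = """\
   Product: VMware ESXi
   Version: 6.7.0
   Build: Releasebuild-14320388
   Update: 3
   Patch: 73
"""

SAMPLE_RULESETS = """\
Name                    Enabled
----------------------  -------
sshServer               true
sshClient               false
CIMSLP                  true
httpClient              true
"""

SAMPLE_CHKCONFIG = """\
hostd                   on
slpd                    on
sfcbd-watchdog          on
"""

# ESXi major releases the CERT-FR steps treat as vendor-supported.
SUPPORTED_MAJORS = (7, 8)

# Commands VMware documents for turning off SLP on an ESXi host.
STOP_SLPD = "/etc/init.d/slpd stop"
DISABLE_SLPD_AT_BOOT = "chkconfig slpd off"
CLOSE_CIMSLP_RULE = "esxcli network firewall ruleset set -r CIMSLP -e 0"
REBUILD_HOST = "# reinstall on a supported ESXi 7.x/8.x release and apply current patches"


def parse_kv(text):
    """Parse 'Key: Value' lines such as 'esxcli system version get' prints."""
    info = {}
    for line in text.splitlines():
        if ":" in line:
            key, value = line.split(":", 1)
            info[key.strip()] = value.strip()
    return info


def parse_rulesets(text):
    """Parse the two-column 'Name Enabled' table; header/dashes are skipped."""
    enabled = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1].lower() in ("true", "false"):
            enabled[parts[0]] = parts[1].lower() == "true"
    return enabled


def parse_chkconfig(text):
    """Parse 'service on|off' lines from 'chkconfig --list'."""
    state = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[1] in ("on", "off"):
            state[parts[0]] = parts[1]
    return state


def build_number(build_field):
    """'Releasebuild-14320388' -> 14320388; None if the field is missing."""
    tail = build_field.rsplit("-", 1)[-1]
    return int(tail) if tail.isdigit() else None


def assess(version_out, rulesets_out, chkconfig_out):
    """Return the findings plus the ordered list of commands to run."""
    info = parse_kv(version_out)
    version = info.get("Version", "0")
    major = int(version.split(".")[0])
    rules = parse_rulesets(rulesets_out)
    services = parse_chkconfig(chkconfig_out)

    findings = {
        "version": version,
        "build": build_number(info.get("Build", "")),
        "unsupported_release": major not in SUPPORTED_MAJORS,
        "cimslp_firewall_open": rules.get("CIMSLP", False),
        "slpd_enabled": services.get("slpd") == "on",
    }
    actions = []
    if findings["slpd_enabled"]:
        actions += [STOP_SLPD, DISABLE_SLPD_AT_BOOT]
    if findings["cimslp_firewall_open"]:
        actions.append(CLOSE_CIMSLP_RULE)
    if findings["unsupported_release"]:
        actions.append(REBUILD_HOST)
    findings["actions"] = actions
    return findings


if __name__ == "__main__":
    result = assess(SAMPLE_VERSION, SAMPLE_RULESETS, SAMPLE_CHKCONFIG)
    for key, value in result.items():
        if key != "actions":
            print(f"{key:>22}: {value}")
    print("\nrun on the host:")
    for cmd in result["actions"]:
        print("  " + cmd)
```

Disabling SLP is a stopgap for hosts that cannot be upgraded immediately; it removes the exposed service but does not patch the flaw, so the host still needs to be rebuilt on a supported release (step 2) and fully patched (step 3).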

“Attackers spreading ransomware often use insecure remote access technologies,” explains Dr. Johannes Ullrich, a SANS faculty fellow and dean of research for SANS Technology Institute, which offers cybersecurity undergraduate and graduate programs. “Examples include Remote Desktop Protocol (RDP) servers with weak passwords, unpatched VPN servers and unpatched virtualization management systems like VMware.”

Ullrich adds that hypervisors like the one from VMware can be tough to patch.

“Patching them requires offloading workloads or, in some cases, may require significant downtime if offloading is not an option,” Ullrich says. “Similarly, patching remote access tools will often disconnect users from the network and cause significant downtime.”

MKS Instruments Suffers Production Halt

The VMware ESXi ransomware campaign impacted production-related systems at semiconductor manufacturer MKS Instruments, per Reuters and US News and World Report. As a result of the attack, MKS halted some operations.

As of press time Feb. 8, the MKS website was down with this message, “Unfortunately, www.mks.com is experiencing an unscheduled outage. Please check back again at a later time.”

Guarding Against Ransomware

Here are some steps to take to avoid ransomware threats.

Improve Security Hygiene

Protecting against ransomware will require companies to ramp up their security hygiene, particularly in the case of the VMware attack, in which systems went unpatched for two years, says John Pescatore, director of emerging security trends at the SANS Institute, an organization that provides cybersecurity training and certifications.

Pescatore also recommends that IT operations set up cloud systems that employ “widely available hardened images to either stop the remainder of attacks or make them much easier to detect and minimize damage.”

Use Multifactor Authentication

Reusable passwords cause a majority of ransomware attacks, Pescatore notes. To combat these threats, he recommends using multifactor authentication. “Educating users is necessary but not sufficient. Think of reusable passwords like asbestos or mold and move quickly to get rid of them!” Pescatore says.

Test Backup Systems

Companies must test backup systems as part of steps to protect against ransomware, according to Pescatore. “Just adding backup systems does not assure success against ransomware,” Pescatore says. “Actually moving operations to backups has to be tested regularly, just like switching to backup power gets tested.”

Limit the Attack Surface

Minimize the attack surface to limit the number of exposed systems, Ullrich advises.

“Administrative consoles to firewalls, security gateways, and hypervisors should only be accessible via a VPN or from specific trusted systems,” Ullrich says. “The functionality of exposed systems should be reduced to the bare minimum to reduce the chance of a vulnerability in an unused feature or module causing a breach.” Once companies properly configure and protect systems, they can reduce the probability of an incident, Ullrich adds.

Update Incident Response Plans

Companies should keep their incident response plans and procedures current to include information on the latest ransomware infections, advises Keatron Evans, principal cybersecurity adviser at Infosec Institute, a Cengage Group cybersecurity training company.

“Many organizations assume incorrectly that their existing response procedures will account for ransomware, and usually it's not the case,” Evans says.

“Remember ransomware is a symptom of some other security control failing and allowing the threat actors into the environment to deploy the ransomware,” Evans adds. “Staying patched, using multifactor authentication and keeping users educated on security threats remain the most effective measures to prevent compromise that would lead to ransomware being deployed.”


About the Author

Brian T. Horowitz

Contributing Reporter

Brian T. Horowitz is a technology writer and editor based in New York City. He started his career at Computer Shopper in 1996 when the magazine was more than 900 pages per month. Since then, his work has appeared in outlets that include eWEEK, Fast Company, Fierce Healthcare, Forbes, Health Data Management, IEEE Spectrum, Men’s Fitness, PCMag, Scientific American and USA Weekend. Brian is a graduate of Hofstra University. Follow him on Twitter: @bthorowitz.


