‘Nevada Group’ hackers target thousands of computer networks

A mysterious and unidentified group of hackers have sought to paralyse the computer networks of almost 5,000 victims across the US and Europe, in one of the most widespread ransomware attacks on record.

The hacking unit, initially nicknamed the Nevada Group by security researchers, began a series of attacks that started around three weeks ago by exploiting an easily fixed vulnerability in a piece of code that is ubiquitous in cloud servers.

The Financial Times contacted several victims identified from the publicly available information. Most declined to comment, saying they had been asked by law enforcement to do so. They include universities in the US and Hungary, shipping and construction firms in Italy and manufacturers in Germany.

Authorities have yet to identify the perpetrators, guessing only from their recruiting announcements on the web that it is a mix of Russian and Chinese hackers.

The hackers have demanded a surprisingly small ransom to release their hold over computer networks — as little as two bitcoins (around $50,000) in some cases, according to copies of their ransomware notes that were briefly visible. By contrast, a rival gang demanded $80mn from the UK’s Royal Mail in another recent and high-profile attack.

This ease with which this new group has fanned across vast swaths of the west’s internet infrastructure underlines the nature of much of the ransomware threatening businesses around the world. Most of the attacks are relatively simple, yield small sums and often go unnoticed.

In a scene that features rival, and often feuding, ransomware gangs, this unknown newcomer is “a solid new threat in our landscape in the near future”, said Shmuel Gihon, at Israeli cyber security firm CyberInt.

He warned that the simplicity and breadth of the attack could spawn copycats. “The scale of this campaign is one of the biggest we have seen, (and since it is ongoing), the real problem is that veteran groups see the potential damage they can do.”

The ransomware campaign is now referred to as the ESXiArgs, after the loophole it exploits — though there is some confusion as to whether it and the Nevada Group are the same or copying off each other.

In February 2021, US cloud software group VMware found a vulnerability that would allow hackers to gain access to computer networks running its software, and released a patch that would fix the problem.

Two years later, the ESXiArgs hackers have found a way to scan the internet to find VMware customers who had — either through incompetence, laziness or plain ignorance — yet to patch their networks, and seized control of thousands of them.

VMware declined to comment other than to email links to a blog offering technical advice.

The largest number of victims are clustered in France — with 2,000 known to have been targeted in that country alone. These are mostly networks that are hosted on the cheapest service sold by Europe’s biggest cloud provider, OVHCloud, and accessed using VMware’s product. An OVHCloud spokesperson said the company was providing technical support to its customers and co-operating with law enforcement.

At OVH, the compromised networks were in a cluster of customers that have rented “bare-metal servers” — essentially mirror copies of the data firms used to keep on-site, without any additional cyber security services, meaning that they would have to be individually patched.

“It takes maximum a few hours to do this in most settings, maybe a weekend for a complicated or ancient network,” said one IT engineer who was helping one French firm recover, speaking on the condition of anonymity. “Why it wasn’t done is an easy guess.”

Many were not patched, leaving them vulnerable to the malware, according a person familiar with the investigations at OVHCloud.

“It’s a very simple server. Decades ago, you maybe had one in your building, and then you just copied that data into the cloud, but you kept using it the same way you did,” the person said.

For reasons researchers still do not fully understand, the attackers then left their ransom notes publicly visible — rather than hidden inside the network — with publicly traceable bitcoin wallets.

That has allowed researchers at Censys, a company that helps others reduce their vulnerability to hacking, to track 4,468 likely victims, with France, the US, UK and Germany making up the vast majority.

A week into the attacks, the US Cybersecurity and Infrastructure Security Agency (CISA), released a relatively simple, makeshift workaround, which allowed some victims to regain access to their data.

Within hours, the attackers tweaked their malware, blunting the solution completely, and snaring hundreds more victims.

“It’s been interesting to watch the actors behind it respond in near-real time to mitigations and research provided by the security community,” said Censys Security. “The timing of these changes speaks to the actor’s capability.”

CISA said it “is working with our public and private sector partners to assess the effects of these reported incidents and providing assistance where needed.”