Cyber Incident Victim: Ikoula
Date:
Feb 2023
Location:
France
Summary
A ransomware campaign targeted Internet-exposed VMware ESXi hypervisors worldwide, affecting customers of several hosting providers, Ikoula among them. The attackers exploited unpatched vulnerabilities in older ESXi releases (chiefly the 6.x branch), most likely CVE-2021-21974, a heap overflow in the OpenSLP service listening on port 427, to deploy the ESXiArgs ransomware. Encrypted files received a .args extension, and each victim was asked for roughly 2 Bitcoin. The operation appeared automated, hitting thousands of servers with a notable concentration in France. Early reports floated links to the Nevada or CheersCrypt ransomware families, but the scale and method matched a broad opportunistic sweep rather than hands-on intrusions. Several providers observed compromised infrastructure and issued urgent advisories to patch and to restrict network access at the firewall.
Description
On February 3, 2023, the French cloud provider Ikoula issued a public alert on Twitter at approximately 12:40 PM CET, warning customers that servers running VMware ESXi 6.5 and 6.7 were actively being compromised by ransomware. The company urged them to restrict access at the firewall immediately and to disable SSH. Reports from affected organisations accompanied the alert: the co-founder of Nice Météo 06 confirmed around 1:40 PM CET that their ESXi host had been encrypted and that a ransom of 2 Bitcoin (BTC) was being demanded. Shortly after 2:30 PM CET, Scaleway founder Arnaud de Bermingham amplified the warning on Twitter, advising all ESXi 6.x users to apply updates immediately as the attack spread rapidly.

Within hours the incident had expanded globally, compromising thousands of VMware ESXi servers through an automated campaign. The attackers deployed a small (roughly 49 KB) encryption executable through shell scripts, and the ".args" extension it appended to encrypted files led researchers to name the ransomware "ESXiArgs". Ransom notes demanded identical payments of approximately 2 BTC within three days; the Bitcoin address varied per victim, while the Tox messaging ID stayed the same. By February 4, a scan by Onyphe had identified over 500 infected systems worldwide, and Shodan initially showed 69 compromised hosts, 25 of them in France. OVHcloud infrastructure appeared disproportionately affected, and Spanish customers as well as German Hetzner users also reported encrypted servers.

Technical analysis pointed to the exploitation of unpatched vulnerabilities in ESXi releases predating 7.0 U3i, with competing hypotheses naming CVE-2021-21974 (the OpenSLP heap overflow reachable on port 427), CVE-2020-3992 (a use-after-free in the same OpenSLP service), or the flaws addressed in VMware's VMSA-2022-0030 bulletin; under every hypothesis the precondition was an unpatched hypervisor whose management services were reachable from the Internet. By February 4, Enes Sonmez of YoreGroup had published a working recovery script that allowed some victims to restore their virtual machines without backups, while infrastructure providers reiterated their patching and network-hardening recommendations.
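As an added example that is not part of the original page, and not the YoreGroup script or any code from Ikoula, the POSIX shell helpers below show the two practical steps behind the advisories and the recovery effort described above: spotting encrypted files by the ".args" suffix, and rebuilding a VMDK descriptor for a surviving "-flat.vmdk" extent. The second step is the mechanism the public recovery scripts relied on, according to analysis published at the time: the encryptor damaged the small descriptor, configuration and NVRAM files, while the large flat extents were usually left intact or only sparsely touched. The file names in the demo tree, the fixed CID value and the adapter/geometry defaults are assumptions of this example.

```shell
#!/bin/sh
# Added example (not code from the page, from Ikoula, or from the recovery
# script's authors). Two helpers for an ESXiArgs-style incident:
#   1. esxiargs_iocs / esxiargs_count - list or count files under a datastore
#      tree that carry the ".args" extension the ransomware appends.
#   2. rebuild_descriptor - write a fresh VMDK descriptor for an intact
#      "<name>-flat.vmdk" extent whose small descriptor file was encrypted.
# Assumptions: POSIX sh plus find/wc/dd; 512-byte sectors; LSI Logic adapter
# and a 255x63 geometry; the CID value is a fixed placeholder.

# 1. Indicator scan: print every ".args" file below $1 (on ESXi: /vmfs/volumes).
esxiargs_iocs() {
    find "$1" -type f -name '*.args' 2>/dev/null
}

esxiargs_count() {
    esxiargs_iocs "$1" | wc -l | tr -d ' '
}

# 2. Descriptor rebuild. $1 = path to the intact "<name>-flat.vmdk".
#    Writes "<name>.vmdk" beside it and prints that path.
#    Refuses to overwrite an existing descriptor or to guess a size that is
#    not a whole number of sectors.
rebuild_descriptor() {
    flat="$1"
    case "$flat" in
        *-flat.vmdk) ;;
        *) echo "not a -flat.vmdk extent: $flat" >&2; return 1 ;;
    esac
    [ -f "$flat" ] || { echo "missing extent: $flat" >&2; return 1; }
    desc="${flat%-flat.vmdk}.vmdk"
    if [ -e "$desc" ]; then
        echo "descriptor already exists, not overwriting: $desc" >&2
        return 1
    fi

    bytes=$(wc -c < "$flat" | tr -d ' ')
    sectors=$((bytes / 512))
    [ $((sectors * 512)) -eq "$bytes" ] || { echo "size not sector-aligned: $flat" >&2; return 1; }
    cylinders=$((sectors / (255 * 63)))

    cat > "$desc" <<EOF
# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $sectors VMFS "$(basename "$flat")"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cylinders"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
EOF
    echo "$desc"
}

# Stand-alone demo on a constructed tree: two encrypted config files and one
# 1 MiB (2048-sector) flat extent whose descriptor is gone.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/vm1"
    : > "$tmp/vm1/vm1.vmx.args"
    : > "$tmp/vm1/vm1.vmdk.args"
    dd if=/dev/zero of="$tmp/vm1/vm1-flat.vmdk" bs=1024 count=1024 2>/dev/null
    echo "args files found: $(esxiargs_count "$tmp")"
    rebuild_descriptor "$tmp/vm1/vm1-flat.vmdk" >/dev/null
    grep '^RW ' "$tmp/vm1/vm1.vmdk"
    rm -rf "$tmp"
}

demo
```

On a real ESXi host the canonical route is `vmkfstools -c <size> -d thin tmp.vmdk` followed by editing the extent line of the generated descriptor to point at the original flat file (VMware KB 1002511), then re-registering the VM; the function above writes the descriptor directly so the format stays visible. For the OpenSLP exposure the page names, the service is stopped with `/etc/init.d/slpd stop`, kept off with `chkconfig slpd off`, and the firewall rule closed with `esxcli network firewall ruleset set -r CIMSLP -e 0` (VMware KB 76372); patching remains the actual fix.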
