6 February 2023

Thousands of VMware ESXi servers hit with ESXiArgs ransomware


Thousands of unpatched VMware ESXi servers worldwide have been targeted in a massive ransomware wave, hosting providers, the French Computer Emergency Response Team (CERT-FR), and the Italian National Cybersecurity Agency (ACN) have warned.

According to CERT-FR, attackers appear to be exploiting a two-year-old remote code execution vulnerability affecting VMware ESXi to deploy the ESXiArgs ransomware.

Tracked as CVE-2021-21974, the flaw is a heap-based buffer overflow in the OpenSLP service that can be exploited by an unauthenticated attacker for remote code execution on the underlying server. The bug affects ESXi 7.x versions prior to ESXi70U1c-17325551, ESXi 6.7.x versions prior to ESXi670-202102401-SG, and ESXi 6.5.x versions prior to ESXi650-202102101-SG.

Once the hackers breach an ESXi server, they encrypt files and leave a ransom note behind, asking for $50,000 in bitcoin to decrypt each infected server.

French cloud provider OVHcloud has published a technical analysis of the attacks, noting that exploitation of CVE-2021-21974 has not yet been confirmed. The company said it identified the following ransomware behavior after the initial breach:

  • The compromise vector is confirmed to use an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dc-ui as involved in the compromise process.

  • Encryption is using a public key deployed by the malware in /tmp/public.pem.

  • The encryption process is specifically targeting virtual machine files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “.vmem”).

  • The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.

  • The malware creates an argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size).

  • No data exfiltration occurred.
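A small triage helper built from the indicators listed above, as an added example that is not OVHcloud's or the article's own code: it checks an ESXi version string against the fixed 7.x build named in the article, lists datastore files of the targeted types, and flags the dropped public key. The `vmware -v` output format, the sample datastore paths and the build numbers used in the sample are assumptions or constructed data; the 6.7/6.5 fixed builds are not given on the page and are left as placeholders.

```python
"""Triage helpers for the ESXiArgs indicators described in the article (added example)."""
import re
from typing import Iterable, Optional

# File types the article says the encryptor targets (OVHcloud list).
TARGETED_EXTENSIONS = (".vmdk", ".vmx", ".vmxf", ".vmsd",
                       ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem")

# Public key the article says is dropped on the host.
PUBLIC_KEY_INDICATOR = "/tmp/public.pem"

# Fixed 7.x build from the article (ESXi70U1c-17325551). The 6.7 and 6.5 fixes
# are named only by patch id on the page, so their builds are placeholders
# that the operator must fill in before relying on the result.
FIXED_BUILDS = {"7.0": 17325551, "6.7": None, "6.5": None}

# Assumed layout of `vmware -v` output, e.g. "VMware ESXi 7.0.1 build-17325551".
VERSION_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")


def is_unpatched(vmware_v_output: str) -> Optional[bool]:
    """True if the build predates the fix the article names, False if not,
    None if the version line cannot be parsed or no fixed build is known."""
    match = VERSION_RE.search(vmware_v_output)
    if not match:
        return None
    major_minor, build = match.group(1), int(match.group(2))
    fixed = FIXED_BUILDS.get(major_minor)
    if fixed is None:
        return None
    return build < fixed


def at_risk_vm_files(paths: Iterable[str]) -> list:
    """Datastore files whose extension is in the encryptor's target list."""
    return sorted(p for p in paths if p.lower().endswith(TARGETED_EXTENSIONS))


def has_public_key_indicator(paths: Iterable[str]) -> bool:
    """True if the dropped key named in the article is present."""
    return PUBLIC_KEY_INDICATOR in set(paths)


def triage(vmware_v_output: str, paths: Iterable[str]) -> dict:
    """Combine the three checks into one report for an incident responder."""
    paths = list(paths)
    return {
        "unpatched": is_unpatched(vmware_v_output),
        "at_risk_files": at_risk_vm_files(paths),
        "public_key_dropped": has_public_key_indicator(paths),
    }
```

On a live host the path list would come from walking /vmfs/volumes and /tmp; here the functions take plain lists so they can be exercised offline.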

Initially, some reports suggested that ESXiArgs may be a version of the newly launched Nevada strain or a version of the Cheerscrypt ransomware; however, both initial assessments proved to be incorrect. So far, the ESXiArgs ransomware has not been attributed to any known group.

According to a Censys search query, more than 3,000 servers have been encrypted to date, with most of them located in France, Germany, Canada, and the US.
