6 February 2023

Thousands of VMware ESXi servers hit with ESXiArgs ransomware

Thousands of unpatched VMware ESXi servers worldwide have been targeted in a massive ransomware wave, hosting providers, the French Computer Emergency Response Team (CERT-FR), and the Italian National Cybersecurity Agency (ACN) have warned.

According to CERT-FR, attackers appear to be exploiting a two-year old remote execution vulnerability affecting VMware ESXi to deploy the ESXiArgs ransomware.

Tracked as CVE-2021-21974, the flaw is a heap-based buffer overflow in the OpenSLP service that an unauthenticated attacker can exploit for remote code execution on the underlying server. The bug affects ESXi 7.x versions prior to ESXi70U1c-17325551, ESXi 6.7.x versions prior to ESXi670-202102401-SG, and ESXi 6.5.x versions prior to ESXi650-202102101-SG.

Once the hackers breach an ESXi server, they encrypt files and leave a ransom note behind, asking for $50,000 in bitcoin to decrypt each infected server.

French cloud provider OVHcloud has published a technical analysis of the attacks, noting that exploitation of CVE-2021-21974 is still not confirmed. The company said it identified the following ransomware behavior after the initial breach:

  • The compromission vector is confirmed to use an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dc-ui as involved in the compromission process.

  • Encryption is using a public key deployed by the malware in /tmp/public.pem

  • The encryption process is specifically targeting virtual machine files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “.vmem”)

  • The malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected, resulting in files remaining locked.

  • The malware creates argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size).

  • No data exfiltration occurred.
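As an added defender-side illustration of the behavior OVHcloud describes (example code written for this page, not OVHcloud's or CERT-FR's tooling): a small Python triage script that walks a copy of a datastore, counts the file types named in the list above, checks whether each still begins with its normal header, and reports whether the dropped /tmp/public.pem exists. The header checks (descriptor text or KDMV magic for .vmdk, printable text for .vmx/.vmxf/.vmsd), the exclusion of raw extents, and the relocatable key path are my assumptions, not details the article states.

```python
import os
import tempfile

# File types the OVHcloud analysis says the encryptor targets.
TARGETED_EXT = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
                ".vswp", ".vmss", ".nvram", ".vmem"}
TEXT_EXT = {".vmx", ".vmxf", ".vmsd"}  # clean copies are plain ASCII text
DROPPED_KEY = "/tmp/public.pem"         # key location named in the article


def header_is_plausible(name: str, head: bytes) -> bool:
    """Assumption: an encrypted file no longer starts with its usual header."""
    ext = os.path.splitext(name)[1].lower()
    if ext == ".vmdk":
        if name.lower().endswith(("-flat.vmdk", "-delta.vmdk", "-sesparse.vmdk")):
            return True  # raw extents have no fixed header to check
        return head.startswith(b"# Disk DescriptorFile") or head.startswith(b"KDMV")
    if ext in TEXT_EXT:
        return all(32 <= b < 127 or b in b"\r\n\t" for b in head)
    return True  # no reliable signature for the remaining binary types


def triage(datastore: str, key_path: str = DROPPED_KEY) -> dict:
    """Walk a datastore tree and collect the indicators the article lists."""
    findings = {"dropped_key_present": os.path.exists(key_path),
                "targeted_files": 0, "suspect_files": []}
    for root, _dirs, files in os.walk(datastore):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGETED_EXT:
                continue
            findings["targeted_files"] += 1
            path = os.path.join(root, name)
            with open(path, "rb") as fh:
                head = fh.read(32)
            if head and not header_is_plausible(name, head):
                findings["suspect_files"].append(path)
    return findings


def demo() -> dict:
    """Constructed datastore: vm1 intact, vm2's descriptor overwritten."""
    base = tempfile.mkdtemp()
    os.makedirs(os.path.join(base, "vm1"))
    os.makedirs(os.path.join(base, "vm2"))
    with open(os.path.join(base, "vm1", "vm1.vmx"), "w") as f:
        f.write('.encoding = "UTF-8"\nconfig.version = "8"\n')
    with open(os.path.join(base, "vm1", "vm1.vmdk"), "w") as f:
        f.write("# Disk DescriptorFile\nversion=1\n")
    with open(os.path.join(base, "vm2", "vm2.vmdk"), "wb") as f:
        f.write(bytes(range(200, 232)))  # simulated ciphertext, no header
    key = os.path.join(base, "public.pem")  # stand-in for /tmp/public.pem
    open(key, "w").close()
    return triage(base, key_path=key)
```

Run `demo()` to see the constructed case; on a real host point `triage` at a mounted datastore copy and leave `key_path` at its default.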

Initially, some reports suggested that ESXiArgs may be a version of the newly launched Nevada strain or a version of the Cheerscrypt ransomware; however, both initial assessments proved to be incorrect. So far, the ESXiArgs ransomware has not been attributed to any known group.

According to a Censys search query, more than 3,000 servers have been encrypted to date, with most of them located in France, Germany, Canada, and the US.
