ESXiArgs ransomware targets unpatched VMware ESXi servers
Admins, hosting providers, and the French Computer Emergency Response Team (CERT-FR) have warned of a new ransomware attack named ESXiArgs that is targeting VMware ESXi servers which have not been patched against a two-year-old remote code execution vulnerability.
The vulnerability, known as CVE-2021-21974, is caused by a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated attackers in low-complexity attacks. The flaw affects ESXi versions 7.x prior to ESXi70U1c-17325551, ESXi versions 6.7.x prior to ESXi670-202102401-SG, and ESXi versions 6.5.x prior to ESXi650-202102101-SG.
To block incoming attacks, administrators are advised to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not been updated and to apply the patch as soon as possible. Systems that have gone unpatched should also be scanned for signs of compromise.
In the ransomware campaign, the attackers encrypted files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and created a .args file for each encrypted file containing metadata, which is likely needed for decryption. Ransom payments have nonetheless been limited: only four have been reported, for a total of $88,000. This could be due to a VMware ESXi recovery guide created by a security researcher, which allows administrators to rebuild their virtual machines and recover their data for free.
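As an added example (not code from the article or from any vendor tooling), the scan for signs of compromise mentioned above can be expressed as a small POSIX shell check for the on-disk pattern just described: a file with one of the targeted extensions that has a same-named .args file beside it. The /vmfs/volumes default and the sample directory tree are assumptions constructed for a dry run.

```shell
#!/bin/sh
# Added example, not from the article: look for the ESXiArgs file pattern,
# i.e. a VM file with a targeted extension and a sibling "<file>.args" marker.

TARGET_EXTS="vmxf vmx vmdk vmsd nvram"

# is_target_ext FILE: succeed if FILE ends in one of the targeted extensions
is_target_ext() {
    for ext in $TARGET_EXTS; do
        case "$1" in *."$ext") return 0 ;; esac
    done
    return 1
}

# scan_esxiargs_markers ROOT: print "<original file>\t<marker>\t<state>" for
# every .args marker whose original name has a targeted extension. The default
# root /vmfs/volumes is an assumption about where datastores are mounted.
scan_esxiargs_markers() {
    root="${1:-/vmfs/volumes}"
    find "$root" -type f -name '*.args' 2>/dev/null | while IFS= read -r marker; do
        original="${marker%.args}"          # strip the ".args" suffix
        if is_target_ext "$original"; then
            if [ -f "$original" ]; then state="original-present"
            else state="original-missing"; fi
            printf '%s\t%s\t%s\n' "$original" "$marker" "$state"
        fi
    done
}

# count_esxiargs_hits ROOT: number of suspicious files reported by the scan
count_esxiargs_hits() {
    scan_esxiargs_markers "$1" | wc -l | tr -d ' '
}

# make_sample_datastore: build a constructed directory tree for a dry run and
# print its path. vm1 shows the encrypted pattern, vm2 is clean.
make_sample_datastore() {
    ds="$(mktemp -d)"
    mkdir -p "$ds/vm1" "$ds/vm2"
    : > "$ds/vm1/vm1.vmdk"; : > "$ds/vm1/vm1.vmdk.args"   # marker present
    : > "$ds/vm1/vm1.vmx";  : > "$ds/vm1/vm1.vmx.args"    # marker present
    : > "$ds/vm1/vm1.log";  : > "$ds/vm1/vm1.log.args"    # not a targeted ext
    : > "$ds/vm2/vm2.vmdk"; : > "$ds/vm2/vm2.vmx"         # clean VM
    printf '%s\n' "$ds"
}
```

Running `scan_esxiargs_markers "$(make_sample_datastore)"` lists the two vm1 files and ignores vm1.log, since only the extensions named above are of interest.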
The attack was initially thought to be related to the Nevada ransomware operation, but subsequent investigation found that the ransom notes seen in this attack do not match Nevada's and appear to come from a new ransomware family. The ESXiArgs ransomware is being tracked by Michael Gillespie of ID Ransomware, who said that until a sample is found, it is not possible to determine whether its encryption has any weaknesses.
In conclusion, it is crucial for administrators to update their VMware ESXi servers and disable the OpenSLP service to protect against this ransomware attack. In the event of a breach, administrators are advised to retrieve a copy of the ESXiArgs encryptor and associated shell script to better understand the attack and take appropriate steps to recover their data.
The sources for this piece include an article in BleepingComputer.