Global Ransomware Attack on VMware ESXi Hypervisors Continues to Spread

The fresh "ESXiArgs" malware is exploiting a 2-year-old RCE security vulnerability (tracked as CVE-2021-21974), resulting in thousands of unpatched servers falling prey to the campaign.

Dark Reading Staff, Dark Reading

February 6, 2023

combination lock superimposed over computer screens
Source: Andrea Danti via Alamy Stock Photo

A global ransomware attack on VMware ESXi hypervisors is expanding, according to multiple government agencies and researchers, having already infected thousands of targets.

The attack, first flagged late Feb. 3 by the French Computer Emergency Response Team (CERT-FR), has already compromised more than 3,200 servers in Canada, France, Finland, Germany, and the US so far, according to tracking from Censys.

The avenue of compromise is an exploit for a 2-year-old remote code execution (RCE) security vulnerability (CVE-2021-21974), which affects the hypervisor's Open Service Location Protocol (OpenSLP) service.

The attack's goal appears to be the installation of a novel ransomware strain dubbed "ESXiArgs" — though the gang behind it is unknown, according to a Feb. 5 notice from French hosting provider OVHcloud, which has customers affected by the attacks.

"We [previously] made the assumption the attack was linked to the Nevada ransomware which was a mistake," according to the alert. "No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions."

The operators behind the attack are asking for around 2 Bitcoin ($23,000 at press time) to be delivered within three days of compromise; if the victims don't pay up, the ransom will increase and the gang will release sensitive data, they warned, according to a copy of the ransom note posted by a Dark Web monitor known as DarkFeed. However, cybersecurity firm Rapid7 noted in an analysis that there's no evidence of actual data exfiltration so far.

Instead, encryption appears to be the main goal: the malware specifically targets virtual machine files (.vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem), according to the firm's assessment. "In some cases, encryption of files may partially fail, allowing the victim to recover data."

Also, "the malware tries to shut down virtual machines by killing the VMX process to unlock the files," Rapid7 explained. VMX, the Virtual Machine Executable, is the per-VM process that runs in the VMkernel and handles the VM's I/O; while a VM is running, that process holds its files open, which is why the malware tries to kill it before encrypting. "This function is not systematically working as expected, resulting in files remaining locked," the alert added.

To avoid being caught up in the cyberattacks, admins should patch immediately, or, as a workaround, "the SLP can be disabled on any ESXi servers that haven’t been updated, in order to further mitigate the risk of compromise," according to the CERT-FR alert.

Also, "users and administrators are also advised to assess if the ransomware campaign-targeted port 427 can be disabled without disrupting operations," Singapore's SingCERT advised in a notice over the weekend.
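As an added example (not code from the article, CERT-FR, SingCERT, or VMware), the ESXi shell script below ties the two stopgaps together: with `check` it reports whether the host still exposes SLP, and with `disable` it stops slpd, closes the CIMSLP firewall ruleset that opens port 427, and keeps the daemon off across reboots. The three mitigation commands are VMware's published procedure for disabling SLP; the function and variable names, and the sample command output used in the test, are assumptions of this example. Run it as root in the ESXi shell.

```shell
#!/bin/sh
# Added example (not from the article or from VMware's own tooling): check whether an
# unpatched ESXi host still exposes OpenSLP (CVE-2021-21974) and optionally disable it.
# Assumes an ESXi host where esxcli, chkconfig and /etc/init.d/slpd exist.

set -e

# ESXi firewall ruleset that opens TCP/UDP 427 for the SLP daemon.
SLP_RULESET="CIMSLP"

# ruleset_enabled OUTPUT NAME
# Parse "esxcli network firewall ruleset list" output (columns: Name, Enabled) and
# print "true"/"false" for the named ruleset, or "missing" if it is not listed.
ruleset_enabled() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { print tolower($2); found = 1; exit }
        END { if (!found) print "missing" }'
}

# service_state OUTPUT NAME
# Parse "chkconfig --list" output (columns: service, on/off) the same way.
service_state() {
    printf '%s\n' "$1" | awk -v name="$2" '
        $1 == name { print tolower($2); found = 1; exit }
        END { if (!found) print "missing" }'
}

# slp_exposed RULESET_STATE SERVICE_STATE
# Returns 0 (exposed) unless the firewall rule is closed AND the daemon is off.
# An unrecognised or missing state is treated conservatively as exposed.
slp_exposed() {
    [ "$1" = "false" ] && [ "$2" = "off" ] && return 1
    return 0
}

# check_slp: query the live host and report; non-zero exit if SLP is still reachable.
check_slp() {
    rs=$(ruleset_enabled "$(esxcli network firewall ruleset list)" "$SLP_RULESET")
    svc=$(service_state "$(chkconfig --list)" slpd)
    echo "firewall ruleset $SLP_RULESET: $rs; slpd service: $svc"
    if slp_exposed "$rs" "$svc"; then
        echo "SLP is still reachable on port 427; disable it or patch the host"
        return 1
    fi
    echo "SLP is disabled"
}

# disable_slp: VMware's SLP-disable procedure, then re-check.
disable_slp() {
    /etc/init.d/slpd stop                                        # stop the running daemon
    esxcli network firewall ruleset set -r "$SLP_RULESET" -e 0   # close port 427
    chkconfig slpd off                                           # keep it off after reboot
    check_slp
}

case "${1:-}" in
    check)   check_slp ;;
    disable) disable_slp ;;
    "")      ;;   # no argument: only define the functions (e.g. when sourced)
    *)       echo "usage: $0 check|disable" >&2; exit 2 ;;
esac
```

Two caveats a practitioner should keep in mind. First, VMware's procedure requires that the SLP service not be in use when it is stopped (`esxcli system slp stats get` shows current usage), so run `check` before `disable` during a maintenance window. Second, closing SLP only removes this campaign's entry point; it is not a substitute for the patch, and a host that was already reachable on 427 before the change should be triaged for compromise rather than assumed clean.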

VMware remains a popular target for cybercriminals; just last week, exploit code emerged for other RCE bugs lurking in the virtualization specialist's product portfolio.
