VMWare ESXi Servers Targeted by Ransomware Gangs

Following several reports from security firms and cyber security publications it is apparent several ransomware gangs are actively exploiting a two-year-old vulnerability that allows for remote code execution on VMWare ESXi servers. One of the initial warnings was issued by the French Computer Emergency Response Team (CERT-FR) wh warned users of the above-mentioned servers that threat actors were abusing CVE-2021-21972.

News of the vulnerability broke in February 2021, where researchers described the flaw as a critical remote code execution (RCE) vulnerability in the vCenter Server virtual infrastructure management platform that may allow attackers to potentially take control of affected systems.

VMWare ESXi Servers targeted by ransomware

Ultimately, the flaw resides in a heap overflow issue in the OpenSLP service that can be exploited by unauthenticated threat actors in relatively low-complexity attacks.

The flaw was rated with a 9.8 out of 10  in terms of severity according to VMware's security advisory. The flaw has been patched and network administrators are advised strongly to double-check that if they make use of ESXi servers it has been patched. If unpatched admins can also disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors.

According to Julian Levrard, a security researcher with OVHCloud the ransomware strain used in the wild looked related to the Nevada ransomware strain. Levrard said,

“According to experts from the ecosystem as well as autorities, they might be related to Nevada ransomware and are using CVE-2021-21974 as compromission vector. Investigation are still ongoing to confirm those assumptions…The attack is primarily targetting ESXi servers in version before 7.0 U3i, apparently through the OpenSLP port (427).”

This assertion that the threat actor was either using  Nevada or a modified version thereof was quickly backtracked by OVHCloud, noting in an update,

“In the previous version of the post, we made the assumption the attack was linked to the Nevada Ransomware which was a mistake. No material can lead us to attribute this attack to any group. Attribution is never easy and we leave security researchers to make their own conclusions.”

Given that attribution is incredibly difficult it is completely understandable that mistakes can be made and often the truth is stranger than fiction.

While researchers looked to see who was responsible on the very first day of attacks seen in the wild the threat actor, likely threat actors given how modern ransomware operations operate have already encrypted approximately 120 ESXi servers. Researchers were soon to realize they were dealing with a new ransomware operation.

ESXiArgs Ransomware

The new ransomware has been given the name ESXiArgs based on its primary target, at least for now, being vulnerable EXSi servers and the file after encryption that contains the metadata, named .args.

Currently, the ransomware adds the following extensions to encrypted files .vmxf, .vmx, .vmdk, .vmsd, and .nvram. On Bleeping Computer’s forum other information has been shared to assist victims. Bleeping Computer notes,

“Overall, the ransomware campaign has not seen much success considering the large number of encrypted devices, with the Ransomwhere ransom payment tracking service reporting only four ransom payments for a total of $88,000…The lack of ransom payments is likely due to a VMware ESXi recovery guide created by security researcher Enes Sonmez, allowing many admins to rebuild their virtual machines and recover their data for free.”

For those looking to determine if threat actors distributing the new ransomware have breached your network, the malware will add the following files to /tmp:

  • encrypt - The encryptor ELF executable.
  • encrypt.sh - A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor, as described below.
  • public.pem - A public RSA key used to encrypt the key that encrypts a file.
  • motd - The ransom note in text form that will be copied to /etc/motd so it is shown on login. The server's original file will be copied to /etc/motd1.
  • index.html - The ransom note in HTML form that will replace VMware ESXi's home page. The server's original file will be copied to index1.html in the same folder.

EXSiArgs is not the only ransomware strain seen to target the above-mentioned vulnerability. The malware developers behind the Royal ransomware strain have added a Linux version which researchers believe is to target vulnerable EXSi servers. The Linux version was discovered by Will Thomas who noted that it is executed via the command line. Some of the ransomware’s commands include:

  • -stopvm> stops all running VMs so they can be encrypted
  • -vmonly - Only encrypt virtual machines
  • -fork - current functionality is yet to be determined
  • -logs - current functionality is yet to be determined
  • -id: id must be 32 characters

To help protect VMWare clients the company has advised the following,

“Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs)...With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi."

▼ Show Discussion

About the author:

Karolis Liucveikis

Karolis Liucveikis - experienced software engineer, passionate about behavioral analysis of malicious apps.

Author and general operator of PCrisk's "Removal Guides" section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over five years working in this branch. He attended KTU University and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications. Contact Karolis Liucveikis.

PCrisk security portal is brought by a company RCS LT. Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.

Our malware removal guides are free. However, if you want to support us you can send us a donation.

About PCrisk

PCrisk is a cyber security portal, informing Internet users about the latest digital threats. Our content is provided by security experts and professional malware researchers. Read more about us.

Malware activity

Global malware activity level today:

Medium threat activity

Increased attack rate of infections detected within the last 24 hours.

Virus and malware removal

This page provides information on how to avoid infections by malware or viruses and is useful if your system suffers from common spyware and malware attacks.

Learn about malware removal