Attackers exploit VMware ESXi RCE vulnerability to deliver ESXiArgs ransomware

French authorities and security researchers warn attackers have been exploiting two-year old VMware ESXi remote code execution (RCE) vulnerability to deliver ESXiArgs ransomware.

In February 2021, VMware patched an ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974), along with another exploited vulnerability (CVE-2021-21972), that affected thousands of exposed servers online.

“A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP service resulting in remote code execution,” VMware warned in the advisory at the time.

ESXiArgs ransomware

According to BleepingComputer, French Computer Emergency Response Team (CERT-FR) and French cloud provider OVHcloud warned of massive ransomware attacks. The latter published a new report regarding cyber attacks targeting VMware ESXi servers possibly linked with Nevada ransomware.

“According to experts from the ecosystem as well as authorities, the malware is probably using CVE-2021-21974 as compromission vector. Investigation are still ongoing to confirm those assumptions,” Julien Levrard of OVHcloud wrote in a blog post.

The cyberattack is primarily targeting ESXi servers in version before 7.0 U3i.

The ransomware targets and encrypts virtual machines files (e.g., with extensions “.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, and ”*.vmem”).

Moreover, the malware attempts to shutdown virtual machines by stopping the VMX process in order to unlock the files. However, this function sometimes fails, which may result in locked files.

The malware also creates argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size).

Some researchers estimate the ESXiArgs ransomware campaign has compromised 3,200 VMware ESXi servers globally.

BleepingComputer also setup a dedicated ESXiArgs support topic to allow people to report their experiences and receive help in recovery from related ransomware attacks.

New research and evidence have revealed the new attacks may be linked to a new ransomware family, ID Ransomware’s Michael Gillespie is tracking as ‘ESXiArgs.’

On a related note, another ransomware group, Vice Society, was just recently reported targeting manufacturing firms in Brazil, Argentina, Switzerland, and Israel.

Researchers found the group was using their own custom-built ransomware while still leveraging toolsets such as Cobalt Strike and malware (e.g., Zeppelin and Hello Kitty/FiveHands) to enhance their routines.

Related Articles