ESXiArgs ransomware is a new ransomware family that takes advantage of a heap overflow vulnerability in the OpenSLP service used on VMware ESXi servers. The vulnerability, tracked as CVE-2021-21974, enables Remote Code Execution (RCE); it was disclosed over two years ago and has since been exploited by many threat actors. ESXiArgs ransomware damage was first reported on February 3, 2023, and has continued until recently.

What is ESXi OpenSLP?

SLP stands for Service Location Protocol, a service discovery protocol that identifies and advertises available services within a network. When VMware ESXi is installed, SLP listens on ports TCP/427 and UDP/427. Because the SLP service is reachable without authentication and runs with root privileges, unauthenticated remote code can be executed as root if the ESXi SLP service is vulnerable.

As vulnerable SLP services are being exploited again, VMware recommends that SLP be removed from ESXi or that ESXi be patched to a non-vulnerable version.

ESXi versions that are currently targeted for OpenSLP vulnerabilities are the following:

ESXi versions affected by CVE-2021-21974

– ESXi versions 7.x prior to ESXi70U1c-17325551
– ESXi versions 6.7.x prior to ESXi670-202102401-SG
– ESXi versions 6.5.x prior to ESXi650-202102101-SG

Exploring VMware ESXi Servers

Criminal IP Asset Search can retrieve information on VMware ESXi servers worldwide that are exposed to the internet. Note that the results also include ESXi versions 5.1 and 5.5, which are unrelated to the ESXiArgs ransomware attack.

Search Query: “ID_EESX_Welcome” 

27,886 results found when searching for global VMware ESXi servers with Criminal IP
Screen connected to VMware ESXi server, which was discovered with Criminal IP

Current Situation of ESXi Servers Globally Infected With ESXiArgs Ransomware

When a server is attacked by this new ESXiArgs ransomware, the extension of specific files is changed to ".args" upon infection, making it easy to determine whether one's server is infected. The ransomware encrypts all files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions, and a .args file containing metadata is created for each encrypted file.
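The indicators above (encrypted virtual machine files paired with .args metadata files) can be turned into a quick inventory check for a datastore directory. This is an added example, not a script from the original article or from Criminal IP; it assumes the marker for an encrypted file is named `<original file>.args` beside the original, and it uses a constructed sample tree for demonstration.

```shell
#!/bin/sh
# Added example: inventory a directory for ESXiArgs indicators.
# Assumption: each encrypted file X is accompanied by a marker file X.args.

# Extensions the article reports as encrypted by ESXiArgs
ESXIARGS_EXTS="vmxf vmx vmdk vmsd nvram"

# Print one tab-separated line per .args marker under $1 whose original file
# has a targeted extension: marker, original path, and whether the original
# is still present on disk.
esxiargs_scan() {
    find "$1" -type f -name '*.args' 2>/dev/null | while IFS= read -r marker; do
        orig="${marker%.args}"
        ext="${orig##*.}"
        case " $ESXIARGS_EXTS " in
            *" $ext "*)
                if [ -f "$orig" ]; then
                    status="encrypted-original-present"
                else
                    status="original-missing"
                fi
                printf '%s\t%s\t%s\n' "$marker" "$orig" "$status"
                ;;
        esac
    done
}

# Number of matching markers: a non-zero count is a strong infection signal.
esxiargs_count() {
    esxiargs_scan "$1" | wc -l | tr -d ' '
}

# Constructed sample datastore (not real data) used to demonstrate the check.
demo_tree() {
    d="$(mktemp -d)"
    mkdir -p "$d/vm1" "$d/vm2"
    : > "$d/vm1/vm1.vmdk"; : > "$d/vm1/vm1.vmdk.args"   # encrypted + marker
    : > "$d/vm1/vm1.vmx";  : > "$d/vm1/vm1.vmx.args"    # encrypted + marker
    : > "$d/vm2/clean.vmdk"                              # untouched VM file
    : > "$d/vm2/notes.txt.args"                          # non-target ext: ignored
    printf '%s\n' "$d"
}

# Usage: sh esxiargs_check.sh /vmfs/volumes/<datastore>
if [ -n "${1:-}" ]; then
    esxiargs_scan "$1"
    echo "markers found: $(esxiargs_count "$1")"
fi
```

On an ESXi host the datastores live under `/vmfs/volumes`, so that is the directory to pass in; a count of zero does not prove a host is clean, only that no marker files were found.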

This indicator can be used to estimate the number of ESXi servers infected with the ransomware. The keyword for finding hosts infected with ESXiArgs ransomware is as follows.

Search Query: title:”How to Restore Your Files”

3,759 hosts found to be infected with ESXiArgs ransomware

A total of 3,759 ESXiArgs ransomware-infected servers were found at the time of writing.

One characteristic of this new ransomware campaign is that the attacks do not occur at a constant rate but rather surge suddenly and then stop. The number of infections reported in various cybersecurity media was about 1,000 on February 6 and about 1,900 on February 14. Although ESXi ransomware attacks are quiet as of now, 3,759 infected hosts were detected with Criminal IP, which is far more than the figures reported in the media.

The keyword used in the search, "How to Restore Your Files", is the title of the ransom note left by the attacker for the victim. The ransom note on an infected server warns the victim to send the money within three days and not to attempt to decrypt the files.

Ransom note left by ESXiArgs ransomware attacker

The VirusTotal analysis results for this ransom note are as follows.

Analysis of ransom note of ESXiArgs ransomware using VirusTotal

Statistics of Countries With Ransomware-infected ESXi Servers 

Criminal IP search results for infected ESXi hosts can be narrowed down by adding the country filter. Infected hosts in the US are shown below, and their number continues to increase.

Search Query: Title:”How to Restore Your Files” country: US

Results of searching ESXiArgs ransomware-infected servers in the US using the country filter

ESXi ransomware-infected server country statistics can also be checked with Element Analysis.

Currently, servers infected with the ransomware have been found in a total of 70 countries. France suffered the most damage, with a total of 1,300 servers confirmed to be infected.

https://www.criminalip.io/intelligence/element-analysis/search?query=Title%3A%22How+to+Restore+Your+Files%22

Top 30 countries infected with ESXiArgs ransomware, with France being the outstanding leader

How to Decrypt Ransomware Encryption & Security Patch Recommendations

The Cybersecurity and Infrastructure Security Agency (CISA) has published guidance on recovering servers infected with ESXiArgs ransomware and has announced the following security recommendations.

• Update servers to the latest version of VMware ESXi software;
• Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service; and
• Ensure the ESXi hypervisor is not exposed to the public internet.

It is also not recommended to pay the ransom demanded in the note left by the attacker. Paying the ransom may encourage other attackers to distribute the ransomware.

Please refer to our article on how LockBit 3.0 ransomware attackers used the dark web for a relevant case study.
