VMware ESXi servers targeted by ESXiArgs ransomware

Security flaw and attack on VMware ESXi servers

Cloud computing company servers infected with ransomware worldwide

A massive wave of attacks is aimed at VMware ESXi servers that are still unpatched against a two-year-old remote code execution vulnerability. Administrators, hosting companies, and the French Computer Emergency Response Team (CERT-FR) have all issued warnings about these attacks. The attackers are exploiting CVE-2021-21974[1], a heap overflow in the OpenSLP service that an unauthenticated attacker with network access to the host can trigger in a low-complexity attack.

The attack primarily targets ESXi servers running versions prior to 7.0 U3i and reaches them through the OpenSLP[2] port (427). Administrators who cannot patch immediately must disable the Service Location Protocol (SLP) service on unpatched ESXi hypervisors to block incoming attacks. CERT-FR[3] strongly recommends applying the patch as soon as possible, but also advises scanning systems that were exposed while unpatched for signs of compromise, since patching does not remove an intruder who is already present.
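The mitigation above, as an added example written for the ESXi shell (this is not code from the article, CERT-FR or VMware). The three commands in disable_slp are the ones VMware documents for stopping SLP; the check functions only parse the output of `chkconfig --list` and `esxcli network firewall ruleset list`, so they can be exercised against captured text off the host. The expected line shapes in the comments are assumptions about that output format.

```shell
#!/bin/sh
# Added example: verify and, if needed, remove the SLP exposure on ESXi.
# Check functions take command output as an argument so they run offline.

# slp_starts_at_boot CHKCONFIG_OUTPUT: true (0) if slpd is set to start.
# Assumed line shape from `chkconfig --list`: "slpd                 on"
slp_starts_at_boot() {
    printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "on" { found = 1 }
                             END { if (found) exit 0; exit 1 }'
}

# cimslp_firewall_open RULESET_OUTPUT: true (0) if the CIMSLP ruleset, which
# opens port 427, is enabled. Assumed line shape: "CIMSLP           true"
cimslp_firewall_open() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "true" { found = 1 }
                              END { if (found) exit 0; exit 1 }'
}

# slp_exposed CHKCONFIG_OUTPUT RULESET_OUTPUT: true if either indicator says
# the service is still reachable. Worth re-running after patching as well.
slp_exposed() {
    slp_starts_at_boot "$1" || cimslp_firewall_open "$2"
}

# disable_slp: the mitigation itself. Run only on the ESXi host.
disable_slp() {
    /etc/init.d/slpd stop                                # stop the running daemon
    esxcli network firewall ruleset set -r CIMSLP -e 0   # close 427/tcp+udp in the host firewall
    chkconfig slpd off                                   # keep it off across reboots
}

case "${1:-}" in
    --check)
        if slp_exposed "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"; then
            echo "SLP still exposed: patch, or run '$0 --disable'"
            exit 2
        fi
        echo "SLP disabled" ;;
    --disable)
        disable_slp ;;
esac
```

Run it with `--check` over SSH on each host; a non-zero exit means port 427 is still reachable and the host belongs on the patch-or-isolate list.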

Italian cybersecurity authorities also reported the campaign, which has hit servers in several European countries, and published the details of the attack and the servers it affects. According to the experts tracking it, most victims were in France.

ESXiArgs Ransomware

Some researchers have linked the attacks to the Nevada ransomware. The ransom notes seen in this campaign, however, do not match those of Nevada and appear to come from a new ransomware family.

The ESXiArgs ransomware encrypts files with the extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram on compromised ESXi servers and creates a .args file with metadata for each encrypted file. Although the threat actors behind this attack claim to have stolen data, at least one victim reported finding no sign of exfiltration in their incident.

Victims have also found ransom notes named "ransom.html" and "How to Restore Your Files.html" on locked systems. ID Ransomware's Michael Gillespie[4] is tracking the ransomware under the name 'ESXiArgs'; he initially said that, until a sample was recovered, it was not possible to tell whether the encryption had any exploitable weaknesses.

Details of the attack

When the server is breached, the following files are stored in the /tmp folder:

  • encrypt: The encryptor ELF executable.
  • encrypt.sh: A shell script that acts as the logic for the attack and performs various tasks before executing the encryptor.
  • public.pem: The RSA public key used to encrypt the per-file key that encrypts each file.
  • motd: The ransom note in text form, copied to /etc/motd and displayed on login. The server's original file is copied to /etc/motd1.
  • index.html: The ransom note in HTML form, which replaces VMware ESXi's home page. The server's original file is copied to index1.html in the same folder.

The encryptor uses the RSA public key to encrypt the key that encrypts each file. After analyzing a sample, Michael Gillespie of ID Ransomware concluded that the encryption is implemented correctly: there is no flaw in the cryptography that would allow files to be decrypted without the attackers' private key. Judging from the encrypted files, the key is likely RSA-2048, although the encryptor accepts any valid PEM public key, so the key size is the attacker's choice.

When the encryptor is executed, the following steps occur:

  1. The encrypt.sh script prepares the host and runs the encryptor with the RSA public key staged in /tmp/public.pem; the matching private key never leaves the attackers.
  2. For each target file the encryptor generates a fresh symmetric key, encrypts the file contents with it, and then encrypts that key with the RSA public key, so the per-file key can only be recovered by whoever holds the private key.
  3. Metadata for each encrypted file is written to a companion .args file next to it, and the ransom note is installed in both its text (motd) and HTML (index.html) forms.

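A triage script for the artifacts described in the file list and the steps above, added here as an example (it is not code from the article or from any incident-response vendor). It runs on a live ESXi host with ROOT set to / or against a copy of a compromised host's filesystem mounted on an analysis box. The docroot path used for index1.html is the ESXi default and is an assumption; adjust it if the host's web root differs.

```shell
#!/bin/sh
# Added example: enumerate ESXiArgs indicators under a filesystem root.

# esxiargs_indicators ROOT: print one line per indicator found under ROOT and
# return 0 if anything matched, 1 if the tree looks clean (grep-style exit).
esxiargs_indicators() {
    root=${1%/}        # strip a trailing slash so "/" and "/mnt/evidence/" both work
    hits=0

    # 1. Tooling the attacker stages in /tmp before running the encryptor.
    for f in encrypt encrypt.sh public.pem motd index.html; do
        if [ -e "$root/tmp/$f" ]; then
            echo "staged-tool: /tmp/$f"
            hits=$((hits + 1))
        fi
    done

    # 2. Originals moved aside when the ransom notes were installed.
    #    The docroot location is an assumption (ESXi default).
    for f in /etc/motd1 /usr/lib/vmware/hostd/docroot/index1.html; do
        if [ -e "$root$f" ]; then
            echo "renamed-original: $f"
            hits=$((hits + 1))
        fi
    done

    # 3. Per-file .args metadata and ransom notes dropped next to VM files on
    #    the datastores. VM paths often contain spaces, so capture find's
    #    output whole and count its lines instead of word-splitting it.
    found=$(find "$root/vmfs/volumes" -type f \
        \( -name '*.args' -o -name 'ransom.html' \
           -o -name 'How to Restore Your Files.html' \) 2>/dev/null || true)
    if [ -n "$found" ]; then
        printf '%s\n' "$found" | sed 's/^/encrypted-or-note: /'
        hits=$((hits + $(printf '%s\n' "$found" | wc -l | tr -d ' ')))
    fi

    [ "$hits" -gt 0 ]
}

# esxiargs_encrypted_vms ROOT: list the VM files that have a .args sidecar,
# i.e. the ones the encryptor processed. This is the recovery worklist.
esxiargs_encrypted_vms() {
    find "${1%/}/vmfs/volumes" -type f -name '*.args' 2>/dev/null |
        sed 's/\.args$//'
}
```

On a live host run `esxiargs_indicators /`; the presence of /etc/motd1 or the staged files in /tmp is evidence of compromise even if no .args files exist yet, because the script installs the notes before the encryptor finishes.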
About the author
Gabriel E. Hall

Gabriel E. Hall is a passionate malware researcher who has been working for 2-spyware for almost a decade.
