Administrators, hosting providers, and the French Computer Emergency Response Team (CERT-FR) are warning that attackers are actively targeting VMware ESXi servers that remain unpatched against a two-year-old remote code execution flaw. The attackers' goal is to deploy ransomware on the compromised hypervisors.
The vulnerability, tracked as CVE-2021-21974, is a critical flaw in the OpenSLP service of VMware ESXi that lets an unauthenticated attacker with network access to the service execute code remotely. It is a heap overflow: a crafted SLP message makes the service write past the end of a heap-allocated buffer, corrupting adjacent memory and giving the attacker a path to arbitrary code execution. Once on the hypervisor, an attacker can take control of the host, access the virtual machines and data it stores, and install malware such as ransomware. Patching ESXi servers, or at least disabling the SLP service where patching is not yet possible, is therefore essential.
“As per current investigations, these attack campaigns appear to be exploiting the vulnerability CVE-2021-21974, for which a patch has been available since 23 February 2021,” CERT-FR said.
The systems currently targeted appear to be ESXi hypervisors running version 6.x prior to 6.7.
To block incoming attacks on ESXi hypervisors that have not yet been patched, administrators are advised to disable the vulnerable Service Location Protocol (SLP) service. CERT-FR strongly recommends applying the update as soon as possible, but also stresses that unpatched systems must be scanned for signs of compromise, since they may already have been breached.
CVE-2021-21974 affects the following systems:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
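The two checks a practitioner wants here are "is this host below the fixed build" and "turn SLP off if it is". The following script is an added example, not code from the original post or from VMware: it parses the output of `esxcli system version get`, compares the build number against the fixed build for the host's branch, and disables SLP using the commands from VMware KB 76372. The 7.0 fixed build (17325551) is taken from the patch identifier above; the 6.7 and 6.5 fixed builds (17499825 and 17477841) are assumptions recalled from the VMSA-2021-0002 release notes and should be confirmed against the advisory. The sample `esxcli` output is constructed so the script can be exercised offline.

```shell
#!/bin/sh
# Added example (not part of the original post, not VMware tooling): decide
# from "esxcli system version get" output whether an ESXi host is still below
# the build that fixed CVE-2021-21974 (VMSA-2021-0002), and disable SLP if so.

FIXED_70=17325551   # ESXi70U1c, stated in the post
FIXED_67=17499825   # ESXi670-202102401-SG: ASSUMED build, verify against the advisory
FIXED_65=17477841   # ESXi650-202102101-SG: ASSUMED build, verify against the advisory

# Print "<version> <build>" from esxcli output. Build lines look like
# "Build: Releasebuild-17325551", so the prefix is stripped.
parse_esxi_version() {
    printf '%s\n' "$1" | awk '
        /^[[:space:]]*Version:/ { v = $2 }
        /^[[:space:]]*Build:/   { sub(/^Releasebuild-/, "", $2); b = $2 }
        END { print v, b }'
}

# Classify a version/build pair as PATCHED, VULNERABLE, or UNKNOWN (a branch
# this script does not know the fixed build for).
assess_esxi() {
    version=$1; build=$2
    case "$version" in
        7.0*) fixed=$FIXED_70 ;;
        6.7*) fixed=$FIXED_67 ;;
        6.5*) fixed=$FIXED_65 ;;
        *)    echo UNKNOWN; return 0 ;;
    esac
    if [ "$build" -ge "$fixed" ]; then echo PATCHED; else echo VULNERABLE; fi
}

# Stop and disable the SLP daemon and close its firewall ruleset (the steps
# from VMware KB 76372). Only meaningful on an ESXi host.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
    chkconfig --list | grep slpd
}

# Constructed sample output (not captured from a real host): a 7.0 U1 build
# below the fix, used when the script is run somewhere without esxcli.
SAMPLE='   Product: VMware ESXi
   Version: 7.0.1
   Build: Releasebuild-17168206
   Update: 1
   Patch: 25'

if command -v esxcli >/dev/null 2>&1; then
    set -- $(parse_esxi_version "$(esxcli system version get)")
    state=$(assess_esxi "$1" "$2")
    echo "ESXi $1 build $2: $state"
    if [ "$state" = VULNERABLE ]; then disable_slp; fi
else
    set -- $(parse_esxi_version "$SAMPLE")
    echo "ESXi $1 build $2: $(assess_esxi "$1" "$2")"
fi
```

Run it from the ESXi shell (SSH) as root; on any other machine it falls through to the constructed sample. Disabling SLP is a stopgap: the host still needs the patch, and `chkconfig` is what keeps the daemon off across reboots.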
Today, French cloud provider OVHcloud released a report connecting the current surge of attacks aimed at VMware ESXi servers to the Nevada ransomware campaign.
“According to experts from the ecosystem as well as authorities, they might be related to Nevada ransomware and are using CVE-2021-21974 as compromission vector. Investigations are still ongoing to confirm those assumptions,” OVHcloud CISO Julien Levrard said.
“The attack is primarily targeting ESXi servers in version before 7.0 U3i, apparently through the OpenSLP port (427).”
A Shodan search shows that at least 120 VMware ESXi servers worldwide have already been hit by this ransomware operation.
New ESXiArgs ransomware
However, the ransom notes observed in this attack do not appear to be connected to Nevada ransomware, and seem instead to come from a new ransomware family.
Over the past four hours, victims affected by this campaign have taken to BleepingComputer’s forum to report the attacks and request assistance and additional information on how to recover their lost data.
The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a .args file, containing metadata that is likely needed for decryption, for each encrypted file. Although the attackers claim to have stolen sensitive data, one victim reported in the BleepingComputer forums that no data was taken in their incident.
Michael Gillespie of ID Ransomware is currently tracking the ransomware under the name ‘ESXiArgs’. He told BleepingComputer, however, that without a sample it is impossible to determine whether the encryption has any weaknesses.
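Since CERT-FR asks that unpatched hosts be checked for signs of compromise, the one indicator the post gives is the `.args` metadata file written next to each encrypted VM file. The script below is an added example, not code from the original post: it walks a datastore tree, lists every `.args` file, and reports whether the VM file it belongs to is still present. It assumes the sidecar is named `<original file>.args`, which is not stated in the post. The sample datastore tree is constructed in a temporary directory so the script runs offline; on a real host point it at `/vmfs/volumes`.

```shell
#!/bin/sh
# Added example (not from the original post): look for ESXiArgs-style traces
# under a datastore tree. The post says the ransomware encrypts .vmxf, .vmx,
# .vmdk, .vmsd and .nvram files and writes a .args metadata file per
# encrypted file. ASSUMPTION: the sidecar is named "<original file>.args".

# Print "<args file> <status>" for every .args file under $1:
#   PAIRED  - the matching VM file still sits beside it (encrypted in place)
#   ORPHAN  - the matching VM file is gone
#   OTHER   - the sidecar does not belong to one of the listed VM file types
find_esxiargs_traces() {
    find "$1" -type f -name '*.args' 2>/dev/null | sort | while read -r args; do
        target=${args%.args}
        case "$target" in
            *.vmxf|*.vmx|*.vmdk|*.vmsd|*.nvram)
                if [ -f "$target" ]; then echo "$args PAIRED"; else echo "$args ORPHAN"; fi ;;
            *)  echo "$args OTHER" ;;
        esac
    done
}

# Number of VM files that carry an .args sidecar: a quick "was this host hit".
count_esxiargs_hits() {
    find_esxiargs_traces "$1" | grep -c ' PAIRED$' || true
}

# Constructed sample datastore (not a real capture): two VMs, one partially
# hit, plus an orphaned sidecar and a sidecar on a non-VM file.
make_sample_datastore() {
    d=$(mktemp -d)
    mkdir -p "$d/vm1" "$d/vm2"
    for f in vm1/vm1.vmdk vm1/vm1.vmx vm1/vm1.nvram vm2/vm2.vmdk; do
        : > "$d/$f"; : > "$d/$f.args"
    done
    : > "$d/vm2/vm2.vmx"          # untouched file, no sidecar
    : > "$d/notes.txt.args"       # sidecar on a file type the post does not list
    rm "$d/vm1/vm1.nvram"         # original removed, sidecar left behind
    echo "$d"
}

if [ -d /vmfs/volumes ]; then
    ROOT=/vmfs/volumes
else
    ROOT=$(make_sample_datastore)
fi
find_esxiargs_traces "$ROOT"
echo "hits: $(count_esxiargs_hits "$ROOT")"
```

A non-zero hit count on an unpatched host means it should be isolated and its VM files preserved untouched: the `.args` metadata is exactly what a researcher needs to assess whether decryption is possible.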
If you have any new information or a sample of the malware, please share it so that researchers can analyze it and potentially identify any weaknesses.
🚨Read my blog: https://angrysysops.com/