The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory warning about an ongoing ESXiArgs ransomware campaign targeting unpatched and out-of-service or out-of-date versions of the VMware ESXi hypervisor for virtual machines (VMs).
The OpenSLP service contains a heap overflow bug that can be exploited by unverified threat actors in simple attacks. This security hole is identified as CVE-2021-21974 on the CVE database. 3,800 VMware ESXi servers around the world have reportedly been compromised, potentially rendering any running VMs useless, as per CISA.
Application of the patch as soon as feasible is strongly advised by CERT-FR, but it also says that systems that are not patched should be checked for indicators of compromise.
Although it has since moved to North America, the ESXiArgs ransomware appears to have begun attacking servers in Europe around February 3. Organizations should isolate impacted servers, reinstall ESXi 7. x or ESXi 8. x in a supported version, and apply any patches, according to the French computer emergency response team (CERT).
Updated ESXiArgs Ransomware
On infected ESXi hosts, the ransomware encrypts files with the. vmxf,.vmx,.vmdk,.vmsd, and. nvram extensions and produces a.args file for each encrypted document with metadata.
The research shows that ESXiArgs is based largely on stolen Babuk source code, which has previously been used by other ESXi ransomware attacks, including CheersCrypt and the PrideLocker encryptor from the Quantum/Dagon group. It is unclear whether this is a new variety or simply a shared Babuk codebase because the ransom notes for ESXiArgs and Cheerscrypt are quite similar but the encryption technique is distinct.
CISA and FBI urged owners of VMware ESXi servers to upgrade them to the most recent version, harden ESXi hypervisors by turning off the SLP service and make sure the ESXi hypervisor is not accessible through the open internet.