Enterprotect

ESXiArgs Ransomware Attacks Targeting Vulnerable VMware ESXi Servers

VMware has issued a warning to customers to upgrade to the latest available software releases of vSphere components and to disable the OpenSLP service to address the threat of ransomware attacks targeting ESXi servers. ESXi servers that are unpatched against the OpenSLP security flaw (CVE-2021-21974) are vulnerable to attacks from unauthenticated threat actors.

This malware, known as ESXiArgs ransomware, has already impacted thousands of vulnerable targets worldwide, according to data from Censys. The attackers use the malware to encrypt important files on the ESXi server and demand a ransom in exchange for access to the data.

In this threat advisory, we will discuss the ESXiArgs ransomware attacks, their exposure and risk, and provide recommendations for mitigating the threat.

Introduction

VMware has issued a warning to customers regarding the ongoing ransomware attacks targeting vulnerable ESXi servers. The attackers use the ESXiArgs ransomware to encrypt important files on the server and demand a ransom in exchange for access to the data. The attacks do not exploit a zero-day vulnerability; they target ESXi servers that are significantly out of date or have reached their End of General Support (EOGS).

What is the Threat?

The threat is the ESXiArgs ransomware attacks that are targeting vulnerable ESXi servers. The malware encrypts important files on the server, such as .vmxf, .vmx, .vmdk, .vmsd, and .nvra files, and demands a ransom in exchange for access to the data. The attackers are not exploiting a zero-day vulnerability; they target ESXi servers that are significantly out of date or have reached their End of General Support (EOGS).

Why is it Noteworthy?

These attacks are noteworthy because they are affecting thousands of vulnerable ESXi servers worldwide and causing disruption to the normal operations of these servers. The attackers are using a secure encryptor with no cryptography bugs, making it difficult to decrypt the encrypted data without paying the ransom.

What is the Exposure or Risk?

The exposure or risk from the ESXiArgs ransomware attacks is the loss of important data and disruption to the normal operations of the ESXi server. The attackers use the malware to encrypt important files on the server and demand a ransom in exchange for access to the data. This puts the data at risk of permanent loss if the ransom is not paid or if the decryption process fails.

What are the Recommendations?

VMware has recommended that customers upgrade to the latest available software releases of vSphere components and disable the OpenSLP service to mitigate the threat of the ESXiArgs ransomware attacks. Additionally, customers should keep their software up to date and follow best practices for securing their ESXi servers to reduce the risk of attack.
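One way to verify the recommendations above across a fleet is to collect the output of `vmware -v`, `chkconfig slpd` and `esxcli network firewall ruleset list -r CIMSLP` from each host and assess it centrally. The following is an added example (not Enterprotect's or VMware's code) that does that against constructed sample output; the fixed build number it uses is a placeholder and must be taken from VMware's advisory for CVE-2021-21974.

```python
"""Check an ESXi host's OpenSLP exposure (CVE-2021-21974) from captured command output.
Added example, not Enterprotect's or VMware's code; it parses text shaped like the output
of `vmware -v`, `chkconfig slpd` and `esxcli network firewall ruleset list -r CIMSLP`,
so it runs offline against output copied from a host."""
import re

def parse_build(vmware_v):
    """Return (major, build) from a `vmware -v` line like 'VMware ESXi 6.7.0 build-16075168'."""
    m = re.search(r"ESXi (\d+\.\d+)\.\d+ build-(\d+)", vmware_v)
    return (m.group(1), int(m.group(2))) if m else None

def slpd_enabled(chkconfig_out):
    """True unless `chkconfig slpd` reports the service as off."""
    return not re.search(r"^slpd\s+off\s*$", chkconfig_out, re.M)

def cimslp_ruleset_open(esxcli_out):
    """True if the CIMSLP firewall ruleset (SLP on TCP/UDP 427) is still enabled."""
    return bool(re.search(r"^CIMSLP\s+true\s*$", esxcli_out, re.M))

def assess(vmware_v, chkconfig_out, esxcli_out, fixed_builds):
    """Return a list of findings (empty means no OpenSLP exposure detected).
    fixed_builds maps an ESXi major version to the first build carrying the fix."""
    findings = []
    ver = parse_build(vmware_v)
    if ver is None:
        findings.append("unrecognised version string; check the build manually")
    else:
        major, build = ver
        fixed = fixed_builds.get(major)
        if fixed is None:
            findings.append(f"ESXi {major} has no fixed build listed (EOGS?); treat as vulnerable")
        elif build < fixed:
            findings.append(f"build {build} predates fixed build {fixed} for ESXi {major}")
    if slpd_enabled(chkconfig_out):
        findings.append("slpd is enabled; stop it and run chkconfig slpd off")
    if cimslp_ruleset_open(esxcli_out):
        findings.append("CIMSLP firewall ruleset is enabled; disable it")
    return findings

# Constructed sample output for an unpatched host. The fixed build number is a
# placeholder; take the real one from VMware's advisory for CVE-2021-21974.
SAMPLE_VERSION = "VMware ESXi 6.7.0 build-16075168"
SAMPLE_CHKCONFIG = "slpd            on\n"
SAMPLE_FIREWALL = "Name    Enabled\n------  -------\nCIMSLP  true\n"
PLACEHOLDER_FIXED_BUILDS = {"6.7": 17000000}

if __name__ == "__main__":
    for finding in assess(SAMPLE_VERSION, SAMPLE_CHKCONFIG, SAMPLE_FIREWALL, PLACEHOLDER_FIXED_BUILDS):
        print("FINDING:", finding)
```

A host that reports no findings has the patched build installed, the slpd service stopped and disabled, and the CIMSLP ruleset closed; anything else should be queued for patching.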