ESXiArgs Ransomware Attack Targets VMware Servers Worldwide

Home/Compromised, Data Breach, Exploitation, Internet Security, Ransomware, Security Advisory, Security Update/ESXiArgs Ransomware Attack Targets VMware Servers Worldwide

ESXiArgs Ransomware Attack Targets VMware Servers Worldwide

The vulnerability, tracked as CVE-2021-21974, is caused by a stack overflow issue in the OpenSLP service that unauthenticated threat actors in low-complexity attacks can exploit. 

What is ESXiArgs Ransomware ?

ESXiArgs is a ransomware attack that targets VMware ESXi servers globally. It uses an exploit to gain access to the servers and then encrypts the virtual machines hosted on them. The attackers then demand a ransom payment for the decryption of the data. The attack appears to be carried out by a well-funded and organized group and is highly effective, as ESXi servers are often used in critical infrastructure and can be difficult to secure.

CVE-2021-21974 affected systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

At least 120 VMware ESXi servers worldwide vulnerable to CVE-2021-21974 have already been compromised in this ransomware campaign, according to a Shodan search

Ransomware infects ESXi servers and encrypts files with extensions such as .vmxf, .vmx, .vmdk, .vmsd, and .nvram. For each encrypted file, the ransomware creates a .args file that contains metadata necessary for decryption.

The attackers claim to have stolen data, but one victim reported otherwise. The victim found no evidence of data theft as the infected machine had low daily usage, and no outbound data transfer was seen in the last 90 days.

Mitigation and remediation

In cases where patching CVE-2021-21974 will take time, note that VMware also published workarounds to help with mitigating the risk of exploitation.  As mentioned in the OVHcloud recommendations, the corresponding KB (76372) can be found here:

Conducting a full system scan to identify potential security breaches is highly recommended.Conduct regular backup practices and keep those backups offline or in a separate network.

Turn on the automatic software update feature on your computer, mobile, and other connected devices wherever possible and pragmatic.

Indicators of Compromise (IOCs)


Follow Us on: Twitter, InstagramFacebook to get the latest security news!

About the Author:

FirstHackersNews- Identifies Security

Leave A Comment

Subscribe to our newsletter to receive security tips everday!