Widespread Ransomware Attacks On Vulnerable VMware ESXi Installations

By   Adeola Adegunwa
Writer , Informationsecuritybuzz | Feb 06, 2023 05:15 am PST

In order to propagate the ESXiArgs ransomware, attackers actively target VMware ESXi servers that have not yet gotten a patch for a two-year-old remote code execution vulnerability, according to administrators, hosting firms, with the French Computer Emergency Response Team (CERT-FR). The OpenSLP service’s heap overflow issue is the cause of the security flaw, known as CVE-2021-21974, which unauthenticated threat actors can exploit to launch simple attacks.

According to the CERT-FR, these attack activities “appears to be exploiting the vulnerability CVE-2021-21974, for which a fix has been available since February 23, 2021. “ESXi hypervisors in version 6.x and earlier would be the systems currently targeted,” the statement continued. Administrators must disable the vulnerable Service Location Protocol (SLP) service on un-updated ESXi hypervisors in order to thwart incoming attacks.


The patch should be installed as soon as feasible; however, CERT-FR also advises scanning systems that have not yet been patched for evidence of compromise.

CVE-2021-21974 affects the following systems:

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG

The large wave of attacks against VMware ESXi servers has been linked to the Nevada ransomware operation, according to a study released today by the French cloud service provider OVHcloud.

“Authorities and ecosystem specialists believe they could be connected to the Nevada ransomware because they use the CVE-2021-21974 vulnerability as a compromise vector. Investigations are still being conducted to support such hypotheses “Julien Levrard, CISO of OVHcloud, said.

The attack appears to be using the OpenSLP port (427), which predominantly targets ESXi servers older than 7.0 U3i.

New ESXiArgs ransomware encrypts files

But judging by the ransom notes in this attack, they don’t seem connected to the Nevada Ransomware and instead seem to be part of a brand-new ransomware family.

On infected ESXi hosts, the ransomware encrypts files with the.vmxf,.vmx,.vmdk,.vmsd, and.nvram extensions and generates an.args file with metadata for each encrypted file (likely needed for decryption).

The threat actors claimed to have stolen data in this attack. “According to the results of our investigation, no data has been compromised. We observed traffic statistics for the last 90 days and couldn’t find any indication of outgoing data transfer, “Admin” said. In our example, the hacked system had more than 500 GB of data but only used 2 Mbps regularly.

On closed systems, ransom notes with the filenames “ransom.html” and also “How to Restore Your Files.html” have also been discovered by victims. Others claimed that their notes were stored in unencrypted files.

Ransomware Targeting VMware ESXi 

Fortunately, the ransomware used in this attack is really bad. French cloud provider OVH saw the effort, and they believe that the encryption occasionally fails, but the data is not exfiltrated. Tools for decryption are already accessible.

The organization has also seen the following signs of compromise. It has been determined that the compromise vector makes use of an OpenSLP vulnerability that may be CVE-2021-21974 (still to be confirmed). The user dc-ui is identified in the logs as involved in the compromised procedure.

A public key placed by the malware in /tmp/public.pem is used for encryption. Virtual machine files (.vmdk,.vmx,.vmxf,.vmsd,.vmsn,.vswp,.vmss,.nvram, *.vmem) are specifically targeted by the encryption process, which seeks to shut down virtual machines by destroying the VMX process in order to unlock the files.

Files remain locked because this function consistently fails to operate as planned. To save the arguments supplied to the encryption code, the virus produces an argsfile (number of MB to skip, number of MB in encryption block, file size).

Users should be able to tell if they were a target of this operation and may have contracted ransomware using the information above.

In the meantime, VMware issued a security advisory on February 2 regarding an Arbitrary file deletion vulnerability in its Workstation desktop hypervisor’s version 17.x. A hostile actor with local user access to the victim’s computer might use CVE-2023-20854 to remove arbitrary files from the machine’s file system, according to its 7.8/10 security rating.


French Computer Emergency Response Team, hosting businesses, and administrators (CERT-FR) issue a warning that attackers actively target VMware ESXi servers that have not yet received a patch for a two-year-old remote code execution vulnerability in order to spread the ESXiArgs ransomware. The security weakness, identified as CVE-2021-21974, results from heap overflow problems caused by a heap overflow issue in the OpenSLP service. Unauthenticated threat actors can utilize it to launch simple attacks. According to the CERT-FR, these attack activities appear to be exploiting the vulnerability CVE-2021-21974, for which a fix has been available since February 23, 2021. “ESXi hypervisors in version 6.x and earlier would be the systems currently targeted,” the statement continued. Administrators must disable the vulnerable Service Location Protocol (SLP) service on un-updated ESXi hypervisors in order to thwart incoming attacks. The patch should be installed as soon as feasible; however, CERT-FR also advises scanning systems that have not yet been patched for evidence of compromise.

Notify of
6 Expert Comments
Oldest Most Voted
Inline Feedbacks
View all comments
Matt Aldridge
Matt Aldridge , Principal Solutions Architect
InfoSec Expert
February 9, 2023 12:21 pm

“Ransomware attacks are persistent and the most prominent threats to UK organisations, including big damage to the public sector, according to the latest report of the National Cybersecurity Centre (NCSC). The escalation of the ESXiArgs ransomware attacks is a clear indication that cyber-attacks are becoming increasingly targeted at critical virtual server infrastructure, which can often be difficult and sometimes impossible to patch – often needing to be completely replaced.
It’s now impossible for IT and security teams to address ransomware attacks like these with any single approach, process, or technology. Sensitive information held on critical infrastructure, like the impacted servers belonging to Florida’s Supreme Court or academic institutions is likely to be very valuable to organised criminals and nation-state actors alike.
Such data could command high prices on the dark web, may be used for criminal activities or sold to other unscrupulous government entities, via intermediaries, wishing to acquire information related to foreign affairs or intelligence activities. It is imperative for all organisations, but especially government agencies and educational institutions that hold sensitive data, to boost their security strategies to ensure sensitive, valuable data remains safe and protected.
To limit the impact of these attacks, companies that hold private information should ensure they have clearly defined security policies and procedures to avoid any leak of information. This starts with employee education, which underscores all effective cyber resilience and data protection strategies. Security awareness training programmes can now inform and educate employees on the latest threats in real-time, including information security, social engineering, malware, and industry-specific compliance topics. Attack simulations can also be used to automatically send users for re-education should any training issues be identified.
Secure and reliable backups of virtual machines are the final piece of the puzzle necessary to recover quickly from attacks such as this – ensure you are working with a technology provider who understands these challenges and who can supply mature, secure backup solutions to uphold your cyber resilience strategy. For those who need to rapidly migrate workloads to new environments to mitigate the risk of these attacks, consider contacting your partners about robust migration tools which are available to help do this quickly and safely, even into the cloud.”

Last edited 7 months ago by Matt Aldridge
Nigel Seddon
Nigel Seddon , Vice President EMEA West & North
InfoSec Expert
February 9, 2023 12:19 pm

With organisations already impacted by this vulnerability exploit, do these attacks represent the tip of the iceberg?

The fact that this attack comes from the exploitation of an old vulnerability, it is certain we are only seeing the tip of the iceberg when it comes to patching problems. While the patches to solve this vulnerability are out there, the sheer number of patches already available is overwhelming for teams. And with new ones being pushed out daily, it makes for a complex environment companies need to navigate. As a result, businesses don’t have the patches in place and carry the misconception that they’ll get away with it – particularly if they are a smaller company. It’s understandable that companies feel overwhelmed by the number of threats and corresponding patches. After all, implementing fixes can be time consuming and complex. But companies of all sizes need to realise that they can’t assume they’ll fly under the radar of bad actors.

Through the combination of organisations being slow to implement patches and old vulnerabilities resurfacing that companies don’t have patches in place for, the door is wide open for these attacks to keep happening. 

– Is there a risk this will continue to escalate and affect a broader pool of global businesses/organisations

Yes, especially amongst smaller organisations. As mentioned before, smaller companies have this misconception that because they’re small, they won’t get attacked and therefore there is no need to have the security in place. In addition, these smaller systems will have to be taken down in order to implement patches, resulting in the business being offline – something any organisation is rarely willing to do. However, until they are, these attacks will only continue to escalate. 

Organisations, of any size, are also notoriously slow at even noticing when an attack has taken place. If big companies can take two years to identify an attack, what about smaller companies that think they go unnoticed? This only compounded by the ongoing skills gap that lies within companies who don’t have the right training in place to support the security professionals trying to tackle these vulnerabilities. 

– What measures can be taken to mitigate threats in the wake of this vulnerability?

My advice is for companies to act now. Overestimate your preparedness, underestimate criminal competency, fail to implement patches for old and new vulnerabilities, and skip regularly scanning for threats that could be in your system for years, and you will continue to be at risk. 

Invest in the training and employees that will equip your team with the skills needed to proactively protect the business, not reactively fix it. Businesses must prioritise time and financial investment in security over other measures focused on bolstering their bottom lines. Fail to do so, and these attacks will only continue to increase and worsen. 

Last edited 7 months ago by Nigel.Seddon
Xavier Bellekens
InfoSec Expert
February 8, 2023 1:26 pm

“This massive campaign looks like the attackers behind it used scanners to run automated tests on across to internet to help them identify vulnerable VMWare ESXi servers, and then exploit the vulnerability to launch the ESXiArgs ransomware.
Over the course of the weekend, Lupovis has seen numerous new IPs scanning and exploiting the vulnerability, with attackers acting quick to catch organisations out before they have time to apply the patch. On Friday Lupovis saw 3 IPs scanning for vulnerable servers and by Monday morning this jumped to 40. On our decoys, we also saw the various IP touching most of our sectorial clusters which explains the diversity in targets in this campaign.

Interestingly enough, it seems that most of the affected servers pointed to many different wallets, i.e. definitely looking at mudding their tracks. On Saturday we reported over 150 different wallets, by having a quick look, I have now seen reports of 350 new wallets to pay the ransom.
When it comes to protecting against this vulnerability and stopping organisations getting caught up in this campaign, the VMWare patch must be applied to address this vulnerability. However, if the patch cannot be applied to systems, Lupovis recommends blocking the IP addresses below which relate to scanners that are actively working to find vulnerable servers.”

Last edited 7 months ago by xavier.belleken
Stefan van der Wal
Stefan van der Wal , Consulting Solutions Engineer, EMEA, Application Security
InfoSec Expert
February 8, 2023 1:25 pm

“The reported widespread ransomware attacks against unpatched VMware ESXi systems in Europe and elsewhere, appear to have exploited a vulnerability for which a patch was made available in 2021 – and this highlights how important it is to update key software infrastructure systems as quickly as possible. It isn’t aways easy for organizations to update software. In the case of this patch, for example, organizations need to disable temporarily essential parts of their IT infrastructure. But it is far better to face that than to be hit by a potentially damaging attack.
“Securing virtual infrastructure is vital. Virtual machines can be attractive targets for ransomware since they often run business-critical services or functions – and a successful attack could cause extensive disruption. It is particularly important to ensure that access to a virtual system’s management console is secured and can’t be easily accessed through a compromised account on the corporate network, for example.
“To fully protect virtual infrastructure, it is important to segregate it from the rest of the business network, ideally as part of a Zero Trust approach. Organizations deploying ESXi should update immediately to the latest version, if they haven’t already done so – and also do a full security scan of the servers to ensure they haven’t been compromised.”

Last edited 7 months ago by Stefan.van.der.Wal
Bernard Montel
Bernard Montel , EMEA Technical Director and Cybersecurity Strategist
InfoSec Expert
February 8, 2023 1:12 pm

“The sad truth is that we often see known vulnerabilities, with an exploit available, left unpatched. This puts organisations at incredible jeopardy of being successfully penetrated. In this case, with the 2-year old VMWare vulnerability, the threat is immense given the active exploitation.

“Virtualisation is at the heart of most organisations’ cloud strategy – whether on-premise, public or hybrid, with the hypervisor the backbone of IT. Threat actors know that targeting this level with one arrow can allow them to elevate their privileges and grant access to everything. If threat actors are able to gain access, they can push malware to infiltrate the hypervisor level and cause mass infection.

“The issue for many organisations is evaluating uptime, versus taking something offline to patch. In this case, the calculation really couldn’t be more straightforward – a few minutes of inconvenience or days of disruption.

“We know that threat actors favour known vulnerabilities impacting popular software — including Open Source, VMWare, ManageEngine, PrintNightmare and ProxyShell. Threat actors target these flaws knowing they can abuse admin rights to traverse the network and inflict damage, even holding sensitive information systems and data to ransom. For business continuity, its imperative security teams determine how to address exploited vulnerabilities while minimising the impact to the organisation instead of leaving known flaws unaddressed.”

Last edited 7 months ago by Bernard Montel

Recent Posts

Would love your thoughts, please comment.x