ESXiArgs Ransomware Targets VMware Servers in Europe — Urgent Action Required

Mr. Cyber
2 min read · Feb 19, 2023

Risk

A new wave of ESXiArgs ransomware attacks has hit vulnerable VMware servers across Europe, posing a significant risk to affected organizations. Researchers at Censys have identified over 1951 hosts infected with the ransomware in the past few days, with the campaign targeting servers in the United Kingdom, France, Germany, and the Netherlands.

Exploitation

The ESXiArgs ransomware exploits CVE-2021-21974, a heap-overflow vulnerability in the OpenSLP service used by ESXi versions 7.0, 6.7, and 6.5. An attacker with access to port 427 within the same network segment as the ESXi host may be able to trigger this vulnerability and achieve remote code execution. The ongoing infections suggest that many organizations have not updated their software, leaving them vulnerable to attack.

Monitoring

To track infections and act quickly to prevent further damage, Google has provided a monitoring dashboard (https://lookerstudio.google.com/u/0/reporting/b9e20c7d-a4f7-471b-81aa-32904a203dfb/page/HXuED) that lets organizations follow the spread of the ESXiArgs ransomware and respond promptly to protect their systems. In addition, a Shodan search (https://beta.shodan.io/search?query=html%3A%22We+hacked+your+company+successfully%22+title%3A%22How+to+Restore+Your+Files%22) lists hosts that currently display a ransom note containing the phrase “We hacked your company successfully” in the page body and “How to Restore Your Files” in the title. These results highlight the severity of the situation and the need for immediate action to protect vulnerable systems.

Remediation

To protect against the ESXiArgs ransomware campaign, organizations must ensure that their VMware ESXi servers are up to date with the latest security patches. The vulnerability exploited by the ransomware campaign was addressed by VMware in February 2021, and vulnerable versions of the software are now out of date.

Additionally, organizations can restrict access to the OpenSLP service (port 427) at the firewall, where applicable, so that untrusted hosts cannot reach vulnerable ESXi servers. Disabling SSH access, if enabled, may also help to mitigate the risk of attack until patches can be applied.
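As an added example (not part of the original post), here is a small Python check a defender can run against their own ESXi inventory. It mirrors the Shodan query from the Monitoring section by flagging a landing page whose body contains “We hacked your company successfully” and whose title is “How to Restore Your Files”, and it reports whether 427/tcp, the OpenSLP port named in the Exploitation section, is still reachable despite the firewall filtering recommended above. It assumes the ransom note is served on the host's HTTPS landing page; the function names are my own.

```python
import socket
import ssl
import urllib.request
from html.parser import HTMLParser

# Indicators taken verbatim from the Shodan query in the post, matched case-insensitively.
BODY_PHRASE = "we hacked your company successfully"
TITLE_PHRASE = "how to restore your files"

class _TitleAndText(HTMLParser):
    """Collect the <title> contents and the remaining visible text separately."""
    def __init__(self):
        super().__init__()
        self.title, self.text, self._in_title = [], [], False
    def handle_starttag(self, tag, attrs):
        self._in_title = tag.lower() == "title"
    def handle_endtag(self, tag):
        self._in_title = False
    def handle_data(self, data):
        (self.title if self._in_title else self.text).append(data)

def is_esxiargs_ransom_note(html: str) -> bool:
    """Both halves of the Shodan query must hold: the body phrase AND the title phrase."""
    p = _TitleAndText()
    p.feed(html)
    return (TITLE_PHRASE in " ".join(p.title).lower()
            and BODY_PHRASE in " ".join(p.text).lower())

def slp_port_open(host: str, timeout: float = 2.0) -> bool:
    """True when 427/tcp (OpenSLP) still accepts connections, i.e. it is not filtered."""
    try:
        with socket.create_connection((host, 427), timeout=timeout):
            return True
    except OSError:
        return False

def fetch_landing_page(host: str, timeout: float = 5.0) -> str:
    """Fetch https://<host>/ ; ESXi certificates are usually self-signed, so verification is off."""
    ctx = ssl.create_default_context()
    ctx.check_hostname, ctx.verify_mode = False, ssl.CERT_NONE
    with urllib.request.urlopen(f"https://{host}/", timeout=timeout, context=ctx) as r:
        return r.read().decode("utf-8", "replace")

def check_host(host, fetch=fetch_landing_page, port_check=slp_port_open):
    """Findings for one host; fetch/port_check are injectable so tests run offline."""
    try:
        note = is_esxiargs_ransom_note(fetch(host))
    except OSError:  # unreachable host or TLS failure: no note observed
        note = False
    return {"slp_exposed": port_check(host), "ransom_note": note}
```

Run `check_host("esx-host.internal")` for each name in your inventory; a host reporting `slp_exposed: True` needs the port-427 filtering above, and `ransom_note: True` means the system should be isolated and handled as an incident.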

By taking these steps, organizations can reduce their risk of falling victim to the ESXiArgs ransomware campaign and prevent the loss of valuable data.

Stay vigilant, stay safe, and take prompt remediation measures to protect your systems from these ongoing ransomware attacks.
