A new ESXiArgs ransomware is actively targeting VMware ESXi servers that are unpatched against a two-year-old remote code execution vulnerability known as CVE-2021-21974. The vulnerability originates from a heap overflow problem within the OpenSLP service, leaving it open to exploitation by attackers who do not require authentication. The ESXiArgs ransomware infects ESXi servers and also encrypts files with extensions such as .vmxf, .nvram, .vmx, .vmdk, .vmsd, and generating a separate .args file containing metadata for each encrypted file. To avoid these sorts of attacks, installing a vulnerability management tool to protect your IT infrastructure is essential.
The ransomware has been found to attack ESXi hypervisors in versions 6. x and before 6.7. To guard against such attacks, administrators should install the available patch and deactivate the susceptible Service Location Protocol (SLP) service on ESXi hypervisors that have not yet undergone updating. Vulnerability Management system can resolve these issues.
Affected Products from ESXiArgs Ransomware
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
A new ransomware campaign has emerged, targeting ESXi servers and encrypting files with the extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. The ransomware creates an encrypted document a .args file for each with metadata likely needed for decryption. The threat actors behind the attack claim to have stolen data, but some victims have reported that they did not infiltrate any data.
Many individuals who have fallen victim to these attacks have discovered ransom notes with the names “ransom.html” and also “How to Restore Your Files.html” on their encrypted systems. Some victims have reported that the ransom notes are plaintext files.
Investigations of the attack have shown that the ransom notes do not appear to be related to the Nevada Ransomware. They appear from a new ransomware family.
The ESXiArgs Ransomware breaches the server and deposits the following files in the /tmp directory:
- encrypt – The encryptor ELF executable.
- encrypt.sh – A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor.
- public.pem – A public RSA key used to encrypt the key that encrypts a file.
- motd – We will copy the ransom note in text form to /etc/motd to show it on login. We will also copy the server’s original file to /etc/motd1.
- index.html – The ransom note in HTML form that will replace VMware ESXi’s home page. The program will copy the server’s original file to index1.html in the same folder.
A shell script file initiates the encryption process by running it with several command line parameters, including the public RSA key file, the file to be encrypted, the segments of data that will remain unencrypted, the size of an encryption block, and the size of the file.
Once you start encrypt.sh, the script will modify the configuration files (.vmx) of the ESXi virtual machine by changing the strings ‘.vmdk’ and ‘.vswp’ to ‘1.vmdk’ and ‘1.vswp’.
The script then terminates all running virtual machines by force-terminating (kill -9) all processes containing the string ‘vmx‘
Then the script gets a list of all ESXi volumes and searches for .vmdk, .vmx, .vmfx, .nvram .. etc
For each found file, the script will create a [file_name].args file in the same folder, which contains the computed and file sizes.
The script will then use the ‘encrypt’ executable to encrypt the files based on the computed parameters.
After the encryption, the script will replace the ESXi index.html file and the server’s motd file with the ransom notes.
Finally, the script performs cleanup activities like deleting logs, removing a Python backdoor installed, and modifying multiple files. The script updates configuration files and starts SSH at the end.
Administrators need to deactivate the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that require an update to prevent incoming assaults like ESXiArgs Ransomware.