A new ESXiArgs ransomware is actively targeting VMware ESXi servers that are unpatched against a two-year-old remote code execution vulnerability known as CVE-2021-21974. The vulnerability originates from a heap overflow in the OpenSLP service and can be exploited by attackers without authentication. The ESXiArgs ransomware infects ESXi servers and encrypts files with extensions such as .vmxf, .nvram, .vmx, .vmdk and .vmsd, generating a separate .args file containing metadata for each encrypted file.
The ransomware has been found to attack ESXi hypervisors in versions 6.x and earlier than 6.7. To guard against such attacks, administrators should install the available patch and disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not yet been updated. The affected builds are:
- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG
A new ransomware campaign has emerged, targeting ESXi servers and encrypting files with the extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. For each encrypted file, the ransomware creates a .args file containing metadata that is likely needed for decryption. The threat actors behind the attack claim to have stolen data, but some victims have reported that no data was exfiltrated.
Many victims of these attacks have found ransom notes named “ransom.html” and “How to Restore Your Files.html” on their encrypted systems. Some victims have reported that the ransom notes are plaintext files.
Investigations of the attack have shown that the ransom notes do not appear to be related to the Nevada ransomware and appear to come from a new ransomware family.
Upon the server being breached, the following files are deposited in the /tmp directory:
- encrypt – The encryptor ELF executable.
- encrypt.sh – A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor, as described below.
- public.pem – A public RSA key used to encrypt the key that encrypts a file.
- motd – The ransom note in text form will be copied to /etc/motd, so it is shown on login. The server’s original file will be copied to /etc/motd1.
- index.html – The ransom note in HTML form that will replace VMware ESXi’s home page. The server’s original file will be copied to index1.html in the same folder.
The encryption process is initiated by a shell script file that runs it with several command line parameters, including the public RSA key file, the file to be encrypted, the segments of data that will remain unencrypted, the size of an encryption block, and the size of the file.
Once encrypt.sh starts, the script modifies the ESXi virtual machine configuration files (.vmx) so that the strings ‘.vmdk’ and ‘.vswp’ are changed to ‘1.vmdk’ and ‘1.vswp’.
The script then terminates all running virtual machines by force-killing (kill -9) every process whose name contains the string ‘vmx’.
Next, the script gets a list of all ESXi volumes and searches them for files with extensions such as .vmdk, .vmx, .vmxf and .nvram.
For each file found, the script creates a [file_name].args file in the same folder, which contains the computed encryption parameters and the file size.
The script will then use the ‘encrypt’ executable to encrypt the files based on the computed parameters.
After the encryption, the script will replace the ESXi index.html file and the server’s motd file with the ransom notes.
Finally, the script performs cleanup activities such as deleting logs, removing a Python backdoor that had been installed, and modifying multiple files. The script updates configuration files and starts SSH at the end.
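The steps above leave host-level traces that a responder can check read-only. The following POSIX shell helper is an added example, not code from the original post or from any vendor tool: it looks for the dropped files listed above, counts .args sidecars under a datastore root, and flags .vmx files whose disk references were rewritten to “1.vmdk”/“1.vswp” (a referenced file that is missing while the un-renamed original still exists beside it, which avoids false positives on legitimately named disks such as disk1.vmdk). The directory roots are parameters, and make_sample_tree builds a constructed tree so the demo runs offline.

```shell
#!/bin/sh
# Added triage helper (assumption: not from the post or any vendor tool). Read-only.

# Count the dropped files from the post that exist under the given tmp, etc and web roots.
count_dropped_files() {
    tmp="$1"; etc="$2"; web="$3"; n=0
    for f in "$tmp/encrypt" "$tmp/encrypt.sh" "$tmp/public.pem" "$tmp/motd" \
             "$etc/motd1" "$web/index1.html"; do
        if [ -e "$f" ]; then echo "dropped-file: $f" >&2; n=$((n+1)); fi
    done
    echo "$n"
}

# Count .args sidecars under a datastore root (the script writes one per encrypted file).
count_args_sidecars() {
    find "$1" -type f -name '*.args' | wc -l | tr -d ' '
}

# Count .vmx files holding a quoted value ending in 1.vmdk or 1.vswp that points at a
# missing file while the name without the inserted "1" exists (the rewrite the post describes).
count_tampered_vmx() (
    IFS=$(printf '\nx'); IFS=${IFS%x}      # split find output on newlines only
    n=0
    for vmx in $(find "$1" -type f -name '*.vmx'); do
        dir=$(dirname "$vmx")
        refs=$(sed -n 's/^[^=]*= *"\([^"]*\)".*/\1/p' "$vmx" \
               | grep -e '1\.vmdk$' -e '1\.vswp$' || true)
        for ref in $refs; do
            case "$ref" in /*) path="$ref" ;; *) path="$dir/$ref" ;; esac
            orig="${path%1.*}.${path##*.}"     # victim1.vmdk -> victim.vmdk
            if [ ! -e "$path" ] && [ -e "$orig" ]; then
                echo "tampered-vmx: $vmx -> $ref" >&2; n=$((n+1)); break
            fi
        done
    done
    echo "$n"
)

# Constructed sample tree for the demo: one clean VM, one VM showing the indicators.
make_sample_tree() {
    base="$1"
    mkdir -p "$base/tmp" "$base/etc" "$base/web" "$base/ds/clean" "$base/ds/victim"
    printf 'scsi0:0.fileName = "clean.vmdk"\n' > "$base/ds/clean/clean.vmx"
    : > "$base/ds/clean/clean.vmdk"
    printf 'scsi0:0.fileName = "victim1.vmdk"\nsched.swap.derivedName = "victim1.vswp"\n' \
        > "$base/ds/victim/victim.vmx"
    : > "$base/ds/victim/victim.vmdk"; : > "$base/ds/victim/victim.vmdk.args"
    : > "$base/tmp/encrypt.sh"; : > "$base/tmp/public.pem"; : > "$base/etc/motd1"
}
```

On a real host the roots would be /tmp, /etc, the ESXi web root and /vmfs/volumes; run the three count functions against them and treat any non-zero result as a reason to isolate the host and preserve the artefacts before cleanup.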
To prevent incoming assaults, administrators need to deactivate the Service Location Protocol (SLP) service, which is vulnerable, on ESXi hypervisors that have not been updated yet.
SanerNow Network Scanner detects this vulnerability. Use SanerNow and keep your systems updated and secure.