VMware ESXi Ransomware Attacks: 5 Things To Know
The ESXiArgs ransomware campaign has succeeded at compromising thousands of servers running VMware’s ESXi hypervisor — though the lack of sophistication of the attacks could make recovery easier for victims, a security researcher tells CRN.
A Widespread Threat
The “ESXiArgs” ransomware campaign, which targets servers running unpatched versions of the VMware ESXi hypervisor, has now struck thousands of servers across the U.S., Canada and Europe since reports of the attacks first emerged late last week. On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI released an advisory on the attacks that puts the number of compromised servers worldwide at 3,800. The attacks are exploiting a two-year-old vulnerability that affects older versions of VMware ESXi and is tracked at CVE-2021-21974, according to researchers.
[Related: ‘No Warranty’: ESXiArgs Ransomware Decryptor Is Not To Be Used Lightly]
“Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware,” CISA and the FBI said in the joint advisory. The ESXiArgs ransomware works by encrypting configuration files located on ESXi servers, “potentially rendering virtual machines (VMs) unusable,” the advisory says.
In another indicator of the severity of the situation, CISA took an unusual step for a government agency in releasing a decryptor script that aims to aid recovery from the ESXiArgs ransomware. Ultimately, “from a campaign standpoint, the ESXiArgs campaign seems to be pretty successful,” said Erick Galinkin, principal researcher at cybersecurity firm Rapid7, in an interview with CRN.
According to cybersecurity vendor Wiz, 12 percent of servers running the VMware ESXi hypervisor were unpatched as of Tuesday against CVE-2021-21974, a vulnerability first disclosed in 2021. The vulnerability affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code. The targets in the ESXiArgs attacks are “primarily” VMware ESXi servers that run versions of the hypervisor prior to 7.0 U3i, according to Wiz.
Meanwhile, other attackers besides those carrying out the ESXiArgs campaign have now been found to be exploiting the vulnerability in VMware ESXi, as well, Galinkin said.
What follows are five key things to know about the VMware ESXi ransomware attacks.