VMware ESXi Ransomware Attacks: 5 Things To Know

The ESXiArgs ransomware campaign has succeeded at compromising thousands of servers running VMware’s ESXi hypervisor — though the lack of sophistication of the attacks could make recovery easier for victims, a security researcher tells CRN.

A Widespread Threat

The “ESXiArgs” ransomware campaign, which targets servers running unpatched versions of the VMware ESXi hypervisor, has now struck thousands of servers across the U.S., Canada and Europe since reports of the attacks first emerged late last week. On Wednesday, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI released an advisory on the attacks that puts the number of compromised servers worldwide at 3,800. The attacks are exploiting a two-year-old vulnerability that affects older versions of VMware ESXi and is tracked as CVE-2021-21974, according to researchers.


“Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware,” CISA and the FBI said in the joint advisory. The ESXiArgs ransomware works by encrypting configuration files located on ESXi servers, “potentially rendering virtual machines (VMs) unusable,” the advisory says.

In another indicator of the severity of the situation, CISA took an unusual step for a government agency in releasing a decryptor script that aims to aid recovery from the ESXiArgs ransomware. Ultimately, “from a campaign standpoint, the ESXiArgs campaign seems to be pretty successful,” said Erick Galinkin, principal researcher at cybersecurity firm Rapid7, in an interview with CRN.

According to cybersecurity vendor Wiz, 12 percent of servers running the VMware ESXi hypervisor were unpatched as of Tuesday against CVE-2021-21974, a vulnerability first disclosed in 2021. The vulnerability affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code. The targets in the ESXiArgs attacks are “primarily” VMware ESXi servers that run versions of the hypervisor prior to 7.0 U3i, according to Wiz.

Meanwhile, other attackers besides those carrying out the ESXiArgs campaign have now been found to be exploiting the vulnerability in VMware ESXi, as well, Galinkin said.

What follows are five key things to know about the VMware ESXi ransomware attacks.

Why The Attacks Are So Successful

A major reason for the success of the ESXiArgs ransomware campaign would appear to be the sheer volume of vulnerable targets. Rapid7’s Galinkin told CRN that his own research — using the company’s scanning tools and data from its Project Sonar surveys — found that 18,581 internet-connected VMware ESXi servers remained vulnerable to CVE-2021-21974 as of late January. “That’s a huge exposure surface,” he said, and it’s likely that “the majority of those are still vulnerable.”

Notably, ESXiArgs is not particularly sophisticated as far as ransomware attacks go, Galinkin said. With past attacks by ransomware groups such as Conti or Black Basta, “there’s a certain level of sophistication in those that we’re not necessarily seeing” with the ESXiArgs campaign, he said. Often, however, those groups have tended to carry out highly focused ransomware attacks, which are more thoroughly damaging to the victims, Galinkin said.

On the other hand, in the case of ESXiArgs, “they didn’t cover all their bases with this campaign,” he said. That’s the reason why CISA was actually able to provide a script to help victims to recover from the attacks, Galinkin said, because the attackers “essentially left a path to re-establish what you had.” A more-sophisticated and thorough attack, narrowly targeted to hit certain victims, would have been less likely to leave this type of path open, he said.

The Recovery Tool

CISA said that its ESXiArgs decryptor script is based on the findings of researchers Enes Sonmez and Ahmet Aykac, and noted that “any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it.”

“While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” CISA said in its page for the tool on GitHub. “Do not use this script without understanding how it may affect your system.”

If it works effectively, the script should “let you get back to an operational state,” Rapid7’s Galinkin told CRN. The script works by allowing users to un-register the virtual machines (VMs) whose configuration files have been encrypted by the ransomware, and then re-register them with a new configuration file, he said.

You’ll still need to have had a backup of the part of the VM that was encrypted to fully restore your system — but as long as you have that, the script “just gives you a way to function while you clean it up,” Galinkin said. He noted that he doesn’t believe CISA has ever provided a decryptor for ransomware recovery in the past.

In an advisory Monday, VMware noted that there’s a correlation between the ESXiArgs attacks and servers that are either at end-of-support or “significantly out-of-date.” For organizations that are managing VMware ESXi servers and haven’t been hit by the ESXiArgs ransomware, there are several recommended steps to take.

The most obvious, but not necessarily the easiest, is to patch servers to current versions of the ESXi software. The OpenSLP service was disabled in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, VMware said. ESXi hypervisors can also be protected by disabling the SLP (Service Location Protocol) service, CISA noted.

Another recommended step is to make sure that ESXi servers are not internet-facing. “An ESXi server usually shouldn’t even be on the internet,” Galinkin said. Generally speaking, “don’t put your VM server on the internet.”

But if it needs to be for some reason, configuring a web application firewall (WAF) to ensure that only IP addresses on your VPN have access to the server “would be a totally reasonable solution,” he said. “There are ways to configure a firewall that would actually protect you from exploitation here.”
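As an added illustration of the SLP mitigation described above (example code written for this page, not VMware’s or CISA’s own tooling): a POSIX shell check that reads the output of `chkconfig slpd` and `esxcli network firewall ruleset list` to decide whether SLP is still reachable on a host, plus a `disable_slp` helper carrying the stop/firewall/chkconfig sequence from VMware KB 76372. The function names and the exact column layout parsed are assumptions; run it only on hosts you administer.

```shell
#!/bin/sh
# Hypothetical ESXi SLP exposure check (added example, not from the article).
# Assumes the ESXi Shell, where `chkconfig` and `esxcli` are available.

# slp_state: decide from two command outputs whether SLP is still reachable.
#   $1 = output of `chkconfig slpd`            (assumed format: "slpd   on|off")
#   $2 = output of `esxcli network firewall ruleset list`
#        (assumed columns: Name  Enabled, e.g. "CIMSLP  true")
# Prints "exposed" if the slpd daemon is on OR the CIMSLP firewall
# ruleset is enabled; prints "mitigated" only when both are off.
slp_state() {
  daemon_on=0
  rule_on=0
  printf '%s\n' "$1" | grep -Eq '^slpd[[:space:]]+on' && daemon_on=1
  printf '%s\n' "$2" \
    | awk '$1 == "CIMSLP" && $2 == "true" { found = 1 } END { exit !found }' \
    && rule_on=1
  if [ "$daemon_on" -eq 1 ] || [ "$rule_on" -eq 1 ]; then
    echo exposed
  else
    echo mitigated
  fi
}

# disable_slp: the VMware KB 76372 sequence, in order: stop the daemon,
# close the firewall ruleset for SLP, and keep slpd from starting on boot.
disable_slp() {
  /etc/init.d/slpd stop
  esxcli network firewall ruleset set -r CIMSLP -e 0
  chkconfig slpd off
}

# Live check when executed on an ESXi host; skipped elsewhere so the
# pure functions above can be exercised on constructed input.
if command -v esxcli >/dev/null 2>&1; then
  state=$(slp_state "$(chkconfig slpd)" "$(esxcli network firewall ruleset list)")
  echo "SLP on $(hostname): $state"
fi
```

A host reports "mitigated" only once both the daemon and the CIMSLP ruleset are off; patching to a fixed ESXi release is still the primary fix, since this only removes the exposed service.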

How It Got To This Point

The two major factors for why so many servers have been vulnerable to the ESXiArgs attacks each have their own likely explanations. For starters, to have more than 18,000 servers remaining unpatched “is a pretty huge number for a two-year-old vulnerability,” Rapid7’s Galinkin said. At the same time, it’s no secret why patching rarely moves fast: “Patching is annoying. Nobody’s ever excited to patch. And it requires downtime, which is not super exciting from a business standpoint.”

Another reason for the slowness of patching may simply be that, until now, unpatched ESXi servers didn’t seem like that big of a risk because the vulnerability hadn’t been exploited in the wild, Galinkin said. A rule of thumb for prioritizing patches is that the most exploitable vulnerabilities should be patched first. It just so happens that in this case, the affected servers were seen as low-risk until suddenly, late last week, they weren’t.

As for the large number of ESXi servers that are internet-facing, that could have a variety of causes. “My guess would be that there’s some business use case where you have some service that wants to talk to your VMs, and it’s just more convenient to put it on the internet,” Galinkin said. “We see that with a lot of misconfigurations. People will do things because they’re like, ‘Well, I just need to solve this problem. I just need to do this thing.’ And they’re not necessarily thinking about the potential security ramifications.”

“Not that it should, but when you’re trying to push a business use case, sometimes all the kicking and screaming of a security person is outweighed by the business justification,” he said.

More Attackers Jumping In

The ESXiArgs attacks — which have yet to be attributed to any particular group — are the most widespread campaign currently targeting unpatched VMware ESXi servers. But the group behind those attacks is not alone. Another ransomware strain, RansomExx2, which is written in Rust and targets Linux systems, has also been observed by Rapid7 exploiting the two-year-old ESXi vulnerability, Galinkin said.

In addition to ESXiArgs, “we’ve seen RansomExx2 campaigns, and we’ve seen exploitation of the vulnerability that doesn’t lead to ransomware,” he said. “ESXiArgs has been much more widespread based on community reporting — but based on our individual telemetry and resources, and intelligence sources, [the vulnerability] seems to be getting used pretty widely.”