Why Ransomware Attacks On VMware ESXi Customers Were ‘Bound To Happen’

A significant number of VMware ESXi servers were not only unpatched against a two-year-old vulnerability, but were also accessible via the internet—together posing a massive risk that attackers are now exploiting.


Amid widespread ransomware attacks against customers that use the VMware ESXi hypervisor, many have pointed the finger at the fact that the servers were not patched against a two-year-old vulnerability.

Arguably though, an even bigger misstep was the second condition that’s enabled attackers to succeed in the “ESXiArgs” ransomware campaign: The fact that the unpatched servers were also accessible via the internet.

[Related: VMware ESXi Ransomware Attacks: 5 Things To Know]

Sponsored post

Why is that potentially the bigger misstep? It’s because, infamously, patching software is easier said than done. It’s a tedious process that requires downtime for an organization’s IT systems.

But when it comes to deciding whether to make a virtual machine (VM) server internet-facing, the decision should be a lot simpler. “Don’t put your VM server on the internet,” said Erick Galinkin, principal researcher at cybersecurity firm Rapid7, in an interview with CRN.

Galinkin’s research—using Rapid7’s scanning tools and data from its Project Sonar surveys—found that 18,581 internet-connected VMware ESXi servers remained vulnerable to the ESXi flaw being exploited in the attacks as of late January. The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and FBI released an advisory Wednesday that estimated the number of compromised servers worldwide at 3,800.

Robby Hill, CEO of Florence, S.C.-based MSP HillSouth, told CRN he questions why a business would ever think it made sense to put its ESXi servers on the internet. VM servers are the core of an organization’s server infrastructure, he said, and their only utility is providing the execution of the VMs.

“They should never be exposed to the public,” Hill said. “It seems like this was almost bound to happen by designing the setup at these companies so poorly.”

Galinkin said his best guess is that some organizations utilize services that “want to talk to your VMs, and it’s just more convenient to put it on the internet.”

This is often the culprit when it comes to misconfigurations—people will make a decision based on the need to solve a certain problem at hand, without thinking about the larger ramifications for security, he said.

“Not that it should, but when you’re trying to push a business use case, sometimes all the kicking and screaming of a security person is outweighed by the business justification,” Galinkin said.

Decryptor No Longer Effective?

In an indicator of the severity of the situation, CISA took an unusual step for a government agency this week in releasing a decryptor script that aims to aid recovery from the ESXiArgs ransomware.

However, a report from Bleeping Computer suggested that the latest wave of attacks in the campaign are using a modified version of the ransomware that aims to more fully encrypt a victim’s data. That makes it likely the decryptor script will no longer work for victims of the latest ESXiArgs ransomware attacks, according to the report.

According to cybersecurity vendor Wiz, 12 percent of servers running the VMware ESXi hypervisor were unpatched as of earlier this week against CVE-2021-21974, a vulnerability first disclosed in 2021. The attacks began in early February and have targeted organizations in countries including the U.S., Canada, France and Germany, according to cybersecurity vendor Censys. Infections peaked on Feb. 3, the firm said.

The vulnerability affects the OpenSLP service in older versions of ESXi and can be exploited to enable remote execution of code. The targets in the ESXiArgs attacks are “primarily” VMware ESXi servers that run versions of the hypervisor prior to 7.0 U3i, according to Wiz.

More Attackers Have Jumped In

While the ESXiArgs campaign—which has yet to be attributed to any certain group—is the most widespread campaign currently targeting unpatched VMware ESXi servers, the group behind those attacks is not alone.

Another ransomware strain, RansomExx2, which is written in Rust and targets Linux systems, has also been observed by Rapid7 to have been exploiting the two-year-old ESXi vulnerability, Galinkin said.

In addition, “we’ve seen exploitation of the vulnerability that doesn’t lead to ransomware,” he said. “ESXiArgs has been much more widespread based on community reporting but based on our individual telemetry and resources, and intelligence sources, [the vulnerability] seems to be getting used pretty widely.”

In an advisory Monday, VMware noted that there’s a correlation between the ESXiArgs attacks and servers that are either at end-of-support or “significantly out of date.” The company disabled the OpenSLP service in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, the company noted.

VMware said that it’s “advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities” and that it also continues to recommend that customers disable the OpenSLP service in ESXi if they continue to use the older versions of the hypervisor.