A new spate of ESXiArgs ransomware infections has hit vulnerable VMware servers in the last few days, targeting servers in the United Kingdom, France, Germany, and the Netherlands.
Researchers at Censys have identified more than 500 hosts infected with the ESXiArgs ransomware in the last two days, a significant spike in what had been a relatively slow and steady progression since early February. The ransomware campaign emerged in the first few days of February and the attacks targeted VMware ESXi servers that had not been updated to address a vulnerability that VMware fixed in early 2021. The French CERT first identified the campaign, which mainly targeted servers hosted by French cloud provider OVH.
“In the current state of investigations, these attack campaigns seem to exploit the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to remotely exploit arbitrary code,” the French CERT advisory says.
Once the attacks began, researchers started looking for historical data that might indicate whether the campaign had actually begun earlier. Censys researchers were able to find a couple of VMware hosts that had been infected in October 2022 and had ransom notes that were similar to the ones used in the current campaign.
“On February 3, 2023, a ransomware campaign with the initial ESXiArgs variant began making headlines. As we examined historical trends around this campaign, we searched back to January 31, 2023, for hosts with signs of this ransomware. Prior to widely ramping up a campaign, threat actors often “test” their methods on a select few hosts, so we were hoping to understand more about the earlier stages of these attacks,” Mark Ellzey and Emily Austin of Censys wrote in an analysis.
“Two hosts appeared to have a ransom note on port 443 on January 31, 2023. Both are hosted on OVH; one appears to be running ESXi and the other a VMWare service we can’t further identify. We can’t discern which version of ESXi these hosts may be running, but we’ll note that Versions 6.5 and 6.7 reached end-of-life in October 2022.”
VMware released an update in February 2021 for the vulnerability that the ESXiArgs ransomware is targeting, and the vulnerable versions of the software are now out of date. But that clearly doesn’t mean that every organization has updated, as is evident by the ongoing ransomware infections.