CERT-FR, the French cybersecurity watchdog, published a notice last Friday disclosing a ransomware attack on VMware ESXi servers. Although France was the first to raise the alert, the attack was also detected in other countries, including Finland, Germany, Italy, the US, and Canada; at least 3,200 servers are affected as of today. Other countries may nevertheless also have fallen victim to this vulnerability.
For its part, DarkFeed, a deep-web monitoring feed, reported on Twitter that many servers had been encrypted and left with a specific ransom note. Rather than pointing to a website, the note directs victims to an encrypted messaging service to contact the attackers.
🌐 A new #ransomware attack is spreading like crazy 🚨
Many VMware ESXi servers got encrypted in the last hours with this ransom note 🧐
What’s interesting is that the bitcoin wallet is different in every ransom note. No website for the group, only TOX id 👀 pic.twitter.com/mgyoLxbXvg
— DarkFeed (@ido_cohen2) February 3, 2023
The investigations so far show that the attack involves a new ransomware variant relying on a two-year-old remote code execution vulnerability, known as CVE-2021-21974. Researchers observed that the encrypted files carry the following extensions: .vmx, .vmxf, .vmdk, .vmds and .nvram. In addition, each encrypted file is accompanied by a second file with the .args extension. The latter may be needed for eventual decryption, which explains why this ransomware attack was named ESXiArgs.
“[ESXiArgs] seem to exploit the CVE-2021-21974 vulnerability, which has been patched since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to execute arbitrary code remotely” – CERT-FR
In short, ESXiArgs triggers a heap overflow in the OpenSLP service, which is what lets attackers exploit this vulnerability. The very fact that such an attack emerged implies that the patch mentioned in the quote above was not applied everywhere.
In the meantime, CERT-FR strongly recommends testing systems to verify that they are not affected by this ransomware variant. Note that measures should be taken ahead of time to maintain continuity of service, in case the tests do not go as planned. The same applies to any update of a product or service.
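A triage helper for the recommendation above, written for this page as an added example (not CERT-FR's or VMware's code): it walks a datastore tree and flags VM files carrying the extensions listed earlier that also have a `.args` companion, the artifact the article describes. The sample datastore it builds is constructed; on a real ESXi host the datastores live under /vmfs/volumes, which is assumed here and not stated on the page.

```python
import os
import tempfile
from pathlib import Path

# Extensions the article reports as targeted by ESXiArgs. Each encrypted
# file is accompanied by a companion named "<original file>.args".
TARGETED_EXTENSIONS = {".vmx", ".vmxf", ".vmdk", ".vmds", ".nvram"}
ARGS_SUFFIX = ".args"


def find_esxiargs_artifacts(root):
    """Walk a datastore tree and return {vm_dir: [suspect files]}.

    A file is flagged when it has a targeted extension AND a sibling
    "<file>.args" companion exists in the same directory. Keys are VM
    directories relative to root; keys and file lists are sorted.
    """
    root = Path(root)
    hits = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        present = set(filenames)
        for name in filenames:
            if Path(name).suffix.lower() not in TARGETED_EXTENSIONS:
                continue  # not a VM file the ransomware targets
            if name + ARGS_SUFFIX in present:
                rel_dir = str(Path(dirpath).relative_to(root))
                hits.setdefault(rel_dir, []).append(name)
    return {vm: sorted(files) for vm, files in sorted(hits.items())}


def build_sample_datastore():
    """Create a CONSTRUCTED sample datastore in a temp dir for demonstration:
    vm-hit has .args companions for every VM file, vm-clean has none,
    vm-partial has one only for its .vmdk. Returns the directory path."""
    base = Path(tempfile.mkdtemp(prefix="esxiargs-demo-"))
    layout = {
        "vm-hit": ["vm-hit.vmx", "vm-hit.vmx.args", "vm-hit.vmdk",
                   "vm-hit.vmdk.args", "vm-hit.nvram", "vm-hit.nvram.args"],
        "vm-clean": ["vm-clean.vmx", "vm-clean.vmdk", "vmware.log"],
        "vm-partial": ["vm-partial.vmx", "vm-partial.vmdk",
                       "vm-partial.vmdk.args"],
    }
    for vm, files in layout.items():
        (base / vm).mkdir()
        for name in files:
            (base / vm / name).write_bytes(b"constructed sample content\n")
    return base
```

To try it, call `find_esxiargs_artifacts(build_sample_datastore())`; on a host, point it at the datastore root instead and treat any non-empty result as a reason to isolate the machine and start incident response.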