The ESXiArgs VMware Ransomware: What You Need To Know


At the beginning of February, a new ransomware strain targeting VMware virtual machine servers was seen for the first time. The ESXiArgs VMware ransomware attacks a well-known vulnerability in VMware ESXi servers. Thousands of servers across the world have already been infected, and anyone using a vulnerable version of VMware ESXi should update to a patched version as soon as possible. 

What Is VMware ESXi?

VMware ESXi is a bare-metal hypervisor that installs directly on physical servers. It allows server operators to partition hardware to run multiple virtual machines (VMs). It is part of VMware vSphere, which is a platform for managing and running enterprise workloads. 

What Is the ESXiArgs Ransomware?

ESXiArgs is ransomware that infiltrates servers, encrypts virtual machine images, and attempts to stop virtual machines from running. It then demands a bitcoin ransom. 

Early reports indicated that servers were being compromised via a vulnerability in VMware ESXi’s Open Service Location Protocol (OpenSLP) implementation, a heap-overflow vulnerability that allows an attacker to achieve remote code execution on target machines. However, it may be that the ransomware is also using a number of other software vulnerabilities. 

At the time of writing, thousands of servers have been compromised, including servers at hosting providers. As you might expect, VMware ESXi servers exposed to the open Internet are at the most risk. 

When the ransomware first hit, its developers made mistakes that allowed some victims to recover data, and a recovery script was quickly released by the Cybersecurity and Infrastructure Security Agency (CISA). However, a second version of ESXiArgs soon appeared, which “fixed” those mistakes, making data recovery unlikely. 

How to Mitigate the Impact of ESXiArgs

The ransomware attack appears to take advantage of a known vulnerability. In fact, it’s been known for over two years, and a patch has been available for almost as long. You should update immediately if you are running a version of VMware ESXi older than the following:

  • 7.x earlier than ESXi70U1c-17325551
  • 6.7.x earlier than ESXi670-202102401-SG
  • 6.5.x earlier than ESXi650-202102101-SG

Other potential mitigations include disabling the SLP service or blocking port 427, which the attack targets. 
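The steps above (check the build, then disable SLP and close port 427) as an added triage script that is not part of the original post or of VMware’s tooling. It runs in the ESXi shell: without arguments it only reports; with --apply it stops SLP, disables the host firewall’s CIMSLP ruleset (port 427) and keeps the service off across reboots, using the commands VMware documents for disabling SLP. The 7.x threshold is the build listed above; the 6.5 and 6.7 thresholds are placeholders to fill in from VMware’s advisory.

```shell
#!/bin/sh
# Added example, not from the original post: ESXiArgs triage for an ESXi host.
# Run in the ESXi shell. No arguments = report only; --apply = disable SLP.

PATCHED_BUILD_7X=17325551        # ESXi70U1c-17325551, from the post
PATCHED_BUILD_67X="FILL_ME_IN"   # placeholder: build number of ESXi670-202102401-SG
PATCHED_BUILD_65X="FILL_ME_IN"   # placeholder: build number of ESXi650-202102101-SG

# build_is_patched VERSION BUILD
# exit 0 = build is at or after the fixed build for that release line,
#      1 = older (still exposed), 2 = release line or threshold unknown.
build_is_patched() {
  case "$1" in
    7.*)  _min="$PATCHED_BUILD_7X" ;;
    6.7*) _min="$PATCHED_BUILD_67X" ;;
    6.5*) _min="$PATCHED_BUILD_65X" ;;
    *)    return 2 ;;
  esac
  case "$_min" in ''|*[!0-9]*) return 2 ;; esac   # placeholder not filled in
  case "$2"    in ''|*[!0-9]*) return 2 ;; esac   # build field not numeric
  [ "$2" -ge "$_min" ]
}

# parse_build "Releasebuild-17325551" -> 17325551 (format of esxcli's Build: field)
parse_build() { printf '%s\n' "$1" | sed 's/^Releasebuild-//'; }

if command -v esxcli >/dev/null 2>&1; then
  ver=$(esxcli system version get | awk '/^ *Version:/ {print $2}')
  build=$(parse_build "$(esxcli system version get | awk '/^ *Build:/ {print $2}')")
  if build_is_patched "$ver" "$build"; then
    echo "OK: ESXi $ver build $build is at or past the fixed build"
  else
    echo "ACTION: ESXi $ver build $build is older than the fixed build (or unknown); update now"
  fi
  echo "SLP daemon state:"; /etc/init.d/slpd status
  esxcli network firewall ruleset list | grep CIMSLP     # shows whether port 427 is open
  if [ "$1" = "--apply" ]; then
    /etc/init.d/slpd stop                                # stop the SLP daemon now
    esxcli network firewall ruleset set -r CIMSLP -e 0   # close port 427 in the host firewall
    chkconfig slpd off                                   # keep SLP disabled after reboot
  fi
else
  echo "esxcli not found: run this on the ESXi host itself" >&2
fi
```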

As always, comprehensive and up-to-date backups are one of the best defenses against ransomware attacks. If your virtual machine images and other data are backed up in a remote location, ransomware attacks are disruptive, but you can recover the data with no lasting harm. 

On the other hand, if the data is not backed up when ransomware encrypts it, it is likely gone for good. Even if you do pay a ransom, there’s no guarantee that the attacker will honor their commitment to decrypt the data.

A comprehensive disaster recovery solution is your business’ best long-term defense against ransomware. Liberty Center One’s Virtual Disaster Recovery as a Service (DRaaS) reduces the risk of data loss with continuous data protection, one-click file and VM recovery, and recovery time objectives of under 15 minutes.

Contact a disaster recovery expert today to learn more about our DRaaS, data protection, and off-site backup solutions.