Thousands of unpatched VMware ESXi servers hit by ransomware via old bug (CVE-2021-21974)

Late last week, unknown attackers launched a widespread ransomware attack hitting VMware ESXi hypervisors via CVE-2021-21974, an easily exploitable vulnerability that allows them to run exploit code remotely, without prior authentication.

VMware ESXi ransomware CVE-2021-21974

Patches for CVE-2021-21974, a vulnerability in ESXi’s OpenSLP service, have been provided by VMware two years ago, and this attack has revealed just how many servers are out there are still unpatched, with the SLP service still running and the OpenSLP port (427) still exposed.

The attack is ongoing

The French CERT (CERT-FR) and French cloud computing company OVH were the first to sound the alarm on Friday evening, positing that the attackers are exploiting CVE-2021-21974 and urging owners of unpatched and still unaffected servers to quickly patch or disable the SLP service.

On Sunday, the computer security incident response team of Italy’s National Cybersecurity Agency (ACN) echoed the warning.

After some initial speculation about the ransomware the attackers use to encrypt vulnerable servers, it has been confirmed that it’s a new ransomware family that has been dubbed ESXiArgs due to the targeted systems and the extension (.args) added to the encrypted virtual machines files (files with the .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem extensions). And, unfortunately, its encryption has no bugs that could be exploited.

ESXi is installed on bare-metal hosts, often rented from a cloud service provider. OVHcloud CISO Julien Levrard says that they’ve identified compromised hosts and have been notifying impacted customers, but did not say how many hosts have been hit.

Italian news agency ANSA says that “the attacks compromised dozens of IT systems in Italy in both the public and private sectors.” According to Censys, there are over 3,200 compromised servers, mostly in France, but, also in the US, Gernamy, Canada, the UK, the Netherlands, and other countries around the world.

What to do?

Admins whose ESXi servers have not been hit have probably already implemented the patch offered by VMware, have disabled the SLP service, and/or have made the servers unreacheable from the internet. If not, they may be simply lucky – but their luck will probably soon run out, so they should perform these actions.

There are many ransomware families – and other malware – out there capable of targeting VMware ESXi virtual machines and with a PoC exploit for CVE-2021-21974 being public, we can expect the threat actors wielding them to try the same trick.

Levrard says that the ransomware uses a public key deployed in /tmp/public.pem, that it tries to shut down virtual machines by killing the VMX process to unlock the files, that the attackers are not exfiltrating data before encrypting the files and that, in some cases, the encryption is only partial and data can be recovered. He pointed users to a VMDK file recovery procedure delineated by security researcher Enes Sönmez.

“We tested this procedure as well as many security experts with success on several impacted servers. The success rate is about 2/3. Be aware that following this procedure requires strong skills on ESXi environnements. Use it at your own risk and seek the help of experts to assist,” he added.

UPDATE (February 8, 2023, 07:10 a.m. ET):

The number of ESXiArgs ransomware victims has surpassed 3,800. CISA has released a recovery script for victim organizations.

Don't miss