Massive ESXiArgs Ransomware Attack Targets VMware ESXi Servers Worldwide

Source: https://cert-mu.govmu.org/cert-mu/?page_id=1747 (CERT-MU advisory page, published 2023-08-09)

Updated: 9 February 2023

The Cybersecurity and Infrastructure Security Agency (CISA) of the United States has released a recovery script for organisations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.

Organisations impacted by ESXiArgs are recommended to evaluate the script and the guidance in the accompanying README file to determine whether it is suitable for attempting to recover access to files in their environment.

Organisations can access the recovery script here: https://github.com/cisagov/ESXiArgs-Recover

------------------------------------------------------------

Date of Issue: 06 February 2023

Severity Level: High

Description:

Cybersecurity researchers have identified a new ransomware campaign actively targeting VMware ESXi servers around the world. Approximately 3200 VMware ESXi servers worldwide have been compromised in this ransomware campaign. The ransomware, dubbed "ESXiArgs", is being deployed by exploiting a two-year-old remote code execution vulnerability. Tracked as CVE-2021-21974, the vulnerability is caused by a heap overflow in the OpenSLP service and is being exploited by unauthenticated threat actors in low-complexity attacks. A patch for this vulnerability has been available since 23 February 2021. Because many servers were never upgraded, they remained vulnerable and could easily be exploited by the ransomware.

CERT-MU advises users to watch out for the vulnerability and apply workarounds accordingly.

Systems Affected:

- ESXi versions 7.x prior to ESXi70U1c-17325551
- ESXi versions 6.7.x prior to ESXi670-202102401-SG
- ESXi versions 6.5.x prior to ESXi650-202102101-SG

Technical Information

The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd and .nvram extensions on compromised ESXi servers and creates a .args file containing metadata for each encrypted file.

Victims have also found ransom notes named "ransom.html" and "How to Restore Your Files.html" on locked systems.

[Image: https://cert-mu.govmu.org/cert-mu/wp-content/uploads/2023/07/massive.png]

Workarounds

The following workarounds are recommended:

- To block incoming attacks, administrators are advised to disable the vulnerable Service Location Protocol (SLP) service on ESXi hypervisors that have not yet been updated.
- It is also advised to upgrade VMware ESXi servers to the latest version. More information about the update is available at: https://kb.vmware.com/s/article/1014165

Report Cyber Incidents

Report cyber security incidents on the Mauritian Cybercrime Online Reporting System (MAUCORS - http://maucors.govmu.org/)

Contact Information

Computer Emergency Response Team of Mauritius (CERT-MU)
Ministry of Information Technology, Communication and Innovation
Hotline No: (+230) 800 2378
Gen. Info.: contact@cert.govmu.org
Incident: incident@cert.govmu.org
Website: http://cert-mu.govmu.org
MAUCORS: http://maucors.govmu.org