2 min

Thousands of VMware ESXi servers worldwide were hit by a ransomware attack this weekend. The attack in question uses a two-year-old vulnerability for this type of servers, according to the French Computer Emergency Response Team (CERT-FR).

According to the French cybersecurity watchdog, a ransomware attack specifically targeting VMware ESXi servers has been underway since Friday, Feb. 3. The first reports came from France, but later also from Italy, Finland, the U.S. and Canada. In total, at least 3,200 servers are affected.

The affected servers are attacked by a two-year-old remote-code vulnerability, CVE-2021-21974, which is now being exploited to spread a new ESXiArgs ransomware variant. This vulnerability creates a “heap overflow” in the OpenSLP service. Cybercriminals can easily exploit this vulnerability. A patch for this has been available since February 2021, but apparently not yet implemented everywhere.

The vulnerability CVE-2021-21974 applies to the following systems: ESXi versions 7.x for build ESXi70U1c-17325551, ESXi versions 6.7.x for build ESXi670-202102401-SG and the ESXi versions 6.5.x for build ESXi650-202102101-SG. Especially the ESXi hypervisor versions 6.x to 6.7 are said to be the real target of the global ransomware attack at this time

ESXiArgs ransomware details

This attack involves a new variant of ransomware. It has been given the name ESXiArgs. Researchers note from samples that the ransomware encrypts files with the extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram. In addition, it creates an .args file for each encrypted document with metadata. This file may be needed for final decryption.

When a server is corrupted, a number of files are placed in the temp folder. These include the actual encryption file, encrypt.sh. That performs several tasks required to install the encryptor.

In addition, this folder also contains the files motd, the ransomware message in a .text file displayed at login and index.html and the page with the ransomware note that replaces the VMware ESXi homepage. This file is named index1.html.

Sosemanuk algorithm

More in-depth research shows that to encrypt a file, the ransomware generates 32 bytes using OpenSSL’s secure CPRNG RAND pseudo bytes. This key is used to encrypt the file with Sosemanuk. The file key itself is encrypted with RSA.

The use of the Sosemanuk algorithm is particularly noteworthy, according to experts. This suggests that this new ransomware uses Babuk (ESXi variant) source code. One has now apparently modified it to use RSA instead of the Babuk Curve25519 implementation.

Patch as soon as possible

CERT-FR warns that end users running VMware EXSi servers with the aforementioned hypervisor versions should patch as soon as possible. In any case, everyone should immediately test their systems to see if the ransomware variant with the mentioned features is already present on the systems before the patches are implemented.

Tip: Cybercriminals hijack VMware ESXi with never-before-discovered technique