VMware ESXi servers worldwide targeted by ransomware (8th February 2023)

Ref# AL2023_13 | Date: Feb 8th 2023


The French Computer Incident Response team (CERT-FR) issued a warning that attackers are actively targeting unpatched VMware ESXi servers to deploy a new ESXiArgs ransomware.


The recent attack campaigns against ESXi servers are seen exploiting the vulnerability CVE-2021-21974, which is believed to be the vector used to compromise the servers. The CVE-2021-21974 entails a heap-overflow vulnerability in OpenCL which is used in ESXi (7.0 before ESXi70U1c-17325551, 6.7 before ESXi670-202102401-SG, 6.5 before ESXi650-202102101-SG). Attackers can trigger a heap-overflow issue in the OpenSLP service through low-complexity attacks that results in remote code execution. However, a patch for this vulnerability was made available on the 23 of February 2021. VMware further confirmed that the attacks indeed exploit this older ESXi flaw, and it is not as a result of a zero-vulnerability.

The researchers at OVH cloud further established that the attacks primarily target ESXi servers in version before 7.0 U3i, apparently through the OpenSLP port (427) and believed that it might be related to the quite recent Nevada ransomware. However, after further investigations on the encrypted servers and the ransom note, the attack did not seem to be related to Nevada. The files were encrypted with different extensions such as .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and a .args file was created for each encrypted file containing metadata. Ransom notes named “ransom.html” and “How to Restore Your Files.html” also accompanied the encrypted files.

Researchers are now tracking the ransomware under the name ESXiArgs ransomware. After retrieving a copy of the encryptor and associated shell script, we have a basic understanding of how the ransomware operates. When a ESXi server is breached, the following files are stored in the /tmp folder:

  • encrypt – The encryptor ELF executable.

  • encrypt.sh – A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor.

  • public.pem – A public RSA key used to encrypt the key that encrypts a file.

  • motd – The ransom note in text form that will be copied to /etc/motd so it is shown on login. The server”s original file will be copied to /etc/motd1.

  • index.html – The ransom note in HTML form that will replace VMware ESXi”s home page. The server”s original file will be copied to index1.html in the same folder.

For a file to be encrypted, the encryptor generates 32 bytes using OpenSSL”s secure CPRNG RAND_pseudo_bytes, and this key is then used to encrypt the file using Sosemanuk, a secure stream cipher. The file key is encrypted with RSA (OpenSSL”s RSA_public_encrypt), and appended to the end of the file. The Sosemanuk algorithm is usually only used in ransomware derived from the Babuk (ESXi variant) source code and even though it is modified to use RSA instead of Babuk”s Curve25519 implementation, it is suggested that ESXiArgs is likely based on leaked Babuk source code. This trend has been previously seen in use by other ESXi ransomware campaigns, such as CheersCrypt and the Quantum/Dagon group”s PrideLocker encryptor. Researchers also noted that the ransom note for ESXiArgs and Cheerscrypt are very similar however the encryption method is different, and it is unclear if this ransomware is a new variant or just a shared Babuk codebase.

Indicators of Compromise 

The file hashes associated with ESXiArgs are:


  • 11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66

  • 10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459

  • 11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66


  • F25846f8cda8b0460e1db02ba6d3836ad3721f62


  • D0d36f169f1458806053aae482af5010

  • 87b010bc90cd7dd776fb42ea5b3f85d3


  1. For this specific ESXiArgs ransomware, VMware and researchers are advising users of ESXi servers to apply the latest patch as soon as possible to mitigate this attack. Systems that were left unpatched should also be scanned for any signs of compromise.

  1. It is also highly recommended to disable the vulnerable Service Location Protocol (SLP) service on ESXi servers.

  1. The CISA has recently released a tool to help organizations attempt recovery of VMs affected by ESXiArgs. However, before using this tool CISA advises that the script should be reviewed carefully to understand its nature and determine if it is appropriate for the environment before deploying it. Tool: https://github.com/cisagov/ESXiArgs-Recover

The Guyana National CIRT recommends that users and administrators review this alert and apply it where necessary.

PDF Download: VMware ESXi servers worldwide targeted by ransomware.pdf