A massive ransomware campaign exploiting a 2-year-old vulnerability in VMware ESXi servers has seen more than 3,200 servers attacked since Friday. An unknown threat actor is exploiting the flaw to deliver a new ransomware variant dubbed ESXiArgs, named after the .args extension appended to encrypted files. The ransomware uses the Sosemanuk algorithm to encrypt files, which is relatively rare. The same algorithm was used by Babuk ransomware, suggesting this ESXi variant was developed from the leaked Babuk source code.
The speed at which the attacks are being conducted has come as a surprise. The campaign was first detected by the French Computer Emergency Response Team (CERT-FR) on Friday, mostly targeting vulnerable VMware ESXi hypervisors belonging to OVHcloud customers. Initially, the majority of attacks were conducted in France, with attacks subsequently reported in Italy, Finland, the United States, Canada, and beyond. When CERT-FR issued its urgent announcement about the campaign, around 100 servers had been attacked; by Monday, more than 3,200 were believed to have been hit, according to Censys.
The campaign exploits a heap overflow vulnerability from 2021 in the OpenSLP service, tracked as CVE-2021-21974. VMware developed a patch to fix the vulnerability in February 2021, yet despite the vulnerability having a CVSS severity score of 8.8/10, many organizations had not applied the patch and are vulnerable to attack. If vulnerable ESXi servers are exposed to the Internet, the vulnerability can be exploited in a low-complexity attack to execute arbitrary code, which in this campaign sees ESXiArgs ransomware deployed.
Given the speed at which the vulnerability is being exploited, immediate patching is strongly recommended. Organizations should also assume that any vulnerable ESXi server exposed to the Internet has already been compromised and had malicious code delivered, so patching should be accompanied by scans of those systems for suspicious activity.
The vulnerability affects the following ESXi versions:
- ESXi versions 7.x for build ESXi70U1c-17325551
- ESXi versions 6.7.x for build ESXi670-202102401-SG
- ESXi versions 6.5.x for build ESXi650-202102101-SG
CERT-FR said the versions being targeted in this campaign appear to be ESXi hypervisor versions 6.x to 6.7, through the OpenSLP port 427, although immediate patching is strongly recommended for all vulnerable versions. As a workaround, the vulnerable Service Location Protocol (SLP) service should be disabled on any hypervisor that has not yet been updated to block incoming attacks.
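The checks and workaround described above, as an added example for an ESXi host (not code from the article, CERT-FR or VMware): it compares the running build against the first fixed build, looks for the .args extension ESXiArgs leaves on encrypted files, and applies the SLP workaround. The 7.0 fixed build comes from the article; the 6.7 and 6.5 build numbers are assumed from VMware's patch release notes and should be verified against VMware's advisory.

```shell
#!/bin/sh
# Added triage helper for an ESXi host (not from the original article).
# 1) compare the running build against the fixed builds for CVE-2021-21974
# 2) look for *.args files, the extension ESXiArgs gives encrypted files
# 3) apply VMware's interim workaround: stop slpd and block the SLP ruleset
# Assumption: 17325551 (ESXi70U1c) is from the article; 17499825 (6.7) and
# 17477841 (6.5) are taken from VMware's patch release notes, verify them.

# fixed_build_for <major.minor> -> first build that contains the fix
fixed_build_for() {
  case "$1" in
    7.0) echo 17325551 ;;   # ESXi70U1c-17325551 (from the article)
    6.7) echo 17499825 ;;   # ESXi670-202102401-SG (assumed, verify)
    6.5) echo 17477841 ;;   # ESXi650-202102101-SG (assumed, verify)
    *)   echo "" ;;
  esac
}

# esxi_patch_status <version> <build> -> patched | vulnerable | unknown
esxi_patch_status() {
  mm=$(printf '%s' "$1" | cut -d. -f1,2)
  fixed=$(fixed_build_for "$mm")
  [ -z "$fixed" ] && { echo unknown; return 0; }
  if [ "$2" -ge "$fixed" ] 2>/dev/null; then echo patched; else echo vulnerable; fi
}

# find_args_files <dir> -> lists encrypted-file indicators under datastores
find_args_files() {
  find "$1" -type f -name '*.args' 2>/dev/null
}

# disable_slp: VMware's workaround for hosts that cannot be patched yet
disable_slp() {
  if ! command -v esxcli >/dev/null 2>&1; then
    echo "esxcli not found: not an ESXi host, skipping workaround"; return 1
  fi
  /etc/init.d/slpd stop
  esxcli network firewall ruleset set -r CIMSLP -e 0   # block inbound port 427
  chkconfig slpd off                                   # keep slpd off after reboot
}

# On a real host, version and build come from `esxcli system version get`.
if command -v esxcli >/dev/null 2>&1; then
  ver=$(esxcli system version get | awk '/Version:/ {print $2}')
  bld=$(esxcli system version get | awk '/Build:/ {print $2}' | sed 's/.*-//')
  echo "ESXi $ver build $bld: $(esxi_patch_status "$ver" "$bld")"
  find_args_files /vmfs/volumes
fi
```

Run it from the ESXi shell; on a host that reports "vulnerable", apply the patch, and run disable_slp only where patching must wait.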