ESXiArgs: A ransomware spree targeting virtual machines worldwide

The ransomware known as ESXiArgs targets virtual machines that are hosted by the VMware ESXi hypervisor. The virtual discs of the virtual computers are encrypted by this ransomware, which then demands a ransom in return for the decryption key. Typically, the ESXiArgs ransomware attack begins with the attacker getting access to the ESXi host, either via software vulnerabilities or using stolen credentials. After gaining access to the ESXi host, the attacker can utilize a number of strategies to move laterally via the network and locate the virtual machines that need to be encrypted.

Attackers are actively focusing on unpatched VMware ESXi servers in order to use the brand-new ESXiArgs ransomware against a two-year-old remote code execution vulnerability. This attack’s ransom notes appear to be from a new ransomware family.

The ransomware encrypts files with the .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions on compromised ESXi servers and creates a .args file for each encrypted document with metadata (likely needed for decryption). After the encryption, the script replaces VMware ESXi’s home page index.html and the server’s motd file with the ransom notes. Finally, the script performs a cleanup of various Linux configuration files and a potential backdoor.

Researchers discovered that this new attack has affected 3,200 infected VMware ESXi servers worldwide. It was also discovered that ESXiArgs is possibly based on leaked Babuk source code, similar to other ESXi ransomware campaigns such as CheersCrypt and the Quantum/Dagon group’s PrideLocker encryptor.

The healthcare, financial, and government sectors are among those targeted by the ESXiArgs ransomware because they hold sensitive data on virtual machines and may be more inclined to pay a ransom to prevent data loss or business interruption. Attacks using the ESXiArgs ransomware have been documented worldwide, including North America, Europe, and Asia. Nevertheless, the targeted nations may vary depending on the attackers and their objectives.

For  more information and actionable recommendations, download SISA’s detailed technical advisory on the ESXiArgs ransomware.