CISA Alert AA23-039A: ESXiArgs Ransomware targets vulnerable ESXi servers

In the first week of February 2023, CISA, FBI, and CERT-FR published security advisories on ESXiArgs ransomware that exploits known vulnerabilities in unpatched VMware ESXi servers [1][2]. CISA estimates that more than 3800 servers are infected, mainly located in France, Germany, the US, Canada, and the Netherlands.

Picus Threat Library already had attack simulations for vulnerabilities exploited by the ESXiArgs ransomware. In this blog, we explain how ESXiArgs ransomware works and how threat actors abuse these vulnerabilities for ransomware attacks.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

ESXiArgs Ransomware

ESXiArgs ransomware is a ransomware variant that mainly targets organizations using unpatched or end-of-life (EOL) versions of VMware ESXi servers. ESXiArgs ransomware attacks were first observed in October 2022, and the number of attacks dramatically increased in February 2023. The ransomware threat actors mainly target organizations in France, Germany, the United States, Canada, and the Netherlands.

There are multiple ransomware variants that are named ESXiArgs ransomware. These variants show similar traits.

The initial access vector is VMware ESXi software.

The ransomware threat actors exploit a known critical remote code execution vulnerability. CVE-2021-21972 was disclosed two years ago and had a CVSS score of 9.8 (Critical). Organizations that use outdated or unpatched ESXi versions are potential targets for the ESXiArgs ransomware attacks.
Even though some organizations patched vulnerable ESXi servers or disabled SLP service, they were infected with ESXiArgs ransomware. Although the initial access method is not determined, all infected organizations were using VMware ESXi software that had publicly facing ESXi hypervisors.

The encryption method changes slightly between variants.

Earlier variants do not encrypt a large portion of the data if the file size is over 128 MB. Although encrypted data could not be decrypted without the key, researchers were able to devise a method to recover virtual machines in some cases.
Newer variants of ESXiArgs ransomware now encrypt 50% of the data if the file size is over 128 MB. This change practically makes the infected systems unrecoverable.

ESXiArgs ransomware does not exfiltrate data from infected systems and only uses a single extortion method with a hybrid encryption approach.

The secret key for file encryption is generated by using OpenSSL's secure CPRNG RAND_pseudo_bytes function. After encryption, the secret key is encrypted with a public RSA key named "public.pem".

ESXiArgs ransomware encrypts files with certain extensions given below.

.vmdk, .vmxf, .vmsd, .vmsn, .vmss, .vswp, .nvram, .vmem

What should organizations do?

ESXiArgs ransomware exploits an unauthenticated remote code execution vulnerability discovered two years ago. CVE-2021-21972 affects ESXi versions given below and has a CVSS score of 9.8 (Critical).

Affected Product	Vulnerable Versions	Patched Versions
VMware ESXi	version 7.x version 6.7.x version 6.5.x	version 7.0U1c or later version 6.7U3l or later version 6.5U3n or later

Although exploiting CVE-2021-21972 was not the only initial access method, the common initial access vector observed in ESXiArgs ransomware attacks was VMware ESXi servers. For this reason, organizations are recommended to:

update their ESXi servers to the latest version
disable the Service Location Protocol (SLP) of ESXi servers
ensure that their ESXi hypervisor is not exposed to the public internet

How Picus Helps Simulate ESXiArgs Ransomware Attacks?

We also strongly suggest simulating ESXiArgs ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware, such as BlackByte, Maui, and Zeppelin, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for ESXiArgs ransomware:

Threat ID	Threat Name	Attack Module
93000	ESXi Args Ransomware Download Threat	Network Infiltration
57787	ESXi Args Ransomware Email Threat	Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address ESXiArgs ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for ESXiArgs ransomware:

Security Control	Signature ID	Signature Name
Check Point NGFW	09CB1BEA6	Ransomware.Linux.ESXiArgs.TC.3b5aJOSg
Cisco Firepower		Auto.11B1B2.261543.in02
Forcepoint NGFW		File_Malware-Blocked
Fortigate AV	10123319	Python/ESXiArgs.VMVS!tr.ransom
Fortigate AV	10123245	ELF/Filecoder.85D3!tr.ransom
Palo Alto NGFW	571137464	trojan/Linux.uselvb423.a

Start simulating emerging threats today and get actionable mitigation insights with a  14-day free trial  of Picus The Complete Security Validation Platform.

References

[1] "ESXiArgs Ransomware Virtual Machine Recovery Guidance." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa23-039a. [Accessed: Feb. 23, 2023]

[2] "[MàJ] Campagne d'exploitation d'une vulnérabilité affectant VMware ESXi – CERT-FR." [Online]. Available: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/. [Accessed: Feb. 23, 2023]