CISA Alert AA23-039A: ESXiArgs Ransomware targets vulnerable ESXi servers

The Red Report 2024

The Top 10 MITRE ATT&CK Techniques Used by Adversaries

DOWNLOAD

In the first week of February 2023, CISA, FBI, and CERT-FR published security advisories on ESXiArgs ransomware that exploits known vulnerabilities in unpatched VMware ESXi servers [1][2]. CISA estimates that more than 3800 servers are infected, mainly located in France, Germany, the US, Canada, and the Netherlands.

Picus Threat Library already had attack simulations for vulnerabilities exploited by the ESXiArgs ransomware. In this blog, we explain how ESXiArgs ransomware works and how threat actors abuse these vulnerabilities for ransomware attacks.

Simulate Ransomware Threats with 14-Day Free Trial of Picus Platform

ESXiArgs Ransomware

ESXiArgs ransomware is a ransomware variant that mainly targets organizations using unpatched or end-of-life (EOL) versions of VMware ESXi servers. ESXiArgs ransomware attacks were first observed in October 2022, and the number of attacks dramatically increased in February 2023. The ransomware threat actors mainly target organizations in France, Germany, the United States, Canada, and the Netherlands. 

There are multiple ransomware variants that are named ESXiArgs ransomware. These variants show similar traits.

  • The initial access vector is VMware ESXi software.
    • The ransomware threat actors exploit a known critical remote code execution vulnerability. CVE-2021-21972 was disclosed two years ago and had a CVSS score of 9.8 (Critical). Organizations that use outdated or unpatched ESXi versions are potential targets for the ESXiArgs ransomware attacks.
    • Even though some organizations patched vulnerable ESXi servers or disabled SLP service, they were infected with ESXiArgs ransomware. Although the initial access method is not determined, all infected organizations were using VMware ESXi software that had publicly facing ESXi hypervisors.
  • The encryption method changes slightly between variants.
    • Earlier variants do not encrypt a large portion of the data if the file size is over 128 MB. Although encrypted data could not be decrypted without the key, researchers were able to devise a method to recover virtual machines in some cases.
    • Newer variants of ESXiArgs ransomware now encrypt 50% of the data if the file size is over 128 MB. This change practically makes the infected systems unrecoverable.
  • ESXiArgs ransomware does not exfiltrate data from infected systems and only uses a single extortion method with a hybrid encryption approach.
    • The secret key for file encryption is generated by using OpenSSL's secure CPRNG RAND_pseudo_bytes function. After encryption, the secret key is encrypted with a public RSA key named "public.pem".
  • ESXiArgs ransomware encrypts files with certain extensions given below.
    • .vmdk, .vmxf, .vmsd, .vmsn, .vmss, .vswp, .nvram, .vmem

What should organizations do?

ESXiArgs ransomware exploits an unauthenticated remote code execution vulnerability discovered two years ago. CVE-2021-21972 affects ESXi versions given below and has a CVSS score of 9.8 (Critical). 

Affected Product

Vulnerable Versions

Patched Versions

VMware ESXi

version 7.x

version 6.7.x

version 6.5.x

version 7.0U1c or later

version 6.7U3l or later

version 6.5U3n or later

Although exploiting CVE-2021-21972 was not the only initial access method, the common initial access vector observed in ESXiArgs ransomware attacks was VMware ESXi servers. For this reason, organizations are recommended to:

  • update their ESXi servers to the latest version
  • disable the Service Location Protocol (SLP) of ESXi servers
  • ensure that their ESXi hypervisor is not exposed to the public internet

How Picus Helps Simulate ESXiArgs Ransomware Attacks?

We also strongly suggest simulating ESXiArgs ransomware attacks to test the effectiveness of your security controls against ransomware attacks using the Picus The Complete Security Validation Platform. You can also test your defenses against hundreds of other ransomware, such as BlackByte, Maui, and Zeppelin, within minutes with a 14-day free trial of the Picus Platform.

Picus Threat Library includes the following threats for ESXiArgs ransomware

Threat ID

Threat Name

Attack Module

93000

ESXi Args Ransomware Download Threat

Network Infiltration

57787

ESXi Args Ransomware Email Threat

Email Infiltration (Phishing)

Moreover, Picus Threat Library contains 150+ threats containing 1500+ web application and vulnerability exploitation attacks in addition to 3500+ endpoint, malware, email, and data exfiltration threats as of today.

Picus also provides actionable mitigation content. Picus Mitigation Library includes prevention signatures to address ESXiArgs ransomware and other ransomware attacks in preventive security controls. Currently, Picus Labs validated the following signatures for ESXiArgs ransomware:

Security Control

Signature ID

Signature Name

Check Point NGFW

09CB1BEA6

Ransomware.Linux.ESXiArgs.TC.3b5aJOSg

Cisco Firepower

 

Auto.11B1B2.261543.in02

Forcepoint NGFW

 

File_Malware-Blocked

Fortigate AV

10123319

Python/ESXiArgs.VMVS!tr.ransom

Fortigate AV

10123245

ELF/Filecoder.85D3!tr.ransom

Palo Alto NGFW

571137464

trojan/Linux.uselvb423.a

Start simulating emerging threats today and get actionable mitigation insights with a 14-day free trial of Picus The Complete Security Validation Platform.

References

[1] "ESXiArgs Ransomware Virtual Machine Recovery Guidance." [Online]. Available: https://www.cisa.gov/uscert/ncas/alerts/aa23-039a. [Accessed: Feb. 23, 2023]

[2] "[MàJ] Campagne d'exploitation d'une vulnérabilité affectant VMware ESXi – CERT-FR." [Online]. Available: https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/. [Accessed: Feb. 23, 2023]