VMware today warned customers to install the latest security updates and disable the OpenSLP service targeted in a large-scale campaign of ransomware attacks against vulnerable, Internet-facing ESXi servers.
The company added that the attackers are not exploiting a zero-day vulnerability and that this service is disabled by default in ESXi software versions released since 2021.
Threat actors are also targeting products that are “significantly outdated” or have already reached their end of general support (EOGS), according to VMware.
“VMware has found no evidence to suggest that an unknown (0-day) vulnerability is being used to spread the ransomware used in these recent attacks,” VMware said.
“Most reports indicate that End of General Support (EOGS) and/or significantly obsolete products are targeted by known vulnerabilities that were previously addressed and disclosed in VMware Security Advisories (VMSAs).
“With this in mind, we advise customers to upgrade to the latest available supported versions of vSphere components to address currently known vulnerabilities. Additionally, VMware recommends disabling the OpenSLP service in ESXi.”
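The audit-and-disable procedure VMware recommends, as an added shell example (this is not code from the article or from VMware): the `esxcli`, `chkconfig` and `/etc/init.d/slpd` commands are the ones VMware documents for ESXi in KB 76372, while the `slp_exposed` helper, the output formats it parses and the sample outputs below are assumptions of this example.

```shell
#!/bin/sh
# Added example (not from the article or VMware): check whether the OpenSLP
# daemon (slpd, TCP/UDP 427) is still exposed on an ESXi host and, if so,
# disable it the way VMware KB 76372 describes. The esxcli / chkconfig /
# /etc/init.d/slpd commands exist in the ESXi shell; the parsing helper and
# the output formats it expects are assumptions of this example.

# slp_exposed STATUS_OUT FIREWALL_OUT CHKCONFIG_OUT
#   STATUS_OUT    : output of `/etc/init.d/slpd status`
#   FIREWALL_OUT  : output of `esxcli network firewall ruleset list -r CIMSLP`
#   CHKCONFIG_OUT : output of `chkconfig --list`
# Returns 0 (true) when any of the three shows SLP still reachable: the
# daemon is running, the CIMSLP firewall rule is open, or slpd is set to
# start again at boot. Returns 1 when all three are off.
slp_exposed() {
    status_out=$1
    fw_out=$2
    chk_out=$3

    # "slpd is not running" must be matched before "slpd is running".
    case "$status_out" in
        *"is not running"*) ;;
        *"is running"*) return 0 ;;
    esac

    # Firewall table: a line "CIMSLP  true" means port 427 is still open.
    if printf '%s\n' "$fw_out" |
        awk '$1 == "CIMSLP" && $2 == "true" { found = 1 } END { exit !found }'; then
        return 0
    fi

    # chkconfig: a line "slpd  on" means the service returns after a reboot.
    if printf '%s\n' "$chk_out" |
        awk '$1 == "slpd" && $2 == "on" { found = 1 } END { exit !found }'; then
        return 0
    fi

    return 1
}

# Live audit and remediation; only meaningful inside the ESXi shell.
audit_and_disable_slp() {
    status_out=$(/etc/init.d/slpd status 2>&1)
    fw_out=$(esxcli network firewall ruleset list -r CIMSLP 2>&1)
    chk_out=$(chkconfig --list 2>&1)

    if slp_exposed "$status_out" "$fw_out" "$chk_out"; then
        echo "SLP is still exposed on this host; disabling it"
        /etc/init.d/slpd stop                              # stop the daemon now
        esxcli network firewall ruleset set -r CIMSLP -e 0 # close port 427 in the host firewall
        chkconfig slpd off                                 # keep it off across reboots
        # Re-check so the exit status reflects the final state.
        slp_exposed "$(/etc/init.d/slpd status 2>&1)" \
                    "$(esxcli network firewall ruleset list -r CIMSLP 2>&1)" \
                    "$(chkconfig --list 2>&1)" && return 1
        echo "SLP disabled"
    else
        echo "SLP already disabled on this host"
    fi
    return 0
}

# Run the live path only where the ESXi tooling is present; elsewhere the
# script just defines the functions so slp_exposed can be exercised on
# captured output.
if command -v esxcli >/dev/null 2>&1; then
    audit_and_disable_slp
fi
```

Disabling SLP removes the service the attacks reach over port 427, but it is a mitigation, not a fix: the host still needs the ESXi update that addresses the underlying vulnerability, and a host that passes this check but runs an end-of-support build remains exposed to the other flaws VMware refers to.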
ESXiArgs ransomware attacks
VMware’s warning comes after unknown threat actors began encrypting unpatched VMware ESXi servers by exploiting an OpenSLP security flaw (CVE-2021-21974) that unauthenticated attackers can abuse to achieve remote code execution in low-complexity attacks.
Known as ESXiArgs ransomware, this malware has been deployed as part of a massive wave of ongoing attacks that has already hit thousands of vulnerable targets around the world (more than 2,400 servers, according to current Censys data).
Attackers use the malware to encrypt .vmxf, .vmx, .vmdk, .vmsd and .nvram files on compromised ESXi servers and drop ransom notes named “ransom.html” and “How to restore your files.html”.
Michael Gillespie of ID Ransomware analyzed a copy of the ESXiArgs Encryptor and told BleepingComputer that unfortunately it is a secure encryptor with no cryptography bug that would allow decryption.
Security researcher Enes Sonmez shared a guide that may allow VMware administrators affected by these attacks to rebuild their virtual machines and recover data for free.
BleepingComputer also has more technical details of the ESXiArgs ransomware and a dedicated ESXiArgs support topic where victims report their experiences with this attack and can receive help recovering their files.