February 6, 2023

VMware ESXi servers targeted in ransomware wave

Hackers are using an old vulnerability to deploy their malware. Users should patch urgently to protect their systems.

By Ryan Morrison

A global ransomware campaign is targeting VMware ESXi servers by exploiting a vulnerability disclosed two years ago. VMware says it issued a patch for the bug in February 2021, when it was first disclosed, and has urged customers who have not yet applied it to do so.

VMWare says a patch was released for the vulnerability in February 2021 and urged customers to apply the patch as soon as possible (Photo: Pavel Kapysh/Shutterstock)

First reported by Italy’s National Cybersecurity Agency (ACN) on Sunday, the attackers are apparently exploiting the vulnerability on unpatched servers reachable from the internet. Attacks have been detected in Italy, France, Finland and the US so far, with thousands of users thought to have been hit.

ESXi by VMware is a virtualisation product that is part of the vSphere range. It is an enterprise-class bare-metal hypervisor that runs virtual machines by abstracting the CPU, storage and networking resources of the physical host into them.

The attack exploits CVE-2021-21974, a heap-overflow vulnerability in the OpenSLP service bundled with ESXi. It can be exploited remotely by an unauthenticated attacker and is rated as requiring only “low-complexity attacks”. This new campaign has had a significant impact because of the number of machines still unpatched, Italian officials warned.

It is targeting ESXi hypervisors on versions before 7.0 U3i through the OpenSLP service on port 427. Admins who cannot patch immediately should disable the SLP service (slpd) on unpatched hypervisors, which removes the attack vector. It is also recommended that all unpatched machines are scanned for signs of compromise.
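The mitigation described above, as an added example that is not code from the article or from VMware. The three commands are the ones VMware documents for stopping slpd and closing the CIMSLP firewall ruleset; check them against VMware's current knowledge-base guidance and try them on a test host first. The parsing helpers exist so that the result can be verified from the host's own `chkconfig` and `esxcli` listings rather than assumed; the listing formats they expect are constructed from what those tools print and are an assumption. The ESXi shell is BusyBox ash, so the script stays POSIX sh.

```shell
#!/bin/sh
# Added example: disable OpenSLP on an unpatched ESXi host and verify the change.
# Not code from the article or from VMware. Commands are those in VMware's
# public guidance for stopping slpd; verify against the current KB before use.

# Parse `chkconfig --list` output (format assumed: "<service>   on|off" per line)
# and report whether slpd is still set to start at boot.
slpd_boot_state() {
    # $1: text of `chkconfig --list`; prints "on", "off" or "absent"
    printf '%s\n' "$1" | awk '$1 == "slpd" { print $2; found = 1 }
                               END { if (!found) print "absent" }'
}

# Parse `esxcli network firewall ruleset list` output (format assumed:
# "<Name>   <Enabled>" per line) for the CIMSLP ruleset, which covers port 427.
cimslp_enabled() {
    # $1: text of the ruleset listing; prints "true", "false" or "absent"
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { print $2; found = 1 }
                               END { if (!found) print "absent" }'
}

# Combine both observations: the host is only "blocked" when the daemon will
# not start again at boot AND the firewall no longer exposes port 427.
slp_verdict() {
    # $1: chkconfig output, $2: ruleset output; prints "blocked" or "exposed"
    boot=$(slpd_boot_state "$1")
    fw=$(cimslp_enabled "$2")
    if [ "$boot" = "off" ] && [ "$fw" = "false" ]; then
        echo blocked
    else
        echo exposed
    fi
}

# Apply the mitigation on a live ESXi host. Only runs when invoked with --apply,
# so sourcing or testing this file never touches the host.
disable_slp() {
    esxcli system slp stats get                        # show whether SLP is in use first
    /etc/init.d/slpd stop                              # stop the daemon now
    esxcli network firewall ruleset set -r CIMSLP -e 0 # close TCP/UDP 427
    chkconfig slpd off                                 # keep it off across reboots
    # Re-read the host's own state instead of trusting the commands' exit codes.
    slp_verdict "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
}

if [ "${1:-}" = "--apply" ]; then
    disable_slp
fi
```

Run it as `sh disable_slp.sh --apply` from the ESXi shell; the final line should print `blocked`. Anything else means one of the two settings did not take, and port 427 may still be reachable. Disabling SLP is a stopgap: it does not remove the vulnerable code, so the host still needs the patch.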

VMware ESXi ransomware: patch urgently

French cloud provider OVHCloud wrote in a blog post that the malware seems to exhibit specific behaviours including using an OpenSLP vulnerability, targeting virtual machine files and trying to shut down the virtual machines.

“Encryption is using a public key deployed by the malware,” the company wrote. “The encryption process is specifically targeting virtual machines files and the malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected resulting in files remaining locked.”


Nobody has claimed responsibility for the attack, but researchers suspect it is part of a new ransomware family being dubbed ESXiArgs. It encrypts .vmxf, .vmx, .vmdk, .vmsd and .nvram files and creates a .args file alongside each encrypted file. OVHcloud wrote that it doesn’t appear that any data has been stolen.
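A first-pass triage of a datastore based on the two facts above (the five targeted file types and the .args marker written next to each encrypted file), as an added example that is not code from the article, from OVHcloud or from any vendor. It is read-only and written in POSIX sh so it runs in the ESXi BusyBox shell; the datastore path `/vmfs/volumes/datastore1` in the usage note is an assumption, as is the layout of one VM per directory.

```shell
#!/bin/sh
# Added example: read-only triage of a datastore for ESXiArgs-style markers.
# Not code from the article or from any vendor. Relies only on the article's
# description: an encrypted file sits next to a ".args" file, and the targeted
# types are .vmx, .vmxf, .vmdk, .vmsd and .nvram.

# List every .args marker under a datastore, one path per line.
list_args_markers() {
    find "$1" -type f -name '*.args' 2>/dev/null | sort
}

# Derive the file a marker belongs to: "foo.vmdk.args" -> "foo.vmdk".
marker_target() {
    printf '%s\n' "${1%.args}"
}

# Print the VM directories (deduplicated) that hold at least one marker.
# Assumption: each VM lives in its own directory on the datastore.
affected_vm_dirs() {
    list_args_markers "$1" | while IFS= read -r f; do
        dirname "$f"
    done | sort -u
}

# Count markers whose target has one of the extensions the article lists, and
# separately anything else, so an analyst looks at unexpected hits by hand.
summarise_markers() {
    # prints "expected=<n> other=<n>"
    list_args_markers "$1" | awk '
        { t = $0; sub(/\.args$/, "", t) }
        t ~ /\.(vmx|vmxf|vmdk|vmsd|nvram)$/ { expected++; next }
        { other++ }
        END { printf "expected=%d other=%d\n", expected + 0, other + 0 }'
}

# Human-readable report for one datastore path.
triage_report() {
    echo "== affected VM directories under $1 =="
    affected_vm_dirs "$1"
    echo "== marker summary =="
    summarise_markers "$1"
}

if [ -n "${1:-}" ]; then
    triage_report "$1"
fi
```

Usage: `sh esxiargs_triage.sh /vmfs/volumes/datastore1`. A non-zero `other=` count means markers were written next to file types the article does not mention, which is worth examining before any recovery attempt. Work on a snapshot or copy where possible; the script never writes to the datastore, but recovery tooling will.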

According to Bleeping Computer, servers hit by the attack have been left a ransom note demanding payment of just over two bitcoins to a wallet in return for the decryption key. It warns that if the money isn’t sent within three days the price will be raised, files will be published online and customers notified.

Enes Sonmez & Ahmet Aykac from YoreGroup Tech Team wrote a guide to solving the problem and recovering virtual machines. They wrote: “Users are highly recommended to update their systems as soon as possible to reduce the risk of exploitation. To further protect against RCE attacks, it is also important to follow best practices for network security and to keep all systems up-to-date with the latest security patches.”

