Related Malware: Babuk
Verticals Targeted: Multiple
Executive Summary
Industry researchers recently reported on ESXiArgs ransomware, which targeted VMware ESXi servers around the globe. After CISA released a recovery script, the threat actors behind ESXiArgs distributed a new variant of the ransomware.
Key Takeaways
ESXiArgs uses the Sosemanuk algorithm, which points to the potential reuse of leaked Babuk code.
CISA released an ESXiArgs recovery script in an attempt to thwart the ransomware. However, threat actors returned with an updated ESXiArgs variant capable of encrypting more data.
Unlike earlier variants, the latest ESXiArgs variant does not include a Bitcoin address in the ransom note but directs victims to contact the threat actors on Tox for payment information, apparently after the threat actors realized researchers were using the Bitcoin address to track payment activity.
IOCs
PolySwarm has multiple samples of ESXiArgs.
5a9448964178a7ad3e8ac509c06762e418280c864c1d3c2c4230422df2c66722
11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66
You can use the following CLI command to search for all ESXiArgs samples in our portal:
$ polyswarm link list -f ESXiArgs
Don’t have a PolySwarm account? Go here to sign up for a free Community plan or to subscribe.
Contact us at hivemind@polyswarm.io | Check out our blog | Subscribe to our reports