A new variant of ESXiArgs ransomware makes recovery much harder

Pierluigi Paganini February 09, 2023

Experts warn of new ESXiArgs ransomware attacks using an upgraded version that makes it harder to recover VMware ESXi virtual machines.

Experts spotted a new variant of ESXiArgs ransomware targeting VMware ESXi servers, authors have improved the encryption process, making it much harder to recover the encrypted virtual machines.

The new variant was spotted less than a week after the first alert was launched by CERT-FR warning of an ESXi ransomware targeting thousands of VMware servers in a global-scale campaign.

The attack exploits a heap-overflow vulnerability in VMware ESXi and is tracked as CVE-2021-21974 which was patched in February 2021. The vulnerability affects the Service Location Protocol service and allows an attacker to remotely exploit arbitrary code. VMware designated the vulnerability as “critical,” meaning it could be used by attackers to remotely execute any code they wanted on a vulnerable system and take full control of it.

The virtualization giant addressed the CVE-2021-21974 bug in February 2021.

The analysis of the encryption process implemented in the original variant allowed the researchers to discover that the ransomware doesn’t encrypt large chunks of data, allowing them to recover files containing virtual machines’ disks.

The new encryption process implemented in the most recent attacks allows the ransomware to encrypt more data in large files, according to BleepingComputer.

BleepingComputer discovered the new variant after an admin explained in an ESXiArgs support topic that he was not able to recover his virtual machines after the ESXiArgs ransomware infected his VMware ESXi servers.

One of the strangest aspects of this infection is that the servers were compromised even if the administrator had disabled the SLP.

Admins also state that the vmtool.py backdoor that was observed in the initial ransomware attacks, was not present on the systems infected with the new variant.

BleepingComputer analyzed the sample used in recent attacks and noticed that the encrypt.sh script’s ‘size_step’ routine was simply set to 1 in the new version. Cyber security expert Michael Gillespie told BleepingComputer that by setting size_step=1 the encryptor alternates between encrypting 1 MB of data and skipping 1 MB of data.

This change allowed the ransomware to encrypt larger chunks of data in the targeted files, making it impossible to recover them.

The experts also noticed that the ransom note dropped by the ESXiArgs ransomware variant doesn’t include bitcoin addresses. Victims are instructed to contact operators on TOX, the threat actors demand the payment of approximately 2 bitcoins.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, ESXiArgs ransomware)

you might also like

leave a comment