VMware ESXi draws ample attention from threat actors, and many ransomware groups have recently shifted their interest toward vulnerable ESXi servers and the virtual machines they host. A new ransomware named ESXiArgs and the Linux variant of Royal ransomware are the latest threats to join this trend.

ESXiArgs’s campaign

Threat actors are actively exploiting a two-year-old vulnerability, CVE-2021-21974, a heap overflow in the OpenSLP service (TCP port 427) that can lead to remote code execution. It affects ESXi 6.5, 6.7 and 7.0 builds that predate VMware's February 2021 patches, so hosts still running one of those builds with port 427 reachable are the targets.
  • Experts estimate that approximately 3,200 VMware ESXi servers worldwide were compromised in this campaign.
  • CERT-FR and SingCERT issued separate warnings about this massive automated ransomware campaign targeting VMware ESXi hypervisors globally, with a focus on Europe. Both authorities recommended applying the patch as soon as possible; where patching must wait, VMware's documented workaround is to stop the SLP service and disable its firewall ruleset on the host.

Royal Ransomware’s campaign

A new Linux variant of Royal ransomware has been discovered that specifically targets VMware ESXi virtual machines.
  • It is executed from the command line and supports several flags that give the ransomware operators some control over the encryption process.
  • When encrypting files, it appends the .royal_u extension to every encrypted file on the VM.

The latest samples have been detected by 23 out of 62 malware scanning engines on VirusTotal.

More on ESXiArgs ransomware

The encryptor is launched by a shell script (encrypt.sh) that passes it several command line arguments.
  • The arguments are the public RSA key file (public.pem), the file to encrypt, the amount of data to skip between encrypted chunks, the size of each encrypted chunk, and the total file size. Skipping data this way is what lets the encryptor get through large virtual disks quickly; only part of each file is actually encrypted.
  • The script encrypts files with specific extensions (virtual disk and VM configuration files) on the compromised ESXi server and writes a .args file beside each encrypted file holding that file's encryption metadata.
  • After encryption, the script replaces the ESXi host's web page (index.html) and the server's motd file with the ransom note. Finally, it cleans up several Linux configuration files and removes a potential backdoor.
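The artifacts listed above (a .args file beside each encrypted file, the ransom note written into index.html and motd, and the dropped encrypt.sh/public.pem tooling) are what the "full system scan" recommended later in this report should look for. The following POSIX shell triage helper is an added example, not code from the campaign or from Cyware. It takes the directories and files to inspect as parameters so it can be pointed at the real ESXi locations (/vmfs/volumes, /usr/lib/vmware/hostd/docroot/index.html, /etc/motd and /tmp); the note marker string, the assumed binary name `encrypt`, and the fixture it scans are constructed assumptions for the demonstration.

```sh
#!/bin/sh
# Added triage helper for ESXiArgs on-disk indicators. Not the campaign's
# code and not Cyware's; paths and the note marker are parameters.

# esxiargs_scan DATASTORE_DIR INDEX_HTML MOTD_FILE DROP_DIR NOTE_MARKER
# Prints one finding per line plus a total. Returns 0 when nothing was
# found and 1 when at least one indicator is present.
esxiargs_scan() {
    ds="$1"; index="$2"; motd="$3"; drop="$4"; marker="$5"
    hits=0

    # 1. A <file>.args metadata file beside each encrypted file is the
    #    clearest sign; the companion path is the file that was encrypted.
    args_list=$(find "$ds" -type f -name '*.args' 2>/dev/null)
    if [ -n "$args_list" ]; then
        old_ifs=$IFS; IFS='
'
        for a in $args_list; do
            echo "args-file: $a (encrypted companion: ${a%.args})"
            hits=$((hits + 1))
        done
        IFS=$old_ifs
    fi

    # 2. encrypt.sh overwrites the hostd index.html and /etc/motd with the
    #    ransom note; grep -F so the marker is matched literally.
    for note in "$index" "$motd"; do
        if [ -f "$note" ] && grep -qF -- "$marker" "$note"; then
            echo "ransom-note: $note"
            hits=$((hits + 1))
        fi
    done

    # 3. Tooling left in the drop directory. encrypt.sh and public.pem are
    #    named in the report; 'encrypt' is the assumed encryptor file name.
    for tool in encrypt.sh encrypt public.pem; do
        if [ -f "$drop/$tool" ]; then
            echo "dropped-tool: $drop/$tool"
            hits=$((hits + 1))
        fi
    done

    echo "total findings: $hits"
    [ "$hits" -eq 0 ]
}

# Constructed fixture (not a real infection) so the scan can run offline.
# Layout mirrors an ESXi host: datastore, hostd docroot, /etc and /tmp.
esxiargs_fixture() {
    root=$(mktemp -d)
    mkdir -p "$root/vmfs/volumes/ds1/vm1" "$root/docroot" "$root/etc" "$root/tmp"
    printf 'partially encrypted disk\n' > "$root/vmfs/volumes/ds1/vm1/vm1.vmdk"
    printf 'constructed metadata\n'     > "$root/vmfs/volumes/ds1/vm1/vm1.vmdk.args"
    printf 'untouched config\n'         > "$root/vmfs/volumes/ds1/vm1/vm1.vmx"
    printf '<html>How to Restore Your Files</html>\n' > "$root/docroot/index.html"
    printf 'How to Restore Your Files\n' > "$root/etc/motd"
    printf '#!/bin/sh\n' > "$root/tmp/encrypt.sh"
    echo "$root"
}

# Demo: scan the fixture. On a real host substitute the ESXi paths and a
# phrase copied from the note actually observed; the marker below is assumed.
demo_root=$(esxiargs_fixture)
esxiargs_scan "$demo_root/vmfs/volumes" "$demo_root/docroot/index.html" \
    "$demo_root/etc/motd" "$demo_root/tmp" "How to Restore Your Files" \
    || echo "host shows signs of ESXiArgs: isolate and image it before any cleanup"
rm -rf "$demo_root"
```

Run it from the ESXi shell with the real paths; a non-zero exit means at least one indicator was found. The companion path printed for each .args file is the file to preserve for recovery, since only part of it was encrypted, and nothing on the host should be cleaned up until a forensic image exists.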

ESXiArgs connected to Babuk

  • Experts discovered that ESXiArgs is probably based on the leaked Babuk source code, like other ESXi ransomware families such as Cheerscrypt and the Quantum/Dagon group's PrideLocker encryptor.
  • While the ransom notes of Cheerscrypt and ESXiArgs are very similar, the encryption method differs, so it is unclear whether ESXiArgs is a new variant of Cheerscrypt or simply another descendant of the shared Babuk codebase.

Conclusion

Last year, many ransomware groups, including Black Basta, Hive, RedAlert, GwisinLocker, and Cheers, targeted ESXi VMs. Experts expect ransomware gangs, including newcomers such as ESXiArgs, to keep targeting ESXi servers. To stay protected, organizations are advised to patch their appliances promptly, restrict access to management services such as SLP, and perform a full system scan to detect any signs of compromise.
Cyware Publisher