Overview
Recently, the French Computer Emergency Response Team (CERT-FR) has warned about a massive ransomware attack that is targeting unpatched VMware ESXi servers. The attack is primarily targeting ESXi servers in versions before 7.0 U3i through the OpenSLP port (427).
The ransomware encrypts files with .vmxf, .vmx, .vmdk, .vmsd, and .nvram extensions and creates a .args file for each encrypted document with metadata. The attackers claim to have stolen data, but one victim reported that no data was infiltrated in their case. The ransomware leaves ransom notes named “ransom.html” and “How to Restore Your Files.html” on locked systems.
Affected Versions
ESXi versions 7.x prior to ESXi70U1c-17325551
ESXi versions 6.7.x prior to ESXi670–202102401-SG
ESXi versions 6.5.x prior to ESXi650–202102101-SG
Technical Details
The attack is exploiting a two-year-old remote code execution vulnerability known as CVE-2021–21974, which is caused by a heap overflow issue in the OpenSLP service.
When the server is breached, the following files are stored in the /tmp folder:
- encrypt – The encryptor elf executable.
- encrypt.sh – A shell script that acts as the logic for the attack, performing various tasks before executing the encryptor.
- public.pem – A public RSA key used to encrypt the key that encrypts a file.
- Motd – The ransom note in text form that will be copied to /etc/motd so it is shown on login.
- index.html – The ransom note in HTML form that will replace VMware ESXi’s home page.
ESXiArgs is likely based on leaked Babuk source code, which has been previously used by other ESXi ransomware campaigns, such as CheersCrypt and the Quantum/Dagon group’s PrideLocker encryptor. The encryptor is executed by a shell script file that launches it with various command line arguments. Furthermore, this does not appear to be related to the Nevada ransomware, as previously mentioned by OVHcloud.
Key-Notes:
- Data has not been exfiltrated.
- It’s confirmed that this ransomware campaign also installed a Python backdoor for ESXI at ‘/store/packages/vmtools.py’.
- Disabling the SSH does NOT kill the existing SSH session.
Possible Workarounds:
- If you have ‘Thin Provisioned’ — First Solution
- If you have ‘Thick Provisioned’ — Second Solution (Updated on 6th Feb — Only if you are not able to boot virtual servers due to the failure of the operating system.)
- For snapshots or SESPARSE Files
- Recover VMDK files by R-Studio
- Latest Update: “CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac,” explains CISA. “This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.”
ESXiArgs-Recover: A tool to recover from ESXiArgs ransomware
NEW ESXIARGS RANSOMWARE VERSION PREVENTS VMWARE ESXI RECOVERY
Unfortunately, a second ESXiArgs ransomware wave started and includes a modified encryption routine that encrypts more extensive amounts of data, making it much harder, to recover. Even more concerning, the admin who shared the new samples said they had SLP disabled on their server but were still breached again. They also checked for the vmtool.py backdoor seen in previous attacks, and it was not found which becomes even more confusing as to how the server was breached.
BleepingComputer still recommends attempting to recover encrypted ESXi servers using CISA’s recovery script. However, it will likely no longer work if you were infected in the second wave of attacks using the new encryption routine. Hopefully, the backups will only help.
Article: https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/
Forum Support: https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-37
References:
How to recreate a missing VMDK — VMWARE
How ESXi Ransomware works
Recommendations
· Disable the vulnerable Open Service Location Protocol (SLP) service or apply the patch that has been available since February 23, 2021 or restrict access to trusted IP addresses only. (https://kb.vmware.com/s/article/76372)
· Update your ESXi with the latest security patches available.
· Scan the systems that have not been updated for signs of compromise.
· Ensure only necessary services are active and filtered with ACL to trusted IP addresses only.
· Conduct regular backups of important data to ensure that it can be recovered in case of a ransomware attack.
· Implement a robust security solution that includes advanced threat protection and endpoint security to prevent future attacks.
· Provide regular security awareness training to employees to reduce the risk of falling prey to social engineering attacks.
· Monitor the network for unusual activity and respond quickly to any potential security incidents.
Conclusion
The massive ransomware attack targeting unpatched VMware ESXi servers highlights the importance of keeping systems updated and secure. By implementing the steps outlined in this response plan, organizations can reduce the risk of falling victim to similar attacks in the future.
Let’s meet again on yet another interesting content. Happy hunting 🙂
