Early Friday morning, February 3, 2023, Arctic Wolf Labs began monitoring a new ransomware campaign targeting public-facing ESXi servers. The ESXiArgs Ransomware campaign has grown exponentially over the weekend, with approximately 3,000 victims worldwide as of early-Monday morning. Based on reporting from OVH, the threat actors behind this campaign are likely leveraging a nearly two year old heap overflow vulnerability (CVE-2021-21974) in VMware ESXi’s OpenSLP service.  

What We Know about ESXiArgs

• Worldwide targeting with at least 3,000 are victim of the ESXiArgs Ransomware, servers based on reporting from services like Shodan and Censys.
  • The victim count is likely higher due to Internet search engines being a point-in-time scan and devices being taken offline for remediation before a second scan. 
• Based on the ransom note, the campaign is linked to a sole threat actor or group.
  • Each ransom note has an identical Tox ID, which is used to contact the threat actor. A Tox ID is used to add a person to a contact list within Tox Chat, a peer-to-peer (P2P) instant messaging platform. 
• Due to the relatively low ransom demand (2 BTC) and widespread, opportunistic targeting, we assess with moderate confidence this campaign is not tied to ransomware groups known for “Big Game Hunting”.
  • More established ransomware groups typically conduct OSINT on potential victims before conducting an intrusion and set the ransom payment based on perceived value.  
• Security Researcher Michael Gillespie from ID Ransomware has assessed the ransomware variant is likely based on Babuk source code, due to the unique usage of the Sosemanuk algorithm.
  • Babuk source code was leaked in September 2022.  
• The ransomware’s encryption process is targeting virtual machine files with the following extensions: .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem
• Although the ransom note indicates the threat actors exfiltrated data, we have not observed reporting supporting this claim. 

For more information on the ESXiArgs Ransomware go to the Arctic Wolf Blog here