‘Massive’ new ESXiArgs ransomware campaign has compromised thousands of victims

European cybersecurity authorities are warning of “massive active network exploitation” of an almost 2-year-old VMWare ESXi vulnerability by ransomware actors.

The campaign is being named ESXiArgs because the ransomware creates an additional file with the extension .args after encrypting a document. The file contains information about how to decrypt the victim document, researchers say.

Thousands of servers in Europe and North America have already been compromised, according to Censys searches for systems displaying a ransom note. The Austrian CERT warned on Monday that "at least 3,276 systems" had been affected.

As VMWare describes ESXi, the product is a “bare-metal hypervisor ... with direct access to and control of underlying resources” — offering access to critical files and allowing the attackers to disrupt an enormous range of the user's resources.

A patch for the vulnerability, assigned CVE-2021-21974, was issued in February 2021. Government agencies and cybersecurity experts are urging administrators to update unpatched servers immediately. 

The vulnerability was first discovered by Mikhail Klyuchnikov of Positive Technologies, a Russian cybersecurity firm that was sanctioned by the U.S. Department of Commerce on the grounds that it was trafficking in “cyber tools” used to hack organizations.

There is no reason to believe that Klyuchnikov’s disclosure was tied to the sanctions, nor is there any link between Klyuchnikov and the ongoing campaign. VMWare acknowledged and thanked him in its own confirmation of the vulnerability.

A working proof-of-concept exploit has been available for CVE-2021-21974 since May 2021, although it is not known whether this is the same exploit being used in the ESXiArgs campaign.

The vulnerability is being exploited “for the purpose of releasing ransomware,” stated the Italy’s National Cybersecurity Agency (ACN) late on Saturday.

France’s computer emergency response team (CERT-FR) also issued a bulletin about the campaign late on Friday to warn of the ransomware campaign.

CERT-FR’s head, Mathieu Feuillet, tweeted that the team had received “many reports related to this campaign” and stressed it was to be treated “urgently!”

Julien Levrard, the chief information security officer at French cloud computing business OVHCloud, warned that the company's technical teams had been detecting ransomware attacks on a global basis.

Levrard, who said the OVHCloud team initially believed the attack was linked to the Nevada ransomware, said the link was “a mistake” and that it could not make any attributions at the moment.
Finland's Kyberturvallisuuskeskus (Cybersecurity Center) said that the updates “should be installed immediately,” and warned: “Due to the scope of the campaign, servers that have not been updated can be assumed to be hacked.”