• Global ransomware attack targets VMware ESXi servers


    Attackers are exploiting a known vulnerability to target hundreds of servers in France, the USA, Germany, Finland, Italy, and other countries.

    France’s Computer Emergency Response Team (CERT-FR) was among the first to notice the massive ransomware campaign, as hundreds of affected VMware ESXi servers were using French cloud service provider OVHcloud.

    “[…] these campaigns seem to exploit the CVE-2021-21974 vulnerability, which has been patched since February 23, 2021. This vulnerability affects the Service Location Protocol (SLP) service and allows an attacker to execute arbitrary code remotely,” CERT-FR said on February 3.

    According to a ransomware note obtained by Darkfeed, a deep web monitoring feed, the attackers don’t direct victims to a ransomware leak site, as is the custom in the cyber underworld, instead providing the address to an encrypted messaging service…

    …Security researchers scramble for fixes to decrypt the thousands of unresponsive services worldwide. According to cybersecurity expert Matthieu Garin, the attackers only encrypt the config files, allowing defenders to mitigate the damage somewhat…

    • This topic was modified 1 month, 2 weeks ago by Alex5723.
    • #2532278

      This is just not a vulnerability in any real sense.

      A malicious actor residing within the same network segment as ESXi who has access to port 427 may be able to trigger the heap-overflow issue in OpenSLP

      No ESXi host will have a network segment open to the internet. An attacker must have already compromised the internal network of the host = your business is already toast.

      cheers, Paul

      • #2532285

        If the servers are not open to the internet, how can it be that the vulnerability “allows an attacker to execute arbitrary code remotely”?

        So, in hundreds of enterprises all over the world, hundreds of “malicious actors residing within the same network segment” took advantage of CVE-2021-21974 for ransomware attacks?

    • #2532319

      An ESXi host lives on your internal network.
      It hosts virtual machines, which have their own network, potentially with access to the internet.
      To get from the internet to the VM network and then onto the internal network is not possible unless the IT folk are brain-dead morons – which I have to admit to having met. 🙁

      cheers, Paul

    • #2532565

      Cybersecurity and Infrastructure Security Agency CISA

      We released an ESXiArgs ransomware recovery script on GitHub to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks: https://github.com/cisagov/ESXiArgs-Recover #StopRansomware…

      ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.

      CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.
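      The idea the CISA post describes, rebuilding VM metadata from the untouched virtual disks, can be illustrated in a small way: the large `<disk>-flat.vmdk` extent is usually left alone, so a fresh plain-text `<disk>.vmdk` descriptor can be generated from its size. The script below is an added example written for this thread, not the ESXiArgs-Recover tool's own code; the directory layout, the `web01` sample, the 64 MiB size and the geometry assumptions are constructed for the demo.

```python
import os
import tempfile

# Flat-extent VMFS descriptor; 255 heads x 63 sectors is the legacy CHS geometry for the lsilogic adapter (assumption).
TEMPLATE = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"
RW {sectors} VMFS "{flat}"
ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "{cyl}"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "14"
"""

def build_descriptor(flat_name: str, flat_size: int) -> str:
    """Descriptor text for an existing -flat.vmdk of flat_size bytes (512-byte sectors)."""
    sectors, rem = divmod(flat_size, 512)
    if rem:
        raise ValueError("extent is not a whole number of sectors")
    return TEMPLATE.format(sectors=sectors, flat=flat_name, cyl=sectors // (255 * 63))

def rebuild_descriptors(vm_dir: str) -> list:
    """Recreate each <disk>.vmdk whose -flat extent survives but whose descriptor is gone or overwritten."""
    written = []
    for name in sorted(n for n in os.listdir(vm_dir) if n.endswith("-flat.vmdk")):
        desc = os.path.join(vm_dir, name[:-len("-flat.vmdk")] + ".vmdk")
        if os.path.exists(desc):
            with open(desc, "rb") as fh:
                if fh.read(21) == b"# Disk DescriptorFile":
                    continue  # descriptor is still plain text, leave it alone
            os.replace(desc, desc + ".damaged")  # keep the damaged file as evidence
        size = os.path.getsize(os.path.join(vm_dir, name))
        with open(desc, "w") as fh:
            fh.write(build_descriptor(name, size))
        written.append(desc)
    return written

def demo() -> dict:
    d = tempfile.mkdtemp()  # constructed sample VM folder: sparse 64 MiB extent + overwritten descriptor
    with open(os.path.join(d, "web01-flat.vmdk"), "wb") as fh:
        fh.truncate(64 * 1024 * 1024)  # sparse, so it costs no real disk space
    with open(os.path.join(d, "web01.vmdk"), "wb") as fh:
        fh.write(b"\x8f\x11 bytes left behind by the encryptor")
    rebuilt = len(rebuild_descriptors(d))
    extent = open(os.path.join(d, "web01.vmdk")).read().splitlines()[6]
    return {"rebuilt": rebuilt, "extent": extent, "backup": os.path.exists(os.path.join(d, "web01.vmdk.damaged"))}
```

      Run it only against a copy of the datastore folder; the VM still needs a fresh `.vmx` and re-registration afterwards, which this does not do.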


    • #2534933

      New ESXiArgs encryption routine outmaneuvers recovery methods

      In what seems to be a typical arms race where one side responds to counter the progress the other side has made, the ransomware group behind the massive attack on ESXi Virtual Machines (VMs) has come up with a new variant that can no longer be decrypted with the recovery script released by the Cybersecurity & Infrastructure Security Agency (CISA)…

    • #2535038


      [Moderator edit] changed link to point to the original source, Censys. Please try to post original data, not piggyback sites that are doing it for the clicks.
      Also removed the quote as it is duplication with no benefit.

      * _ the metaverse is poisonous _ *