Ransomware Targets ESXi Servers with CVE-2021-21974

The French National Computer Emergency Response Team (CERT) published a security advisory on the ESXiArgs ransomware on February 3, 2023.

The Service Location Protocol (SLP) used by different versions of Vmware ESXI are vulnerable to a known CVE-2021-21974. The CVE enables remote code execution by an attacker on port 427 used by OpenSLP.

After execution of the ransomware, the hypervisor’s web administration interface and its command-line interface, displayed the same message : “How to restore your files. Security Alert!!! We hacked your company successfully.“

OVH Observations

The cloud services provider OVHcloud released their observations :

• The compromission vector is confirmed to use a OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs actually show the user dcui as involved in the compromission process.
• Encryption is using a public key deployed by the malware in /tmp/public.pem
• The encryption process is specifically targeting virtual machines files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”,”*.vmem”)
• The malware tries to shutdown virtual machines by killing the VMX process to unlock the files. This function is not systematically working as expected resulting in files remaining locked.
• The malware creates argsfile to store arguments passed to the encrypt binary (number of MB to skip, number of MB in encryption block, file size)
• No data exfiltration occurred.

Affected Versions of ESXi

ESXi versions 7.x prior to ESXi70U1c-17325551
ESXi versions 6.7.x prior to ESXi670-202102401-SG
ESXi versions 6.5.x prior to ESXi650-202102101-SG

CVE-2021-21974

CVE-2021-21974 refers to a heap overflow vulnerability found in VMware ESXi. The source of the vulnerability is an overflow in the OpenSLP service within ESXi. An attacker can take advantage of this vulnerability by sending a harmful packet to the impacted system, causing the overflow and giving the attacker the ability to run any code they desire.

Several files appear to have been dropped on the ESXi machine after exploitation, including a shell script and an ELF executable file.

Lupovis IP Block List

At Lupovis we constantly monitor internet noise and mass scanners and vulnerabilities being exploited. Within hours of the first infections, and due to the scale of the ransomware group operations, we started reporting the IPs of the scanners used.

We then kept updating the list of IPs used by the scanners as the hours progressed. If you have been unable to patch or close the OpenSLP port (427) between the internet and the servers with ESXI, yet, we strongly recommend you block the following IP addresses

• 104.152.52.55
• 43.130.10.173
• 178.62.44.152
• 46.17.96.41
• 146.0.75.2
• 193.163.125.138
• 152.89.196.211
• 104.152.52.55
• 43.130.10.173
• 193.37.255.114
• 80.82.77.139
• 80.82.77.33
• 71.6.135.131
• 185.142.236.35
• 185.142.236.36
• 146.0.75.2
• 46.17.96.41
• 178.62.44.152
• 43.130.10.173
• 104.152.52.55
• 119.42.54.188
• 185.142.236.34
• 195.144.21.56
• 71.6.167.142
• 193.163.125.138
• 71.6.199.23
• 185.165.190.17
• 93.174.95.106
• 185.165.190.34
• 193.37.255.114
• 89.248.167.131
• 152.32.219.120
• 170.106.115.55
• 172.105.73.148
• 192.241.196.48
• 192.241.200.36
• 198.199.103.238
• 91.134.185.83
• 91.134.185.88
• 92.154.95.236
• 103.75.201.219
• 104.152.52.131
• 192.241.202.27
• 192.241.223.35
• 192.241.239.28
• 151.80.91.208
• 151.80.91.209
• 151.80.91.211
• 151.80.91.213
• 151.80.91.214
• 151.80.91.215
• 151.80.91.217
• 104.152.52.233
• 106.75.190.21
• 106.75.64.29
• 107.155.50.142
• 107.170.232.9
• 151.80.91.218
• 151.80.91.219
• 151.80.91.222
• 151.80.91.223
• 162.243.141.11
• 162.62.191.220
• 162.62.33.200
• 164.92.211.90
• 170.106.115.253
• 193.163.125.175
• 193.163.125.207
• 193.163.125.231
• 193.163.125.248
• 176.58.124.251
• 192.241.214.26
• 64.62.197.122
• 64.62.197.77
• 193.163.125.123
• 193.163.125.138
• 193.163.125.5
• 193.163.125.66
• 152.89.196.211
• 5.39.220.78
• 64.62.197.137
• 64.62.197.2
• 216.218.206.66
• 64.62.197.197
• 216.218.206.67
• 216.218.206.68
• 43.131.94.145
• 89.248.163.200
• 91.134.185.82
• 91.134.185.91
• 216.218.206.69
• 184.105.139.67
• 65.49.20.66
• 184.105.247.196
• 184.105.247.252
• 184.105.247.254
• 74.82.47.3
• 65.49.20.67
• 65.49.20.68
• 184.105.139.68
• 184.105.139.69
• 184.105.139.70
• 65.49.20.69
• 184.105.247.194
• 184.105.247.195
• 74.82.47.5
• 64.62.197.47
• 64.62.197.167
• 64.62.197.227
• 64.62.197.32
• 64.62.197.62
• 64.62.197.152
• 64.62.197.182
• 64.62.197.107
• 185.181.102.18
• 109.237.97.141
• 109.237.97.124
• 185.225.73.249
• 164.70.71.140
• 64.62.197.212
• 64.62.197.17
• 64.62.197.92

Most of these IPs were on our, block list for weeks / months and are known offenders. You can get access to our blocklist API, here.

VMware also provided patches by the start of 2021; it is therefore advised to update ESXi servers to the most recent version as soon as possible.

How to decrypt the ESXiArgs ransomware ?

If you have been infected, there have been reports of decryption of the disks without paying the ransom.