ESXiArgs ransomware and how HostZealot is dealing with it

Author: HostZealot Team

Even as the overall number of cyber-attacks fluctuates, the attacks themselves keep getting more sophisticated. Criminals also keep returning to old vulnerabilities, counting on the fact that many administrators neglect security updates. In this article we look at ESXiArgs, ransomware that breaks into VMware ESXi hosts through OpenSLP vulnerabilities that were disclosed years before the attack (in 2019 and 2021).

Not having been hit yet does not mean you are safe. It is better to protect your virtual machines in advance with the patches documented in the HostZealot knowledge base, which gives step-by-step instructions for the different VMware ESXi versions. All information is available at: 

ESXiArgs technical details

ESXiArgs is ransomware that targets the VMware ESXi hypervisor, one of the most widely used virtualization platforms. Its goal is to make the host unusable and demand a ransom for recovery. It encrypts files on the host's datastores (mostly VMware virtual machine file types, such as the VM configuration and virtual disk files) and replaces the «motd» file (shown at shell login) and the «index.html» of the ESXi web interface with its ransom note.

The ransom note demands roughly 2 bitcoins (the amount varies from victim to victim) in exchange for a key to decrypt the files. The version used in the first wave of the attack had a weakness in its encryption routine: files smaller than 128 MB were encrypted in full, but larger files, including the big flat virtual disk files, were skipped or only partially encrypted. That made it possible to write the ESXiArgs-Recover script (published by CISA), which rebuilds virtual machines from the disk data the early version left untouched.

In the second wave of the attack the criminals changed the encryptor so that a much larger share of every big file is encrypted, and the key material is protected with a public key whose private half only the attackers hold. Without that private key, recovering the data is practically impossible, and the recovery script no longer helps.

Telling the two versions apart is simple: look at the ransom note. If it contains a Bitcoin wallet address, it is most likely the early version of ESXiArgs and your data may be recoverable. In the later version the criminals hid the wallet address and instead ask the victim to contact them to obtain it.
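The script below is an added example written for this article (not HostZealot's code and not the malware's) showing how an administrator can triage an ESXi host for the indicators just described: a ".args" metadata file next to each encrypted VM file, and the ransom note in motd and in the hostd index.html, classified as early or late wave by whether the note carries a Bitcoin address. The following are assumptions, marked as such in the code: the phrase used as the note marker, the index.html path, and that flat virtual disks without a ".args" sibling are the data the first-wave encryptor left intact. It is POSIX sh so it runs in the BusyBox shell of ESXi; the demo data set is constructed.

```shell
#!/bin/sh
# Added triage example for an ESXi host suspected of ESXiArgs infection.
# NOT HostZealot's code and NOT the malware's. Assumed indicators (from public
# write-ups; adjust the parameters if yours differ): a "<file>.args" metadata
# file beside each encrypted VM file, and a ransom note dropped into /etc/motd
# and the hostd UI index.html. NOTE_MARKER is an assumed phrase from the note.
# POSIX sh only, so it runs in the BusyBox shell of ESXi.

NOTE_MARKER="${NOTE_MARKER:-How to Restore Your Files}"   # assumption
# Bitcoin address (legacy base58 or bech32) bounded by non-alphanumerics
BTC_RE='(^|[^[:alnum:]])(bc1[ac-hj-np-z02-9]{25,87}|[13][a-km-zA-HJ-NP-Z1-9]{25,34})([^[:alnum:]]|$)'

# count_args_files ROOT -> number of *.args files under ROOT
count_args_files() {
    find "$1" -type f -name '*.args' 2>/dev/null | wc -l | tr -d ' '
}

# list_hit_dirs ROOT -> VM directories holding at least one *.args file
list_hit_dirs() {
    find "$1" -type f -name '*.args' 2>/dev/null | sed 's|/[^/]*$||' | sort -u
}

# list_intact_flat_disks ROOT -> "-flat.vmdk" files in hit directories that have
# no .args sibling, i.e. disk data the first-wave encryptor left alone
# (assumption: this is what ESXiArgs-Recover style rebuilding relies on)
list_intact_flat_disks() {
    list_hit_dirs "$1" | while IFS= read -r d; do
        for f in "$d"/*-flat.vmdk; do
            if [ -f "$f" ] && [ ! -f "$f.args" ]; then echo "$f"; fi
        done
    done
}

# classify_note FILE -> none | early | late
#   none : no ransom marker in FILE (or FILE missing)
#   early: marker plus a Bitcoin address (first wave, partially recoverable)
#   late : marker but no address (second wave: "contact us" for the wallet)
classify_note() {
    if [ ! -f "$1" ] || ! grep -qF -- "$NOTE_MARKER" "$1"; then
        echo none
    elif grep -Eq "$BTC_RE" "$1"; then
        echo early
    else
        echo late
    fi
}

# triage ROOT MOTD INDEX -> one summary line; exit 1 when any indicator is present
triage() {
    n=$(count_args_files "$1"); m=$(classify_note "$2"); i=$(classify_note "$3")
    echo "args_files=$n motd=$m index_html=$i"
    [ "$n" -eq 0 ] && [ "$m" = none ] && [ "$i" = none ]
}

# make_sample DIR -> constructed fake datastore and note files for a dry run
make_sample() {
    mkdir -p "$1/ds1/web01" "$1/ds1/db01" "$1/etc"
    : > "$1/ds1/web01/web01.vmx";   : > "$1/ds1/web01/web01.vmx.args"
    : > "$1/ds1/web01/web01.vmdk";  : > "$1/ds1/web01/web01.vmdk.args"
    : > "$1/ds1/web01/web01-flat.vmdk"   # large flat disk, no .args: untouched
    : > "$1/ds1/db01/db01.vmdk"          # VM that was not hit at all
    printf 'Security Alert!!!\n%s\nSend 2.0 BTC to 1FAKEaddr7Qq2ZxYs4Bn9cVtGpRmHkJe3\n' \
        "$NOTE_MARKER" > "$1/etc/motd"   # constructed note; not a real wallet
    printf '<html>Welcome to ESXi</html>\n' > "$1/etc/index.html"
}

# Dry run: sh esxiargs_triage.sh --demo ; on a real host: sh esxiargs_triage.sh --live
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); make_sample "$tmp"
    triage "$tmp/ds1" "$tmp/etc/motd" "$tmp/etc/index.html"
    list_intact_flat_disks "$tmp/ds1"
    rm -rf "$tmp"
elif [ "${1:-}" = "--live" ]; then
    # index.html path is an assumption about the hostd UI location
    triage /vmfs/volumes /etc/motd /usr/lib/vmware/hostd/docroot/ui/index.html
fi
```

On a live host, run it read-only first and record the output; do not delete or rename anything until the affected directories and any intact flat disks have been copied elsewhere, since they are both your evidence and your best chance of recovery.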

Who is affected

The most striking part of the story is that the intrusions use old vulnerabilities in OpenSLP, among them CVE-2019-5544 (disclosed in 2019) and CVE-2021-21974 (disclosed in 2021). OpenSLP lets computers and other devices discover services on the local network without prior configuration, and on ESXi it listens on port 427. In the first days of the attack VMware pointed out that OpenSLP has been disabled by default since 2021, so the servers being compromised are those running old software with the service still enabled and reachable.

The attackers mainly hit servers running ESXi 6.0 through 6.7. Some vSphere 7.0 installations whose owners have not yet applied the latest patches can be affected too. As it turned out, many organizations, including hospitals, schools, universities and large businesses, had neglected software upgrades and additional protection against cyber-attacks.
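As an added example (not HostZealot's or VMware's code), here is a small script that decides whether a host still exposes the OpenSLP service discussed above and applies VMware's published workaround: stop slpd, disable the CIMSLP firewall ruleset, and keep slpd from starting at boot. The parsers take command output as text so they can be exercised offline; the two-column layout of the constructed esxcli and chkconfig sample output is an assumption about the real tools' format, and the three remediation commands are only meaningful on a live ESXi host.

```shell
#!/bin/sh
# Added example (not HostZealot's or VMware's code): decide whether an ESXi host
# still exposes OpenSLP (port 427), the service abused via CVE-2021-21974, and
# apply VMware's published workaround (stop slpd, disable the CIMSLP firewall
# ruleset, disable slpd at boot). The parsers take command output as text so
# they can be tested offline on the constructed samples below; the two-column
# layout of that sample output is an assumption about the real tools' format.

# cimslp_enabled RULESET_LIST_TEXT -> 0 when the CIMSLP ruleset is enabled
cimslp_enabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" && $2 == "true" { hit = 1 } END { exit !hit }'
}

# slpd_on CHKCONFIG_TEXT -> 0 when slpd is configured to start at boot
slpd_on() {
    printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "on" { hit = 1 } END { exit !hit }'
}

# slp_exposure RULESET_LIST_TEXT CHKCONFIG_TEXT -> prints exposed | hardened
# Either an open firewall ruleset or an enabled daemon counts as exposed.
slp_exposure() {
    if cimslp_enabled "$1" || slpd_on "$2"; then echo exposed; else echo hardened; fi
}

# harden_slp -> VMware's OpenSLP workaround; only meaningful on a live ESXi host
harden_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# audit_live_host [--fix] -> read the real tool output and, with --fix, remediate
audit_live_host() {
    command -v esxcli >/dev/null 2>&1 || { echo "esxcli not found: not an ESXi host" >&2; return 2; }
    state=$(slp_exposure "$(esxcli network firewall ruleset list)" "$(chkconfig --list slpd)")
    echo "openslp: $state"
    if [ "$state" = exposed ] && [ "${1:-}" = "--fix" ]; then harden_slp; fi
}

# Constructed sample output standing in for an unpatched, default-config 6.x host
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
vSphereClient        true'
SAMPLE_CHKCONFIG='slpd                    on'
# ...and the same host after harden_slp
SAMPLE_RULESETS_OFF='Name     Enabled
-------  -------
CIMSLP   false'
SAMPLE_CHKCONFIG_OFF='slpd                    off'

# Dry run: sh slp_check.sh --demo ; on a real host: sh slp_check.sh --live [--fix]
if [ "${1:-}" = "--demo" ]; then
    echo "sample host: $(slp_exposure "$SAMPLE_RULESETS" "$SAMPLE_CHKCONFIG")"
    echo "after fix:   $(slp_exposure "$SAMPLE_RULESETS_OFF" "$SAMPLE_CHKCONFIG_OFF")"
elif [ "${1:-}" = "--live" ]; then
    audit_live_host "${2:-}"
fi
```

Disabling the service is a workaround, not a substitute for the patch: a host that never upgrades stays vulnerable to every later ESXi bug as well, so use the check to buy time while you schedule the update.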

The most significant non-Windows Ransomware Attack ever recorded

Ransomware usually hits ordinary Windows users who clicked a suspicious link or installed compromised software. With ESXiArgs we are dealing with a large-scale ransomware campaign against the VMware ESXi platform itself, with no user interaction required.

Because the hypervisor runs every virtual machine on the host, one compromised ESXi server can take down not just a few files or computers but a large part of an organization's environment. ESXiArgs has hit nearly 4,000 organizations worldwide, and estimates put the number of exposed servers whose files could be encrypted through CVE-2021-21974 at around 18,500.

What makes this so painful is that the ransomware hits the virtualization layer: every virtual machine on the host is encrypted at once, so this is not a matter of restoring a few files or swapping a piece of hardware. To get running again, technicians have to clean or rebuild the ESXi hosts and then restore every virtual machine, which takes far more time and resources and costs the company far more.

If you think paying the criminals is the way to get your files back, think again. Even when a decryptor arrives, it can be very slow; on a host with many virtual machines, decryption alone can take weeks. There are also many known cases of criminals taking the ransom and never delivering a working key, leaving the organization out of time and money with nothing to show for it.

The Threat to Disclosure of Confidential Data

One of the most serious risks of ransomware attacks such as ESXiArgs is the disclosure or leakage of sensitive data. Beyond blocking access to valuable data such as financial statements and contracts, ransomware groups increasingly steal the data first and then threaten to publish it or sell it on darknet markets. Many organizations depend on the confidentiality of their data for their competitive edge, and a leak can have serious financial and reputational consequences.

In recent years we have seen a sharp increase in ransomware attacks aimed at valuable data. Attackers know what sensitive information is worth and that organizations will try to prevent its disclosure, so they often threaten to publish the data unless the ransom is paid, increasing the pressure on the victim to meet their demands.

The threat of data disclosure is particularly acute in industries such as healthcare and finance, where patient and customer privacy is paramount. In these industries, data breaches can lead to regulatory fines, loss of customers, and irreparable reputational damage. Even in other industries, disclosure of sensitive data can lead to a loss of trust among customers and partners, resulting in significant financial loss.

In addition, the consequences of a data breach can be long-lasting: affected organizations often face lawsuits, regulatory investigations, and reputational damage that can take years to repair. 

How Ransomware Affects Large Companies

Large companies are attractive and often vulnerable targets because of their size and complexity. Their extensive IT estates are hard to inventory, protect and monitor, which makes it easier for attackers to find an exposed or unpatched system and use it to reach sensitive data.

The attacks can have severe consequences for large companies, such as:

  1. Loss of revenue and reputation due to business process downtime and unavailability of services or products to customers and partners;
  2. Loss and leakage of sensitive or confidential data, such as personal customer data, financial information or intellectual property, which can result in fines, lawsuits, or regulatory penalties;
  3. Loss of trust and loyalty of customers, partners, and employees due to security breaches and insufficient protection of their data;
  4. Loss of competitiveness and ability to innovate due to damage or loss of valuable data or resources;
  5. Loss of control over their infrastructure and data due to encryption or file deletion by attackers.

The financial impact of ransomware attacks on large companies can be significant. In addition to any ransom paid, these organizations face lost productivity and the cost of recovery and remediation.

Given the severity of the threat, large companies must take a proactive approach to ransomware prevention. This includes regular vulnerability assessments, network monitoring, and employee training so that staff are aware of the risks and know how not to fall victim to an attack.

How to protect your server from the next Ransomware attack

After ESXiArgs and similar incidents, protecting servers and other critical infrastructure matters more than ever. Here are some tips to help you minimize the risk of a ransomware attack and limit the damage should one occur.

Keep your software up to date

Keeping software up to date is the single most effective way to protect your server. That covers operating systems and hypervisors, server applications, and everything else running on the servers. Vendors regularly release patches that close security vulnerabilities, so track those updates and apply them promptly. Where a fix cannot be applied immediately, apply the vendor's workaround, such as disabling a vulnerable service you do not need, and keep management interfaces off the public internet.

Implement a firm password policy

Weak passwords are among the most common ways attackers get into servers and other systems. To protect against ransomware attacks, an organization should implement a firm password policy: long, unique passwords, a ban on reused or known-breached passwords, and multi-factor authentication wherever it is available, especially on hypervisor and other management consoles.

Train your employees

Educate users about the risks and about safe behaviour online. This includes training to recognize phishing, to avoid downloading or installing software from untrusted sources, and to report suspicious activity to the IT or security team. Many intrusions start with an employee clicking a malicious link, opening an attachment from an unknown sender, or installing unlicensed software, so it is essential to explain the risks of these activities.

Use restricted access to different data types

If your organization has many employees with different responsibilities, take the time to restrict access to sensitive data to the users who actually need it (least privilege). The fewer accounts that can reach a given set of files, the fewer paths an attacker has to them, and the less damage a single compromised account can do. Access controls do not make a remote compromise impossible, but they limit how far an intrusion can spread.

Don't forget about backups

Regular backups are critical to limiting the damage of a ransomware attack. ESXiArgs is a case in point: copies kept on the same ESXi datastores are encrypted along with the virtual machines, so a backup only helps if it is stored off the host, offline or on immutable storage, and is tested by actually restoring from it. With current backups out of the attackers' reach, a compromised server is an inconvenience rather than a catastrophic data loss.

Develop a comprehensive incident response plan

Despite your best efforts, your organization may still fall victim to a ransomware attack, so a comprehensive incident response plan is critical. It should describe the steps to contain the damage and restore operations quickly: isolating infected hosts, preserving evidence, restoring data from backups, and communicating with stakeholders and customers.

ESXiArgs is dangerous malware that can cause significant damage to any organization it hits. Take proactive measures to secure your systems, patch promptly, and educate yourself and your staff to recognize and avoid such threats. Back up your data regularly and keep those backups out of the attackers' reach so that you can restore quickly after an attack.
