Updated February 10, 2023
All we hear all day long at work is how awful ransomware is, and how ransomware ruins your life – ransomware, ransomware, ransomware! It’s a stretch to make Brady Bunch jokes in 2023, but I really do feel like Jan re: ransomware. I’m so utterly and completely tired of talking about it and dealing with it, but for some reason, the people making money on it don’t care. Diatribe over, let’s get into it again and talk about VMware ESXi vulnerabilities that are being targeted by – you guessed it – ransomware.
The one saving grace that a lot of people run into when they get hit by ransomware is that the actors miss SOMETHING. Whether that's the backup server, the core ERP server, the DR environment, or the SAN snapshots, it's hard to get everything when you have to go from server to server by hand. What if, however, you could run the ransomware on one system and hit essentially the whole environment? That makes it a lot easier. That's what has been happening with a recent string of ESXi-based ransomware campaigns.
Affecting VMware ESXi versions 6.0, 6.5, 6.7, and 7.0, the ESXiArgs ransomware encrypts at the hypervisor level rather than inside each guest: it attacks the VM files on the ESXi datastores, so every VM stored on a compromised host is hit at once, and a fleet of hosts exposed with the same unpatched flaw is hit the same way. That means instead of encrypting 10, 50, or 10,000 VMs one by one through self-propagating worms or manual effort, the malicious actor can run the encryption in one place and wreck thousands of VMs, which is so much more efficient for them and so awful for us.
The good news is that ESXi is, out of the box, a well locked down system, as long as you keep it patched, don't expose it to the internet, and keep your credentials safe. In fact, the recent spell of ransomware attacks is exploiting VMware ESXi vulnerabilities that have had patches available since February 2021, two years ago.
VMware patching isn't something a lot of people think about anymore. Once VMware got all the core features the average shop needs in a hypervisor and it got stable, people became complacent. Since ESXi underpins the whole environment, people also became leery of doing an upgrade that could impact EVERYTHING, and questioned whether they would notice any benefit from it. VMware didn't do themselves any favors with the utterly horrible launch of vSphere 7, which took over a year to become stable enough to recommend an upgrade to. However, those dark times are finally past us.
vSphere 7 is now a very stable platform with a lot of bug fixes, and a current 7.x build includes the fix for the flaw this ransomware exploits. Note the word current: the 7.0 release itself is in the affected list above, so the patch level matters, not just the major version. Further, only vSphere 7 and 8 are supported by VMware right now, which is even more reason to move off of 6.x. Jumping all the way to 8 may be a bit premature, as not every ecosystem product is certified as compatible yet; for example, most mainstream backup software does not yet support it. But 7 is mature and stable, so getting there, and staying patched once you are there, is definitely worth it if for no other reason than to take away an 'easy button' for malicious actors.
The Cybersecurity and Infrastructure Security Agency (CISA) has provided a recovery script for businesses affected by the ESXiArgs ransomware.
CISA advises enterprises to study the script to see whether it is appropriate for their environment before implementing it.
This script does not try to decrypt the encrypted configuration files and it does not delete them; it generates new ones alongside them, rebuilding the virtual disk descriptors from the VMs' intact flat disk files so the VMs can be registered and booted again. While CISA attempts to make sure scripts like this one are secure and useful, this script is provided without any warranties, either implicit or explicit.
Use this script only after you have carefully considered how it can impact your system. CISA disclaims responsibility for any harm this script may cause.
Businesses can access the recovery script in CISA's ESXiArgs-Recover repository on GitHub (https://github.com/cisagov/ESXiArgs-Recover).
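To make the descriptor-rebuilding approach concrete, here is an added example written for this page; it is not CISA's ESXiArgs-Recover script and not VMware code. It assumes each `*-flat.vmdk` extent is untouched and a whole number of 512-byte sectors, that the disks are thick VMFS disks on an LSI Logic controller (the geometry values in the template), and that the caller knows the virtual hardware version (the default of "14" is a placeholder). The `.encrypted` suffix it uses to set an unreadable descriptor aside is my own convention, and the sample VM folder in `demo()` is constructed inline, not taken from a real incident.

```python
"""Rebuild VMDK descriptor files from intact *-flat.vmdk extents.

Added example for this page, not CISA's ESXiArgs-Recover script. Assumptions:
  * each *-flat.vmdk is untouched and its size is a multiple of 512 bytes
  * disks are thick, on VMFS, attached to an LSI Logic controller
  * the virtual hardware version is supplied by the caller (default is a placeholder)
Snapshot/delta disks are not handled; a VM with snapshots needs its chain rebuilt too.
"""
import os

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 255, 63   # geometry ESXi writes for lsilogic disks
MAGIC = b"# Disk DescriptorFile"     # first line of every VMDK descriptor

DESCRIPTOR_TEMPLATE = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW {sectors} VMFS "{flat_name}"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "{cylinders}"
ddb.geometry.heads = "{heads}"
ddb.geometry.sectors = "{spt}"
ddb.virtualHWVersion = "{hw_version}"
"""


def extent_sectors(flat_path):
    """Size of the flat extent in 512-byte sectors; refuse anything that is not whole sectors."""
    size = os.path.getsize(flat_path)
    if size == 0 or size % SECTOR:
        raise ValueError("%s: %d bytes is not a whole number of sectors" % (flat_path, size))
    return size // SECTOR


def build_descriptor(flat_name, sectors, hw_version="14"):
    """Return the text of a descriptor pointing at flat_name with the given extent size."""
    return DESCRIPTOR_TEMPLATE.format(
        sectors=sectors,
        flat_name=flat_name,
        cylinders=sectors // (HEADS * SECTORS_PER_TRACK),
        heads=HEADS,
        spt=SECTORS_PER_TRACK,
        hw_version=hw_version,
    )


def has_valid_descriptor(path):
    """True when path exists and still starts with the descriptor magic line."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MAGIC)) == MAGIC
    except OSError:
        return False


def rebuild_vm_dir(vm_dir, hw_version="14"):
    """Write a fresh descriptor for every *-flat.vmdk whose descriptor is missing or no
    longer parses. An unreadable descriptor is renamed with a .encrypted suffix (my own
    convention) rather than overwritten, so nothing is destroyed. Returns paths written."""
    written = []
    for name in sorted(os.listdir(vm_dir)):
        if not name.endswith("-flat.vmdk"):
            continue
        descriptor = os.path.join(vm_dir, name[:-len("-flat.vmdk")] + ".vmdk")
        if has_valid_descriptor(descriptor):
            continue                      # intact descriptor: leave it alone
        if os.path.exists(descriptor):
            os.rename(descriptor, descriptor + ".encrypted")
        sectors = extent_sectors(os.path.join(vm_dir, name))
        with open(descriptor, "w") as fh:
            fh.write(build_descriptor(name, sectors, hw_version))
        written.append(descriptor)
    return written


def demo():
    """Constructed sample: one VM folder with a sparse 16 MiB flat extent and a trashed descriptor."""
    import tempfile
    vm_dir = tempfile.mkdtemp(prefix="vm-")
    with open(os.path.join(vm_dir, "web01-flat.vmdk"), "wb") as fh:
        fh.truncate(16 * 1024 * 1024)     # sparse file; no need to write real disk data
    with open(os.path.join(vm_dir, "web01.vmdk"), "wb") as fh:
        fh.write(b"\x00\x11garbage-ciphertext")   # stands in for an encrypted descriptor
    return rebuild_vm_dir(vm_dir)


if __name__ == "__main__":
    for path in demo():
        print("rebuilt", path)
        print(open(path).read())
```

On a real host you would point `rebuild_vm_dir` at each VM folder under `/vmfs/volumes/<datastore>/`, then check the result with `vmkfstools -e <disk>.vmdk` before re-registering the VM; a descriptor whose extent size does not match the flat file is worse than no descriptor, which is why `extent_sectors` refuses odd sizes instead of rounding. The `.vmx` and any snapshot chain still have to be dealt with separately, which is part of why CISA tells you to read its script before running it.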
If you are actively experiencing an attack, visit our Ransomware Remediation page and contact us immediately.