Hackers Unleashed ESXiArgs Ransomware on VMware ESXi

The VMware ransomware ESXiArgs is spreading like wildfire through the internet right now, infecting thousands of servers across the globe. CISA has come out with a script to help try to fix it, but the cybercriminals have already pivoted and changed their ransomware, and that script is no longer working.

A massive ransomware campaign is going on against VMware servers. VMware servers are virtualized servers; the two big hypervisors out there today are Hyper-V and VMware, and that's what most people use. VMware has been under attack for a very long time. They've released many patches over the last several years to take care of various vulnerabilities discovered along the way in their product. A lot of companies use VMware, and a big problem, just like we see with Microsoft Exchange servers, is that many of these servers are accessible via the internet. How, or whether, a company secures those servers at all determines how quickly or how easily a hacker can get into them.

Today, a recent wave of attacks has hit companies' VMware servers because of several vulnerabilities that exist in VMware. Cybercriminals were able to build tools that exploit these vulnerabilities very quickly, and the campaign is spreading like wildfire. We have a bunch of things going on right now that I want to update everybody on.

We already know that this ransomware, known as ESXiArgs, has hit almost 4,000 servers at this point. It's probably higher than that; that's just what we know about and what we can detect. A lot of companies affected by this will be heard about down the road that we don't really know about now. We're talking about 3,800 servers being impacted right now, so I'm sure somebody who sees this video has one of the servers being impacted by this event.

We need to point out that everybody thought CISA, the US government's cybersecurity agency, had come up with a script to fix this problem. I'm going to get into that in a little bit, but we already see the hackers behind this pivoting, so that script is no longer effective, and all of this is unfolding right in front of our eyes in less than 48 hours. We went from everybody knowing the attack was underway and companies being ransomwared, to CISA coming out with a tool that was supposed to, or at least try to, decrypt some of the encrypted servers running on these VMware systems. Then a few hours later, maybe less than 12 hours later, the hackers pivoted again and changed their source code so that the CISA script no longer works or decrypts the servers the way it had been doing.

So just like I talk about all the time on this channel, cybersecurity is very much a cat-and-mouse game at this point. Cybersecurity researchers at the FBI and CISA look at what these cybercriminals are doing. Once they figure it out, they can build things like decryption tools, as we saw here; then the cybercriminals look at what security researchers and law enforcement are doing, and they pivot. So here we have a pivot of an attack as it is all transpiring, and while it is spreading like wildfire, the attackers were able to pivot and quickly continue their attacks on companies.

A couple of things I'm going to point out about the CISA guidance. As I mentioned, they provided a script to try to help fix this. They also go into what you need to do to mitigate this vulnerability in your VMware system. I will link to that in the description below if you have not seen it already, and that's what you'll follow to secure your servers if they're not already encrypted. And then, once you get them back online, you want to follow these recommendations.

But as we're also seeing, a BleepingComputer article that I'm also going to link to in the description points out that the new ESXiArgs ransomware version prevents VMware ESXi recovery. It goes on to state that the new ESXiArgs ransomware attacks are now encrypting larger amounts of data, making it much harder, if not impossible, to recover encrypted VMware ESXi virtual machines. The campaign started last Friday and encrypted over 3,000 internet-exposed VMware ESXi servers using this ransomware. Preliminary reports indicated that the devices were breached using old VMware vulnerabilities. However, some victims have stated that those vulnerabilities were remediated and the relevant services were disabled on their devices, yet they were still breached and encrypted. So it could very well be that we are seeing not only previous vulnerabilities being used, but also some zero-days involved here, and that's why we're seeing this continue after the release of the script that CISA provided to help people with this issue.

I think people, unfortunately, got a little ahead of themselves and breathed a sigh of relief the other day when this came out from CISA, thinking it was the silver bullet that was going to get them back up and running. People are quickly finding out that that's not the case. I guarantee you there are also people out there who used the recovery tool but then didn't follow the remediation steps, and then got hit again with this new version of the ransomware. Unfortunately, this time around, they're not going to be able to recover their servers as easily as they did with the CISA tool.

Basically, without getting into too much detail, I'll link to the article in the description below as I said. But this is what security researchers are saying: the encrypter was changed to alternate between encrypting one megabyte of data and skipping one megabyte of data, so basically all files over 128 megs will now have 50% of their data encrypted, making them likely unrecoverable. This change also prevents the previous recovery tools from successfully recovering machines, as the flat files will have too much data encrypted to be usable. So they were only encrypting a small amount of data before, and now they're encrypting a lot more, which renders the CISA tool useless at this point.
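To see why the striped scheme matters for recovery triage, here is an added example (my own code, not from the article or CISA) that scans a file image chunk by chunk, classifies each chunk as ciphertext or plaintext by Shannon entropy, and reports the encrypted fraction and whether the stripes alternate as described. The entropy cutoff, the scaled-down chunk size and the sample data are assumptions; the real stripe is 1 MiB.

```python
import math
import os

# The new encrypter alternates encrypting 1 MiB and skipping 1 MiB in large
# files. A responder deciding whether a flat file is worth a recovery attempt
# can estimate how much of it is ciphertext by measuring per-chunk entropy.
MIB = 1024 * 1024
# Assumed cutoff: random ciphertext scores close to 8.0 bits/byte, while
# disk/text content is usually far lower.
ENTROPY_THRESHOLD = 7.5


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy of `data` in bits per byte (0.0 for empty input)."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def scan_stripes(image: bytes, chunk_size: int = MIB) -> dict:
    """Classify each chunk as encrypted (E) or plaintext (.) and summarise."""
    pattern = []
    encrypted_bytes = 0
    for offset in range(0, len(image), chunk_size):
        chunk = image[offset:offset + chunk_size]
        is_encrypted = shannon_entropy(chunk) >= ENTROPY_THRESHOLD
        pattern.append(is_encrypted)
        if is_encrypted:
            encrypted_bytes += len(chunk)
    alternating = len(pattern) > 1 and all(
        pattern[i] != pattern[i + 1] for i in range(len(pattern) - 1))
    return {
        "chunks": len(pattern),
        "encrypted_fraction": encrypted_bytes / len(image) if image else 0.0,
        "alternating_stripes": alternating,
        "pattern": "".join("E" if e else "." for e in pattern),
    }


def build_striped_sample(chunks: int, chunk_size: int) -> bytes:
    """Constructed sample: even chunks are random bytes standing in for
    ciphertext, odd chunks are repetitive plaintext (not real victim data)."""
    filler = b"VMFS flat file plaintext block\n"
    plain = (filler * (chunk_size // len(filler) + 1))[:chunk_size]
    return b"".join(os.urandom(chunk_size) if i % 2 == 0 else plain
                    for i in range(chunks))


if __name__ == "__main__":
    print(scan_stripes(build_striped_sample(chunks=8, chunk_size=4096), 4096))
```

A pattern like `E.E.E.E.` with an encrypted fraction near 0.5 is the new scheme; a file showing only a few leading `E` chunks is the older, more recoverable case.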

They also made a minor change to the ransom note by no longer including Bitcoin addresses in it (shown in the article if you want to check it out). Basically, they are masking the Bitcoin address so that security researchers won't be able to track payments in the future, which is a big piece of cybersecurity these days. Companies out there trace where all this money goes and how it moves. It's all very interesting, and it's all information used to figure out who's behind it and what they're doing. Removing the address now obscures all of that information.

The article says there's an even bigger concern, however: the admin who shared the new samples said that SLP was disabled on their server. SLP is tied to one of the vulnerabilities, and one of the remediations was to disable it. Their server had already been breached once, and then it was breached again. This could potentially mean a zero-day is being used in these attacks, because the admin said they also checked for a particular backdoor seen in previous attacks, which was not found. So it's very confusing how this individual server was breached again.

I promise I will continue to update you on this. This isn't the last we've heard of this. This is unfolding as we speak. I wanted to get this video out there so people started to become aware. Obviously, you're probably interested in VMware and this ESXi ransomware if you're watching this video, so if you have any experience or want to share any of your comments, I'd love to hear from you below in the comments.

VMware has been attacked a lot lately, so if you have it in your business, please make sure somebody is responsible for keeping it secure and up to date. Right now, if we go to the search engine Shodan, over 2,000 servers on the internet are exposing versions of VMware that are vulnerable to these attacks. So we know these servers exist, we know they're not patched, and we know people have them live on the internet; that's what Shodan tells us. Please ensure you are working with somebody capable of maintaining your server and getting it up to date as soon as possible.

Reach out to us if you need more information or have questions; contact details are in the description below. Please remember to like and subscribe to our channel, and I will see you guys in the next video. Stay safe out there.