RansomExx ransomware group targets VMWare ESXi vulnerabilities

[German]A warning for administrators of VMWare ESXi systems. The RansomExx ransomware gang appears to be involved in several incidents where vulnerabilities in VMWare ESXi instances have been exploited to attack virtual machines and encrypt their virtual disks.


I became aware of the issue via the following tweet from Catalin Cimpanu. He has compiled the details in this ZDNet article.

RansomExx Ransomware incidents

According to security researchers, there is evidence that the attackers used the two vulnerabilities CVE-2019-5544 and CVE-2020-3992 in the VMware ESXi virtualization solution to encrypt the hard drives. Both vulnerabilities affect the Service Location Protocol (SLP) , which allows multiple devices on the same network to discover each other. The protocol is also used in VMware ESXi.

ZDNet writes, the vulnerabilities allow an attacker to send malicious SLP requests to an ESXi device on the same network and take control of it. This works even if the attacker has not managed to compromise the VMWare vCenter server to which ESXi instances normally log on. A first attack was reported in October 2020 on reddit.com in the post Witnessed my first ESXi ransomware. Crypts VMs at datastore level:

I always had thought it wasn't possible, but here it is.

A customer's environment went entirely offline and all VMs were powered off by the reports we were getting. Some started to think it was a SAN issue since it was so massive and didn't spare any VMs.

Then, we saw 200 VMs abruptly shutdown and then all files on the datastore get encrypted (vmdk, vmx, logs, the works). The ransom note was left at datastore level.

The attack was directed, using a RaaS (Ransomware as a Service) code, because all files were encrypted with the company name on the extension of the crypted files. The ransom note also mentions the company name directly.

There was a Windows 2012R2 server outside VMware which seems to be the ground zero. Since it had access to the ESXi management URL, the mess may have started there.

Start locking your ESXi management access guys, things will get rough. this customer didn't segregate ESXi management from the VMs.

​EDIT: Post-mortem posted here

The post-mortem artcle has the information, that three users in the company clicked on a mail attachment with a Trojan and thus installed it. This meant that the malware was on the same network and could attack and encrypt the virtual drives of VMware ESXi machines. Further details may be found in the ZDNet article. It is important to provide the VMware ESXi installations with the available security updates to be immune against this kind of attacks.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security, Virtualization and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *