Cyberattack debacle on VMware ESXi Server; "Recovery Script" for ESXiArgs Ransomware Victims

Since last weekend, cyberattacks on vulnerable ESXi servers have been ongoing worldwide, and a number of operators have probably been affected (in Germany, a three-digit number is said to be affected). The attackers are exploiting a vulnerability that was already closed in 2021. Cybersecurity authorities around the world are warning of this danger. The US CISA has now published a recovery script to restore VMs for victims of the ESXiArgs ransomware.


Cyberattacks on ESXi servers

Since last weekend, thousands of VMware servers worldwide have been attacked by a ransomware actor and probably successfully infected. The French CERT-FR was probably the first to issue an alert on February 3, 2023. Specifically, that alert refers to two VMware security advisories that should be noted.

  • VMSA-2021-0002, dated January 23, 2021, describes several vulnerabilities in VMware ESXi and vCenter Server that have been closed by updates. Included is the ESXi OpenSLP heap-overflow vulnerability (CVE-2021-21974) with a CVSSv3 value of 8.8. VMware recommended at the time to disable the OpenSLP service in ESXi when not in use.
  • VMSA-2020-0023, dated Nov. 24, 2020, describes several vulnerabilities, including in VMware ESXi servers. An ESXi OpenSLP remote code execution vulnerability (CVE-2020-3992, use-after-free) was addressed there (CVSSv3 value of 9.8). A malicious actor located on the management network with access to port 427 on an ESXi machine could potentially trigger a use-after-free in the OpenSLP service, resulting in remote code execution.

Subsequently, security agencies around the world are warning of this wave of cyberattacks targeting VMware's ESXi servers. Last Sunday, the Italian cyber security authority ACN warned about the wave of attacks on companies and public authorities – after all, various websites of several organizations and institutions had been affected.

It is now known that thousands of ESXi servers worldwide have been successfully attacked and infected with ransomware. I had highlighted the infections taking place within my German blog post Sicherheitsvorfälle und Patch-Erinnerungen für VMware-Administratoren (6. Feb. 2023) and included the following tweet.

Compromised VMware ESXi servers

A list of affected VMware ESXi versions can be found here. As of February 6, 2023, there is also a blog post from VMware, VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware Attacks, in which the vendor states it has no knowledge of a new 0-day vulnerability as an entry vector for the attacks. I did a search; the security firm Censys lists compromised servers here – below are some numbers.



  • France: 738
  • USA: 308
  • Germany: 243
  • Canada: 211
  • Great Britain: 78

According to this Bitcoin list, 2,803 servers have been infected. Warnings from cyber agencies state that the CVE-2021-21974 vulnerability in the ESXi server's OpenSLP service has been exploited as an entry point. The systems currently affected are ESXi hypervisors version 6.x before 6.7. According to this source, a Feb. 4, 2023 warning from cybersecurity vendor DarkFeed states that most of the servers affected in France and Germany were hosted by hosting providers OVHcloud and Hetzner, respectively. On affected systems, configuration files, but not VMDK virtual drives, are encrypted and victims find the following text:

Bleeping Computer's forum has this discussion thread, started on Feb 3, 2023, where victims discuss the infection and the consequences. I see there that the VMDKs were not encrypted and it seems to be the relatively new Nevada Ransomware. The colleagues at Bleeping Computer have gathered some more details about the encrypted files in this article.

Restore VMs manually

According to Darkfeed, security researcher Habib Karataş claims that the encryption of the disk is done in the wrong way. Darkfeed gives steps in the post to recover the encrypted and deleted config file. Security researchers Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team described an approach to recover virtual machines from unencrypted flat files in this post. However, the approach is quite complex.

CISA publishes recovery script

To help users recover their servers, CISA has released an ESXiArgs recovery script on GitHub that automates the recovery process. Colleagues at Bleeping Computer just reported on it in this article. CISA writes:

"CISA is aware that some organizations have reported success in recovering files without paying a ransom. CISA has compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac.

This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware."

The above explanation and the steps to apply the script to recover VMs can be found on the GitHub project page. The script is applied at your own risk – so you should review what it does and run it on a test system if necessary. If the script runs successfully, the virtual machine can be registered in VMware ESXi again afterwards.
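Before running any recovery tool, it helps to survey which disks are actually recoverable. The following read-only sketch is an added example, not CISA's script or code from the projects mentioned above: it lists the flat extents in a VM folder, checks whether the matching descriptor is still readable plain text, and prints the extent line a rebuilt descriptor would need. The `-flat.vmdk` naming, the `# Disk DescriptorFile` header and the `RW <sectors> VMFS` extent layout are assumed from the standard VMFS descriptor format, and the sample folder with `web01` and `db01` is constructed.

```python
import tempfile
from pathlib import Path

SECTOR = 512                        # VMDK extents are counted in 512-byte sectors
HEADER = b"# Disk DescriptorFile"   # first line of a plain-text VMDK descriptor


def descriptor_state(path):
    """Classify a descriptor as 'missing', 'intact' or 'unreadable'."""
    if not path.exists():
        return "missing"
    with path.open("rb") as fh:
        return "intact" if fh.read(len(HEADER)) == HEADER else "unreadable"


def plan_recovery(vm_dir):
    """Read-only survey of one VM directory: one entry per flat extent."""
    plans = []
    for flat in sorted(Path(vm_dir).glob("*-flat.vmdk")):
        size = flat.stat().st_size
        desc = flat.with_name(flat.name[:-len("-flat.vmdk")] + ".vmdk")
        state = descriptor_state(desc)
        plans.append({
            "flat": flat.name,
            "descriptor": desc.name,
            "state": state,
            # Rebuild only if the descriptor is gone/garbled and the data looks whole.
            "rebuild": state != "intact" and size > 0 and size % SECTOR == 0,
            # Extent line a rebuilt descriptor would need for this flat file.
            "extent": f'RW {size // SECTOR} VMFS "{flat.name}"',
        })
    return plans


def build_sample():
    """Constructed test folder (sparse files, no real VM data)."""
    root = Path(tempfile.mkdtemp(prefix="esxi-sample-"))
    for name, mib, desc in (("web01", 20, b"\x9c\x01\xfe\x44" * 64),   # garbled
                            ("db01", 8, HEADER + b"\nversion=1\n")):  # intact
        with (root / f"{name}-flat.vmdk").open("wb") as fh:
            fh.truncate(mib * 1024 * 1024)
        (root / f"{name}.vmdk").write_bytes(desc)
    return root


if __name__ == "__main__":
    for plan in plan_recovery(build_sample()):
        print(plan)
```

Run it against a copy of the datastore folder on a test system; it opens files for reading only and changes nothing.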
