Cyble – Massive Ransomware Attack Targets VMware ESXi Servers

The ESXiArgs ransomware campaign targets VMware ESXi servers by exploiting a two-year-old OpenSLP heap overflow vulnerability (CVE-2021-21974) to deploy encryption across nearly 1,000 servers worldwide, with France, the US, and Germany heavily affected. The attackers rely on a shell script (encrypt.sh) and an ELF binary (encrypt) to encrypt VM-related files, replace login/branding pages, and drop ransom notes, then clean up traces after encryption. #ESXiArgs #CVE2021_21974 #OpenSLP #Shodan #TOX_ID

Keypoints

  • The ransomware targets VMware ESXi servers by exploiting CVE-2021-21974, a heap overflow in OpenSLP that enables remote code execution for on-network attackers.
  • Infections were widespread, approaching 1,000 ESXi servers globally, with France as the top affected country, followed by the United States and Germany.
  • Two primary payload components are used: a shell script (encrypt.sh) and a Linux ELF binary (encrypt) to perform encryption tasks.
  • The shell script modifies ESXi VM configurations (renaming .vmdk/.vswp files) and then kills the VMX process to proceed with encryption.
  • During encryption, files with various ESXi-related extensions are targeted and encrypted with RSA plus Sosemanuk, and the original login/index page is replaced with a ransom note.
  • Post-encryption cleanup includes deleting logs, removing a Python backdoor-like file (vmtools.py), and replacing the message-of-the-day (motd) file with a ransom note so the impact is visible on login.
  • Ransom notes direct victims to contact the attackers via a TOX_ID and demand payment in exchange for file recovery and assurances that data will not be leaked, illustrating typical extortion behavior.

MITRE Techniques

  • [T1059.004] Unix Shell – The ransomware uses a shell script (encrypt.sh) to orchestrate encryption and configuration changes. “The samples related to this ransomware attack, which include two files named ‘encrypt.sh’ and ‘encrypt’, are responsible for encryption.”
  • [T1083] File and Directory Discovery – The malware iterates through ESXi volumes and searches for files with extensions such as “.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, and “.vmem”.
  • [T1082] System Information Discovery – The script identifies the VM config file via “esxcli vm process list” and modifies the path to VM disks/swaps.
  • [T1036] Masquerading – By renaming config file entries, the ransomware makes it harder for victims to locate and restore original data after encryption.
  • [T1486] Data Encrypted for Impact – The ransomware encrypts files using a Linux binary “encrypt” with a public key, employing RSA and the Sosemanuk stream cipher.
  • [T1071] Application Layer Protocol – Ransom notes instruct victims to contact attackers via a TOX_ID channel for recovery or exfiltration avoidance.
  • [T1027] Obfuscated/Encrypted Files or Information – The payload’s behavior includes encrypting data and handling keys in a way designed to obscure simple restoration.
  • [T1543] Systemd Service – Listed in the article’s MITRE mapping as the persistence technique; no further detail on the mechanism is given here.

Indicators of Compromise

  • [File] encrypt.sh, encrypt – Shell script and ELF binary used to orchestrate encryption and config changes
  • [SHA256] 10c3b6b03a9bf105d264a8e7f30dcab0a6c59a414529b0af0a6bd9f1d2984459 – Encrypt.sh
  • [SHA256] 11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66 – Encrypt

Read more: https://blog.cyble.com/2023/02/06/massive-ransomware-attack-targets-vmware-esxi-servers/