Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability

Hundreds of new servers were compromised in the past days as part of ESXiArgs ransomware attacks, but it’s still unclear which vulnerability is being exploited.

There has been a surge in ESXiArgs ransomware attacks in the past days, but it’s still not clear exactly which vulnerability is being exploited by threat actors. 

In fact, questions linger over several aspects of these attacks, including who may be behind them and the origins of the malware delivered by the hackers.

In ESXiArgs attacks, an unidentified threat group has been delivering ransomware to unpatched VMware ESXi servers, encrypting files and dropping ransom notes instructing victims to pay up. While the ransom notes also inform victims that their files have been stolen, researchers have not found any evidence of data theft. 

The Censys and Shodan search engines currently show 1,000-2,000 compromised ESXi servers. The number of hacked systems can be determined because the ransom notes dropped on each system are accessible directly from the internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) reported seeing 3,800 compromised servers as of February 8, but that number has likely grown significantly in the past week.

Censys reported on Wednesday that it had seen a surge in attacks, with more than 500 newly infected hosts observed on February 11-12, mainly in European countries such as France and Germany. 

An analysis conducted by Censys revealed the existence of two servers that, in October 2022, hosted ransom notes similar, but not identical, to the one delivered in ESXiArgs attacks. However, the two servers were updated by attackers on January 31, 2023, with a ransom note more similar to the one used in the current campaign.

It’s worth pointing out that the ransom notes are similar to the ones delivered in ransomware attacks involving Cheerscrypt, a Linux-based ransomware seen targeting ESXi servers since the spring of 2022. The base code of Cheerscrypt is derived from leaked Babuk source code.

While the attacks seen in October 2022 may have been part of a Cheerscrypt campaign, Censys noted that Cheerscrypt ransom notes were typically not accessible from the internet, as they are in the case of ESXiArgs attacks. As a result, Censys believes the October 2022 attacks may have been a precursor to the current campaign.


The first ESXiArgs ransomware attacks were seen on February 2, with the first warnings issued the next day. 

While it has been largely assumed that the ESXiArgs attacks have exploited an ESXi OpenSLP-related vulnerability tracked as CVE-2021-21974 — which VMware patched in February 2021 — this has yet to be confirmed.

Threat intelligence company GreyNoise said last week that there is not enough evidence that CVE-2021-21974 is the only flaw being exploited. It pointed out that several OpenSLP-related vulnerabilities have been found in ESXi in recent years, and any of them could have been exploited in the ESXiArgs attacks, including CVE-2020-3992 and CVE-2019-5544.   

In an update on Tuesday, GreyNoise said it had checked its records for evidence of older CVE-2021-21974 exploitation attempts and it did find two attempts between January and June 2021, but the source IPs were only active for a single day. 

VMware has also highlighted that it cannot confirm which vulnerability is being exploited, but said it does not appear to be a zero-day.

“VMware currently has no evidence to support that a new vulnerability is being used to propagate recent ransomware attacks, but there is also no evidence that CVE-2021-21974 is the only attack vector, either,” the virtualization giant said in an FAQ document focusing on ESXiArgs.

“The media has speculated about the involvement of CVE-2022-31699, CVE-2021-21995, CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544 but it is very likely that the attackers are using any vulnerability that is accessible to them. VMware is continuing to investigate,” it added.

As attackers continue to launch ESXiArgs attacks, they also continue improving the malware. Initial versions left some files unencrypted, allowing some users to recover their files without paying a ransom. CISA even released an open source recovery tool to help impacted organizations. 

However, newer versions of the malware encrypt more data, and since researchers have yet to find a weakness in the actual encryption method, recovering the files becomes an impossible task, at least for now. 

Malware targeting ESXi servers has been increasingly common over the past few years. Threat intelligence company Recorded Future reported recently that it saw a three-fold increase in ransomware attacks targeting ESXi between 2021 and 2022, including Alphv, LockBit and Black Basta. 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
