Surge in ESXiArgs Ransomware Attacks as Questions Linger Over Exploited Vulnerability

Hundreds of new servers were compromised in the past days as part of ESXiArgs ransomware attacks, but it’s still unclear which vulnerability is being exploited.

There has been a surge in ESXiArgs ransomware attacks in the past days, but it’s still not clear exactly which vulnerability is being exploited by threat actors. 

In fact, questions linger over several aspects of these attacks, including who may be behind them and the origins of the malware delivered by the hackers.

In ESXiArgs attacks, an unidentified threat group has been delivering ransomware to unpatched VMware ESXi servers, encrypting files and dropping ransom notes instructing victims to pay up. While the ransom notes also inform victims that their files have been stolen, researchers have not found any evidence of data theft. 

The Censys and Shodan search engines currently show 1,000-2,000 compromised ESXi servers. The number of hacked systems can be determined because the ransom notes dropped on each system are accessible directly from the internet.

The US Cybersecurity and Infrastructure Security Agency (CISA) reported seeing 3,800 compromised servers as of February 8, but that number has likely grown significantly in the past week.

Censys reported on Wednesday that it had seen a surge in attacks, with more than 500 newly infected hosts observed on February 11-12, mainly in European countries such as France and Germany. 

An analysis conducted by Censys revealed the existence of two servers that hosted ransom notes similar to the one delivered in ESXiArgs attacks in October 2022. The notes delivered in October 2022 resembled the current ones but were not identical. However, the two servers were updated by attackers on January 31, 2023, with a ransom note more closely matching the current campaign.

It’s worth pointing out that the ransom notes are similar to the ones delivered in ransomware attacks involving Cheerscrypt, a Linux-based ransomware seen targeting ESXi servers since the spring of 2022. The base code of Cheerscrypt is derived from leaked Babuk source code.

While the attacks seen in October 2022 may have been part of a Cheerscrypt campaign, Censys noted that Cheerscrypt ransom notes were typically not accessible from the internet, whereas the October 2022 notes were, as in the ESXiArgs attacks. As a result, Censys believes the October 2022 attacks may have been a precursor to the current campaign.

The first ESXiArgs ransomware attacks were seen on February 2, with the first warnings issued the next day. 

While it has been largely assumed that the ESXiArgs attacks have exploited an ESXi OpenSLP-related vulnerability tracked as CVE-2021-21974 — which VMware patched in February 2021 — this has yet to be confirmed.

Threat intelligence company GreyNoise said last week that there is not enough evidence that CVE-2021-21974 is the only flaw being exploited. It pointed out that several OpenSLP-related vulnerabilities have been found in ESXi in recent years, and any of them could have been exploited in the ESXiArgs attacks, including CVE-2020-3992 and CVE-2019-5544.   

In an update on Tuesday, GreyNoise said it had checked its records for evidence of older CVE-2021-21974 exploitation attempts and it did find two attempts between January and June 2021, but the source IPs were only active for a single day. 

VMware has also highlighted that it cannot confirm which vulnerability is being exploited, but said it does not appear to be a zero-day.

“VMware currently has no evidence to support that a new vulnerability is being used to propagate recent ransomware attacks, but there is also no evidence that CVE-2021-21974 is the only attack vector, either,” the virtualization giant said in an FAQ document focusing on ESXiArgs.

“The media has speculated about the involvement of CVE-2022-31699, CVE-2021-21995, CVE-2021-21974, CVE-2020-3992, and CVE-2019-5544 but it is very likely that the attackers are using any vulnerability that is accessible to them. VMware is continuing to investigate,” it added.

As attackers continue to launch ESXiArgs attacks, they also continue improving the malware. Initial versions left some files unencrypted, allowing some users to recover their files without paying a ransom. CISA even released an open source recovery tool to help impacted organizations. 

However, newer versions of the malware encrypt more data, and since researchers have yet to find a weakness in the actual encryption method, recovering the files becomes an impossible task, at least for now. 

Malware targeting ESXi servers has been increasingly common over the past few years. Threat intelligence company Recorded Future reported recently that it saw a three-fold increase in ransomware attacks targeting ESXi between 2021 and 2022, including Alphv, LockBit and Black Basta. 

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
