ESXi is back in the news again. CVE-2021-21974 made waves back in April, triggering Cytidel to alert its customers about the rising threat. This nasty piece of malware is targeting VMware ESXi servers worldwide using the critical vulnerability to allow hackers to execute arbitrary commands on the underlying operating system of vCenter Server. The result? Important files get encrypted, and the attacker demands a ransom to release them.
In this blog post, we're going to give you a quick overview on this particular threat and offer some tips on how to protect your servers from cyber-attacks.
What Happened?
A remote code execution vulnerability has been identified that could allow a malicious actor with network access to port 443 to execute arbitrary commands on the underlying operating system of the vCenter Server. One example of how this vulnerability is being exploited is through a new type of ransomware called "ESXiArgs". Attackers are using "spray and pray" tactics, targeting VMware ESXi servers worldwide, including those managed by hosting companies. The ransomware takes over the server and encrypts important files, with the attacker demanding payment to release them.
Once compromised, the ransomware executes an encryptor and delivers a ransom note. The attack has already compromised hundreds of servers, including servers managed by hosting companies.
Why Should I Care?
Organisations with ESXi servers exposed to the public internet are at particular risk as hackers are using "spray and pray" tactics to compromise servers worldwide.
Recent reports have warned of an increase in cyberattacks, especially those targeting corporate banking clients and servers. The Italian National Cybersecurity Agency (ACN) has reported a global ransomware hacking campaign that targeted VMware ESXi servers, urging organisations to take action to protect their systems. Moreover, Italian cybersecurity firm Cleafy has reported an ongoing financial fraud campaign called drIBAN, which infects Windows workstations inside corporate environments, altering legitimate banking transfers and transferring money to an illegitimate bank account.
What Can I Do?
To protect against the ESXiArgs ransomware threat, it is crucial for organizations to take proactive steps to secure their systems. Here are some recommended steps to protect your ESXi servers from this and other cyber threats:
Update your installations to a secure version immediately, without waiting for a routine patch cycle.
Disable the OpenSLP service if it is not being used.
Back up critical data regularly and store backups in a secure location.
Implement a comprehensive security plan, including regular vulnerability scans, intrusion detection systems, and firewalls.
Train your employees to identify and report suspicious activity, and limit access to sensitive data only to authorized personnel.
Monitor your systems regularly for signs of compromise and respond quickly to any detected threats.
Cyber threats, such as the ESXiArgs ransomware, pose a serious risk to organizations worldwide. By taking proactive measures to secure your ESXi servers and implementing a comprehensive security plan, you can significantly reduce your risk of falling victim to cybercriminals.
Keep your organisation ahead of threats with Cytidel Threat Intelligence
To find out more about Cytidel’s threat intelligence offering, visit
Stay safe and secure!
The Cytidel Threat Intelligence Team