VMware warns admins to patch ESXi servers, disable OpenSLP service

VMware warned customers today to install the latest security updates and disable the OpenSLP service targeted in a large-scale campaign of ransomware attacks against Internet-exposed and vulnerable ESXi servers.

The company added that the attackers aren't exploiting a zero-day vulnerability and that this service is disabled by default in ESXi software releases issued since 2021.

The threat actors also target products that are "significantly out-of-date" or have already reached their End of General Support (EOGS), according to VMware.

"VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks," VMware said.

"Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs).

"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi."

ESXiArgs ransomware attacks

VMware's warning comes after unknown threat actors started encrypting VMware ESXi servers unpatched against an OpenSLP security flaw (CVE-2021-21974) that unauthenticated threat actors can exploit to gain remote code execution in low-complexity attacks.

Known as ESXiArgs ransomware, this malware has been deployed as part of a massive wave of ongoing attacks that has already impacted thousands of vulnerable targets worldwide (over 2,400 servers, according to current data from Censys).

The attackers use the malware to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvra on compromised ESXi servers and deploy ransom notes named "ransom.html" and "How to Restore Your Files.html."

ID Ransomware's Michael Gillespie analyzed a copy of the ESXiArgs encryptor and told BleepingComputer that, unfortunately, it is a secure encryptor with no cryptography bugs that would allow decryption.

Security researcher Enes Sonmez shared a guide that may allow VMware admins affected by these attacks to rebuild their virtual machines and recover data for free.

BleepingComputer also has more ESXiArgs ransomware technical details and a dedicated ESXiArgs support topic where victims report their experiences with this attack and can receive help recovering their files.