Cyber criminals are actively targeting a two-year-old vulnerability in VMware ESXi servers in a large-scale ransomware attack campaign. This is not a zero-day flaw, and a patch has been available since it was identified in 2021, however some customers have not installed the latest security updates but are continuing to use the products in an internet-exposed manner. Products that are using out-of-date software or are unsupported and considered ‘end-of-life’ are being currently targeted by these threat actors. 

The vulnerability CVE-2021-21974 is a heap overflow vulnerability affecting the OpenSLP service. An unauthenticated attacker who has access to the network segment hosting this service can access port 427 to cause the heap overflow. This can result in remote code execution in the target, which is being used in these attacks to deploy ESXiArgs ransomware. During the encryption process this ransomware uses an encrypt.sh script to look for virtual machine file extensions such as .vmxf, .vmx, .vmdk, .vmsd, and .nvram, then encrypts the files based on their size. It either encrypts the whole file if it is less than 128 MB or uses a size_step to encrypt only chunks of a larger file, creating .args files for each with metadata likely needed for decryption. Ransom notes were left on compromised systems named ransom.html and How to Restore Your Files.html. 

Advice from the National Cyber Security Centre (NCSC) is to not pay the ransom demands, and to regularly maintain backups of your data to lessen the impact of this form of attack. If you suspect you have fallen victim to this ransomware attack, security researcher Enes Sonmez has created a free VMware ESXi recovery guide to help admins rebuild machines and recover their data. End-of-life software should not be used when maintaining cyber security best practices as it no longer received updates from the developer. Keeping your systems up to date will fully prevent this attack from happening as it is only unpatched systems that are being targeted. A list of supported versions of VMware ESXi can be found on their customer connect site, which can be used to check your current build versions and ensure your products are fully up to date to resolve this vulnerability. As this is an OpenSLP security flaw, VMware have also suggested users disable the vulnerable SLP (Service Location Protocol) service, which is disabled by default in more recent updates.