Ransomware on a screen and a person with his head in his hands.
Image: Adobe Stock

Jump to:

How does this ransomware attack operate?

CVE-2021-21974 is a vulnerability affecting OpenSLP as used in VMware ESXi. Successful exploitation of that vulnerability allows an attacker to execute arbitrary code, and exploits for this vulnerability can be found in various open sources since May 2021.

The French government’s Computer Emergency Response Team CERT-FR was the first to raise an alert on ransomware exploiting this vulnerability on Feb. 3, 2023, quickly followed by French hosting provider OVH.

Attackers can exploit the vulnerability remotely and unauthenticated via port 427 (Service Location Protocol, SLP), which is a protocol that most VMware customers do not use.

The ransomware encrypts files with the following extensions on the affected systems: .vmdk, .vmxf, .vmsd, .vmsn, .vmss, .vswp, .nvram and .vmem. Then, it tries to shut down the virtual machines by killing the VMX process to unlock the files.

A text note is left after encryption is done (Figure A), asking for ransom that must be paid in Bitcoin cryptocurrency within three days.

Figure A

Ransom note left on a targeted device.
Image: Twitter. Ransom note left on a targeted device.

The ransomware threat actor behind this attack is not known, as the malware seems to be a new ransomware. OVH has reported that according to several security researchers, the encryption cipher used in the ransomware is the same as what was used in the leaked Babuk malware code from September 2021, although the code structure is different.

The Babuk code that leaked in 2021 has been used to create other malware that often targets ESXi systems, but it seems too early to draw a definitive conclusion as to the attribution of that new malware, which has been dubbed ESXiArgs by security researchers.

France and U.S. are the biggest targets

Censys Search, an online tool for searching through internet-connected devices, shows that more than 1,000 servers have been successfully hit by the ransomware, mostly in France, followed by the U.S. and Germany.

At the time of writing, more than 900 servers were compromised in France, while approximately 400 servers in the U.S. were hit.

A lot more systems might be vulnerable and not yet attacked. The Shadowserver Foundation reports that around 27,000 instances may be vulnerable, according to the version of its VMware software.

How to protect your organization from this ransomware threat

For systems running unpatched versions of VMware ESXi, the absolute priority is to cut the SLP service if it runs. The vulnerability can only be exploited via that service, so if it is closed, the system cannot be attacked via this vector.

The next step consists of reinstalling the hypervisor in a version supported by VMware — ESXi 7.x or ESXi 8.x — and applying all security patches.

Finally, all administration services should be protected and only available locally. In case there is a need for remote access, VPN with multi-factor authentication or IP filtering should be used.

Jan Lovmand, chief technology officer of BullWall, a cybersecurity firm focused on preventing ransomware attacks, told TechRepublic more about the vulnerability.

“A patch has been available from VMware since February 2021 when the vulnerability was discovered,” Lovmand said. “This just goes to show how long it takes many organizations to get around to patch internal systems and applications, which is just one of many reasons why the criminals keep finding their way in. The attack surface is big, and preventative security solutions can be bypassed in a scenario like this if the vulnerability has not been patched.”

Lovmand also stressed the importance of patching your networks.

“It’s 50-50 odds that your company will be successfully hit with ransomware in 2023,” he said. “Security solutions cannot protect unpatched networks.”

How to recover from this ransomware threat

Security researchers Enes Somnez and Ahmet Aykac have provided a solution to recover in case a system has been attacked by this ransomware.

The researchers explain that the ransomware encrypts small files like .vmdk and .vmx but not the server-flat.vmdk file, which contains the actual data. Using this file, it’s possible to do a fallback and recover information from the system.

Julien Levrard, chief information security officer from OVHCloud, wrote that the method documented by Somnez and Aykac has been tested by OVH as well as many security experts with success on several impacted servers, with a success rate of 2/3. He added that “this procedure requires strong skills on ESXi environments.”

Disclosure: I work for Trend Micro, but the views expressed in this article are mine.

Read next: Patch management policy (TechRepublic Premium)

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday

Subscribe to the Cybersecurity Insider Newsletter

Strengthen your organization's IT security defenses by keeping abreast of the latest cybersecurity news, solutions, and best practices. Delivered every Monday, Tuesday and Thursday