CISA Warns Organizations To Guard Against ESXi Ransomware Attacks

A two-year-old VMware ESXi vulnerability is proving problematic for organizations that never patched affected servers. Malicious actors are actively exploiting the bug to spread ESXiArgs ransomware. The attacks reportedly target the OpenSLP service on outdated, unpatched or end-of-life VMware ESXi servers that are reachable from the Internet, then encrypt ESXi configuration files, disrupting the servers’ operation.

The Cybersecurity & Infrastructure Security Agency (CISA) and Federal Bureau of Investigation (FBI) have together issued Alert AA23-039A. The bulletin provides guidance, as well as information regarding an ESXiArgs recovery script CISA made available to assist stricken organizations in potentially recovering from ESXiArgs ransomware attacks.

Because ESXiArgs ransomware encrypts virtual machine configuration files and not (at least initially) the flat files holding the VM disks, in some cases impacted firms can, according to CISA, “reconstruct the encrypted configuration files based on the unencrypted flat file.” The agency’s recovery script aims to assist victims in recreating the damaged configuration files and thereby restoring proper operation.

Victims of ESXiArgs ransomware should review the recovery script and its accompanying README before executing it. CISA notes the script does not delete encrypted configuration files; instead it creates new ones in an effort to restore access to the impacted virtual machines (VMs).

Impacted organizations should continually monitor ESXiArgs ransomware news from credible sources for updates. New variants have reportedly arisen that encrypt additional files, making recovery efforts subsequently more difficult and complex.

Both CISA and the FBI recommend companies with VMware ESXi servers perform the following three actions:

  1. Download and install the latest ESXi software updates
  2. Disable the ESXi Service Location Protocol (SLP) service
  3. Confirm ESXi servers are not publicly accessible from the Internet
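The three actions above as a small audit helper for the ESXi shell (an added example written here, not CISA’s recovery script or VMware’s own code). It assumes esxcli, chkconfig and vmware are available on the host and that MIN_PATCHED_BUILD is set from VMware’s advisory for your ESXi version; the parsing functions read command output from stdin, so they can be exercised off-host with constructed sample output.

```shell
#!/bin/sh
# Hypothetical audit helper for the CISA/FBI actions (added example, not CISA's or VMware's script).
# Intended for the ESXi shell (SSH or DCUI); assumes esxcli, chkconfig and vmware exist there.

# Action 2, check 1: is the CIMSLP firewall ruleset still open?
# Input on stdin: output of `esxcli network firewall ruleset list -r CIMSLP` ("CIMSLP  true").
slp_firewall_enabled() {
    grep -q '^CIMSLP[[:space:]]\{1,\}true'
}

# Action 2, check 2: is slpd still set to start at boot?
# Input on stdin: output of `chkconfig --list` (one "<service>  on|off" line per service).
slp_service_enabled() {
    grep -q '^slpd[[:space:]]\{1,\}on'
}

# Action 1: pull the build number out of `vmware -v` ("VMware ESXi 7.0.3 build-19193900").
esxi_build() {
    sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p'
}
build_at_least() {   # usage: build_at_least <build> <minimum>; true when patched
    [ "$1" -ge "$2" ]
}

# Remediation for action 2, the commands from VMware's SLP guidance; run only when SLP is found enabled.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

audit_esxi_host() {
    min_build="${MIN_PATCHED_BUILD:?set MIN_PATCHED_BUILD from the VMware advisory}"
    build=$(vmware -v | esxi_build)
    if build_at_least "$build" "$min_build"; then echo "OK: build $build >= $min_build"
    else echo "ACTION 1: build $build is below $min_build, apply ESXi updates"; fi
    if esxcli network firewall ruleset list -r CIMSLP | slp_firewall_enabled \
       || chkconfig --list | slp_service_enabled; then
        echo "ACTION 2: SLP still enabled, disabling it"; disable_slp
    else echo "OK: SLP disabled"; fi
    # Action 3 cannot be proven from the host itself: exposure is a property of the edge network.
    echo "ACTION 3: verify from outside your network that TCP/427 and the management interface are unreachable"
}

# Only run the live audit when actually on an ESXi host.
if command -v esxcli >/dev/null 2>&1; then audit_esxi_host; fi
```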

Within Alert AA23-039A, CISA and the FBI also present cybersecurity best practices. The agency and bureau recommend organizations guard against ransomware infections by maintaining offline backups, regularly testing backup sets to confirm they can be restored when required, encrypting all backups and maintaining comprehensive cybersecurity response plans. Other ransomware-prevention steps the bulletin urges firms to adopt include disabling or removing outdated versions of the Server Message Block (SMB) protocol, implementing multifactor authentication (MFA), maintaining user education and training programs, continually auditing administrative and elevated-privilege user accounts, regularly updating antimalware software and disabling hyperlinks in incoming email messages.

If you’re unsure your office is properly prepared against cybersecurity threats, or if you’re having trouble confirming your VMware ESXi hypervisors are updated and properly secured, contact Louisville Geek. You can reach a Louisville Geek technology expert at 502-897-7577 or by emailing [email protected].