Thousands of ESXi hosts around (some of the) globe have been encrypted by cyber criminals. This post is a fast publish showing some of what has occurred, it’s impact and now includes limited remedial advice.

If you have been affected by this ransomware event there is an attempted recovery script by CISA

https://github.com/cisagov/ESXiArgs-Recover/blob/main/recover.sh

🚨We released an ESXiArgs ransomware recovery script on GitHub to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks: https://t.co/cXpP1m03yw #StopRansomware

— Cybersecurity and Infrastructure Security Agency (@CISAgov) February 7, 2023

Situation

Thousands of hosts in Western countries have been ransomwared:

https://www.shodan.io/search/facet?query=http.title%3A%22How+to+Restore+Your+Files%22&facet=org

https://www.bleepingcomputer.com/news/security/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/

Initial Access Vector

Unknown but possibly exploiting OPENSLPD:

• CVE-2019-5544
• CVE-2020-3992
• CVE-2021-21974 (this is the one everyone is reporting but we haven’t seen forensic evidence of this)

Juniper Blog

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/

Why don’t we know? well these hosts aren’t heavily monitored and logs/evidence of the OPENSLPD service being exploited seems to be on the LOW side. People are also (rightly) focusing on restoration of service vs forensic analysis at this stage.

Patient Zero

So at the weekend I found some entries going back to October but I woke up today to find this chap had found one back even further!

(nice work dude!)

https://www.linkedin.com/feed/update/urn:li:activity:7028483731652808704?commentUrn=urn%3Ali%3Acomment%3A%28activity%3A7028483731652808704%2C7028492870693068800%29

We believe this host:

https://trends.shodan.io/search?query=title%3A%22How+to+Restore+Your+Files%22#facet/ip

was the first host to have this chain tested on it.

https://trends.shodan.io/search?query=title%3A%22How+to+Restore+Your+Files%22&language=en#facet/ip

Threat Actor/s

Unknown but likely aligned or politically/physically in/adjacent to Russia/China/Iran/N. Korea/India/South America/Africa (this is a broad list of countries/regions that were not affected despite having vulnerable servers exposed)

Timeline

• 23rd February 2021 – VMWARE issues a patch for OPENSLPD – this states you must be NETWORK ADJACENT (this might be wrong!)
• April 2022 – A single host has been detected as being encrypted with what appears to be this ransom note
• October 2022 – A Backdoor was detected by Juniper
• October 2022 – A group of hosts were encrypted
• Friday 31/01/2023 ESXi hundreds/thousands of hosts started to display ransomware notes on the HTTPS service for ESXi and SSH MOTD

Payment Tracking

Each host has a unique BITCOIN. wallet address. At time of writing only .5 of a bitcoin is known (to me) to have been paid (the criminals) It’s now reported that ~ 50K USD has been paid

Response & Recovery

Response is complex, isolate, contain and eradicate is easy to say, sometimes harder to do given the number of variables. This post isn’t covering detailed ESXi recovery steps, Recovery may be simple, or it may be complex or you might not be able to (i mean paying is an option but a risky AF one)

You may be able to restore VMs by rebuilding VMDK descriptors…

You may find some useful info in the forums (be careful etc.)

https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/page-28

IP IOCs

This list is a subset from

https://github.com/fastfire/IoC_Attack_ESXi_Feb_2023/blob/main/ip.md

It has been enriched and had some of the “known good” IPs taken out

I think some IPs in here are not criminals but people doing mass scanning (researchers) but I can’t confirm this so I’ve left the list as is:

104.152.52.131 104.152.52.55 107.155.50.142 107.170.232.9 146.0.75.2 152.32.219.120 162.243.141.11 162.62.191.220 162.62.33.200 164.92.211.90 170.106.115.253 170.106.115.55 192.241.196.48 192.241.200.36 192.241.202.27 192.241.214.26 192.241.223.35 192.241.239.28 198.199.103.238 43.130.10.173 43.131.94.145 46.17.96.41 103.75.201.219 104.152.52.233 106.75.190.21 106.75.64.29 119.42.54.188 172.105.73.148 176.58.124.251 89.248.163.200

GreyNoise Enrichment

Ransom Note

How to Restore Your Files Security Alert!!!   We hacked your company successfully   All files have been stolen and encrypted by us   If you want to restore files or avoid file leaks, please send 2.035639 bitcoins to the wallet {REDACTED}   If money is received, encryption key will be available on TOX_ID: {REDACTED}   Attention!!!   Send money within 3 days, otherwise we will expose some data and raise the price   Don’t try to decrypt important files, it may damage your files   Don’t trust who can decrypt, they are liars, no one can decrypt without key file   If you don’t send bitcoins, we will notify your customers of the data breach by email and text message   And sell your data to your opponents or criminals, data may be made release   Note   SSH is turned on   Firewall is disabled

Mitigations

• Disable SLPD on ESXi
• Ensure you are running a supported and fully patched ESXi version
• Apply ingress filtering on all management services for the host/User a VPN etc.

References

https://github.com/fastfire/IoC_Attack_ESXi_Feb_2023

https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/

More to follow…

Orgs Affected (count of hosts by ORG name)

This is not a complete list but what is available in Shodan at the time or writing:

OVH SAS 190 Hetzner Online GmbH 91 OVH Hosting, Inc. 80 OVH US LLC 26 OVH GmbH 18 Scaleway 14 Scaleway Dedibox – Paris, France 13 OVH Sp. z o. o. 12 Joe’s Datacenter, LLC 11 LeaseWeb Netherlands B.V. 11 OVH Ltd 11 Cloud South 9 ONLINE SAS NL 9 Zenlayer Inc 8 Hetzner Online AG 7 WorldStream B.V. 7 Scaleway Dedibox 6 MacStadium, Inc. 5 SECURED SERVERS LLC 5 myLoc managed IT AG 5 velia.net Internetdienste GmbH 5 CoreSpace, Inc. 4 Korea Telecom 4 Leaseweb Deutschland GmbH 4 ReliableSite.Net LLC 4 Centrilogic, Inc. 3 Codero 3 Interserver, Inc 3 LEASEWEB UK LIMITED 3 Ministry of Education Computer Center 3 OVH Singapore PTE. LTD 3 Rackdog, LLC 3 Scaleway – Amsterdam, Netherlands 3 SingleHop LLC 3 SoftLayer Technologies, Inc. 3 Stealthy Hosting 3 Verizon Business 3 Aoyou L.L.C 2 Budapest University of Technology and Economics 2 Cadence Networks Ltd 2 Cogent Communications 2 Contabo GmbH 2 Dedicated Server Hosting 2 Dedicated servers OVH 2 Dedispec, LLC. 2 HA Servers, LLC 2 Hurricane Electric LLC 2 Leaseweb USA, Inc. 2 Level 3 Parent, LLC 2 Login, Inc. 2 MadeIT inc. 2 Manov Investments, LLC 2 Nocix, LLC 2 OVHCloud.com 2 Packet Host, Inc. 2 QuadraNet Enterprises LLC 2 RCN 2 Redium B.V. 2 Reliable Hosting Services 2 Scaleway – Paris, France 2 Serverius Holding B.V. 2 SoftLayer Technologies Inc. 2 Turnkey Internet Inc. 2 Velocihost Inc. 2 Vietnam Posts and Telecommunications Group 2 Web Werks 2 WhiteLabel IT Solutions Corp 2 WholeSale Internet, Inc. 2 Wowrack.com 2 Wroclaw Centre of Networking and Supercomputing 2 XLHost.com Inc 2 – HKCIX – 1 2 Cloud Ltd. 1 24/7 COMFORT APPAREL 1 2706360 Ontario Inc 1 ANFA FAJER Sp.J. 1 AR TV LTD 1 AS42926 1 AT&T Corp. 1 AT&T Services, Inc. 1 AZISTA GmbH 1 Apollo Information Systems Corp 1 Aptum Technologies 1 BNS 1 Barak I.T.C 1 Bright Packet, Inc. 1 Brno 1 CDN77-PRG 1 CLIENTID7315 1 CONNECTED TECHNOLOGIES 1 COULEE INTERNET SERVICES COMPANY 1 Centrum Uslug Sieciowych 1 CenturyLink Communications, LLC 1 Charles River Operation 1 Charter Communications Inc 1 ColoHouse LLC 1 Coloblox Data Centers Inc 1 Colocation America Corporation 1 Cologix, Inc 1 Cologuard 1 Comcast Cable Communications, LLC 1 Cox Communications Inc. 1 Cquadrat GmbH 1 Cyber Wurx LLC 1 D2 CLOUD COMMUNICATIONS LTD 1 DGN Teknoloji Anonim Sirketi 1 DINGFENG Network 1 Database Mart LLC 1 Datacamp Limited 1 DedFiberCo 1 Dedicated server 1 Direct Connect Solutions 1 Dublin Enterprise & Technology Centre Limited 1 EG 1 EGIHosting 1 ELASSAR MULTIMEDIA 1 ETC TECHSOLUTIONS 1 EVRY One Huskvarna AB 1 EasyDataHost S.L. 1 Empire Data Technologies 1 Eotvos Lorand University of Sciences 1 Equinix Services, Inc. 1 Excell /30 Customer PPC Connections 1 FASTPLANET LTD 1 FPT Telecom 1 FPT Telecom Company 1 FastLine For Communication And Information Technology Ltd Broadband Subscribers 1 Fasthosts Internet Limited 1 Fibernet Dedicated Hosting San Jose 1 Fifield Companies 1 Flokinet Ltd 1 Fort Hays State University 1 Fortress Networks 1 Frontier Communications of America, Inc. 1 GTHost 1 Galaxyvisions Inc 1 GameServers.com 1 Georgia Institute of Technology 1 Global Reach Networks Limited 1 GoDaddy.com, LLC 1 GorillaServers, Inc. 1 Gridlogix 1 HGC Global Communications Limited 1 HIVELOCITY, Inc. 1 HKBN Enterprise Solutions HK Limited 1 HOSTKEY 1 Hail Point, LLC 1 Hargray Communications Group, Inc. 1 Hivelocity Inc 1 Hogeschool van Arnhem en Nijmegen 1 HostSailor NL Services 1 Hosting Services, Inc. 1 Hudson Valley Host 1 HugeServer Networks, LLC 1 Huseyin Inanc 1 I-2000, Inc. 1 IDEAL HOSTING TEKNOLOJI A.S 1 IHGCO ATT 1 IO INC 1 IOMART HOSTING LIMITED 1 IPXO LLC 1 IPvision 1 IQ PL Sp. z o.o. 1 Ibis Budget Bandara 1 Indeno GmbH – Cloud Services 1 Industrial Systems Institute, 1 Infortech Corporation 1 Institute of Biochemistry and Biophysics LAN 1 Instituto Politecnico de Tomar 1 Internet Marketing Ninjas 1 Izzy Dot Net 1 KIEVLINE LLC 1 Krypt Technologies 1 Last Minute Gourmet 1 LeaseWeb USA, Inc. Los Angeles 1 LeaseWeb USA, Inc. Seattle 1 Limestone Networks, Inc. 1 MEVSPACE sp. z o.o. 1 MOJOHOST 1 MULTACOM CORPORATION 1 MUV Bilisim ve Telekomunikasyon Hizmetleri Ltd. Sti. 1 MadNET d.o.o. 1 Magyar Telekom plc. 1 Majestic Hosting Solutions, LLC 1 MegaNetServe Inc. 1 Mersa Host Datacenter Solutions 1 Missouri CASA 1 Mraknet s.r.o. 1 NForce Entertainment B.V. 1 NYITX 1 Natureware Inc. 1 Nerivon 1 Nessus GmbH 1 Netsons s.r.l. 1 Network Address for Servers 1 New Century InfoComm Tech. Co., Ltd. 1 Nida Telekomunikasyon Hizmetleri A.S. 1 Northern Neck Wireless Internet Services LLC 1 Ntirety, Inc. 1 OC1-DedicatedNow, LLC 1 ODS Joint Stock Company 1 OVH Dedicated Servers LIM 1 OVH Dedicated Servers LON 1 PAGI S.A. 1 PEG TECH INC 1 PNG Maritime College 1 PRIVATE JOINT STOCK COMPANY DATAGROUP 1 PT. Akashia Thuba Jaya 1 Perfect International, Inc 1 Performive LLC 1 Pingmar 1 Pinpointe On-Demand, Inc. 1 PowerWeb – Backbone Uplink2 1 QuickPacket, LLC 1 Rackspace Hosting 1 RapidSwitch Ltd 1 Rapidswitch 1 Ravand CyberTech Inc 1 Ravand Cybertech Inc. 1 Register.it Server 1 Ruprecht-Karls-Universitaet Heidelberg 1 SBA Edge, LLC 1 SERVERS 1 SIMCENTRIC-HK NETBLOCK 1 SPEED-NET S.R.L 1 STIADSL S.R.L 1 SUPPORNET INC. 1 Sagitta ApS 1 Saglayici Teknoloji Bilisim Yayincilik Hizmetleri Ltd. Sti. 1 Seflow s.r.l. 1 Sharktech 1 Sharq Telekom CJSC 1 Shenmiren Communications 1 Simtronic Technologies Pty Ltd 1 SingleHop 1 Slovak Technical University 1 SolidSpace LLC 1 Southern Broadband, LLC 1 State University of New York at Stony Brook 1 Supreme Court of the State of Florida 1 T-Mobile Austria GmbH 1 TELEFONICA DE ESPANA S.A.U. 1 TENET Scientific Production Enterprise LLC 1 Telecom Italia S.p.A. 1 The Montgomery Academy 1 Tourist Information Centres Ltd. 1 Tripnet AB 1 Turhost.com Dedicated Servers Network 1 1 UAB Informacijos labirintas 1 UAB Rakrejus 1 US Zenlayer FRA BMC 1 Ulm, Germany 1 UnReal Servers, LLC 1 UnionCOM Ltd 1 University of Ioannina 1 University of Macedonia 1 University of Pitesti 1 University of Virginia 1 Vargonen Teknoloji ve Bilisim Sanayi Ticaret Anonim Sirketi 1 Viettel Group 1 Vodafone Hungary Ltd. 1 Volia Cherkassy 1 Voxility S.R.L. 1 Wave Broadband 1 WebNX, Inc. 1 Webb Kooper AB 1 Webmad Webmarketing GmbH 1 WiLine Networks Inc. 1 Wnet Ukraine LLC 1 WorldStream IPv4.26 1 Xfernet 1 Yesilbir Bilisim Teknolojileri SAN.TIC.LTD.STI 1 Zemlyaniy Dmitro Leonidovich 1 Zerolag Communications, Inc. 1 eStruxture Data Centers Inc. 1 iWeb Technologies Inc. 1 kabelplus GmbH 1 myNET Internet Solutions 1 shannon hansen 1 ssd networks limited 1 za200.cz s.r.o.