Another ESXiArgs ransomware variant emerges after previous patch

February 13, 2023

According to Censys, after the United States Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor to help affected victims recover from ESXiArgs ransomware attacks, the threat actors have returned with an updated version that encrypts more data.

While it was initially suspected that the first set of attacks was the result of the abuse of a two-year-old, now-patched OpenSLP bug in VMware ESXi (CVE-2021-21974), compromises have been reported on devices that do not use the network discovery protocol. As many as 1,252 servers had been infected by the new version of ESXiArgs as of February 9, 2023, of which 1,168 are reinfections.

A system administrator reported the emergence of the new variant on an online forum, where another participant stated that files larger than 128 MB will have 50% of their data encrypted, making recovery more difficult.

The new ESXiArgs ransomware variant encrypts VM virtual disk files, rendering them inaccessible. The attackers then demand a ransom payment in exchange for the files' decryption. The ransom amount varies but can be substantial. Another notable change is that the Bitcoin address has been removed from the ransom note, with the attackers now urging victims to contact them on Tox in order to obtain the wallet information.
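To make the recovery point concrete, here is an added triage script (not from the article, Censys, or the CISA decryptor) that flags which byte ranges of a disk file look like ciphertext using per-chunk entropy, so a responder can measure how much of a file an encryptor actually touched before deciding whether a partial-encryption recovery is worth attempting. The chunk size, the 7.5 bits/byte threshold and the sample data are assumptions constructed for this demonstration.

```python
import math
import random
from typing import List, Tuple

CHUNK_SIZE = 4096         # bytes per slice examined (assumed value)
CIPHERTEXT_ENTROPY = 7.5  # bits/byte; ciphertext sits near 8.0, typical disk data far below


def shannon_entropy(chunk: bytes) -> float:
    """Shannon entropy of a byte string, in bits per byte (0.0 .. 8.0)."""
    if not chunk:
        return 0.0
    counts = [0] * 256
    for b in chunk:
        counts[b] += 1
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def encrypted_ranges(data: bytes, chunk_size: int = CHUNK_SIZE) -> List[Tuple[int, int]]:
    """Byte ranges [start, end) whose chunks look like ciphertext, merged when adjacent."""
    ranges: List[Tuple[int, int]] = []
    for start in range(0, len(data), chunk_size):
        chunk = data[start:start + chunk_size]
        if shannon_entropy(chunk) < CIPHERTEXT_ENTROPY:
            continue
        end = start + len(chunk)
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)   # extend the current high-entropy run
        else:
            ranges.append((start, end))
    return ranges


def encrypted_fraction(data: bytes, chunk_size: int = CHUNK_SIZE) -> float:
    """Share of the file's bytes that fall inside ciphertext-looking ranges."""
    if not data:
        return 0.0
    return sum(end - start for start, end in encrypted_ranges(data, chunk_size)) / len(data)


def constructed_sample(plain_chunks: int = 8, cipher_chunks: int = 8) -> bytes:
    """Constructed stand-in for a damaged disk file: a low-entropy region followed by a
    high-entropy run, mimicking a file that had half of its data encrypted."""
    rng = random.Random(2023)  # fixed seed keeps the constructed sample reproducible
    plain = (b"vmdk-descriptor-plaintext-" * 4000)[:plain_chunks * CHUNK_SIZE]
    cipher = bytes(rng.getrandbits(8) for _ in range(cipher_chunks * CHUNK_SIZE))
    return plain + cipher


if __name__ == "__main__":
    sample = constructed_sample()
    print(f"encrypted fraction: {encrypted_fraction(sample):.2f}")
    print("ciphertext-looking ranges:", encrypted_ranges(sample))
```

Run against a real image, a fraction near the whole file means the partial-encryption recovery path is closed, while a small fraction in a few ranges points to where the untouched data still sits.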

The threat actors “realized that researchers were tracking their payments, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent,” Censys said in a write-up.

Meanwhile, VMware has stated that there is no evidence that a zero-day vulnerability in its software is being used to spread the ransomware.

The sources for this piece include an article in TheHackerNews.


Jim Love

Jim is an author and podcast host with over 40 years in technology.
