As the threat of cyber attacks looms over businesses, it’s essential to stay ahead of the game and have proper measures in place to mitigate the risks. Despite the release of the CVE-2021-21974 patch a year ago, recent reports have shown that many have failed to apply it. Resulting in a surge of vulnerability attacks. Don’t let your business fall prey to these attacks, stay vigilant and be proactive in your defence strategies. Read below how to recover from ESXiArgs ransomware.
The VMware ESXi server, widely utilized for virtualization purposes, is susceptible to a two-year-old remote code execution vulnerability. This security flaw enables malicious actors to run harmful code on the targeted server from a remote location. The failure to patch the vulnerability leaves the VMware ESXi server open to exploitation. Hence, it is crucial for administrators to regularly update their systems. This can be done through security patches and updates to prevent potential security breaches.
As reported by The Stack, the ESXi ransomware attacks are affecting a significant number of users. Up to 20 being targeted every hour. Shodan data reveals that a significant portion of these attacks are directed towards systems hosted by OVHcloud. But the reach of the ransomware is rapidly expanding, affecting more victims in various locations.
As per ongoing investigations, it appears that these cyber-attacks are exploiting the vulnerability designated as CVE-2021-21974. The good news is that a solution is there. In the form of a patch has been made available since February 23, 2021, according to CERT-FR.
The ESXiArgs ransomware that’s happening right now takes advantage of the CVE-2021-21974 vulnerability. It gains access to the affected system and encrypts files. Then demanding payment in exchange for the decryption of the encrypted files.
Lets start by understanding the ransomware.
What is ESXiArgs Ransomware?
ESXiArgs ransomware is a malicious software that strikes computer systems and encodes the stored information. The perpetrators then request payment, frequently in the form of a digital currency, to release the encrypted data. This particular type of ransomware targets VMware ESXi servers and takes advantage of the vulnerability CVE-2021-21974 to infect them. The impact of ESXiArgs ransomware on affected organizations can be substantial. Making it crucial to take the necessary precautions to prevent it. This includes staying current with security patches and having robust backup and disaster recovery plans in place.
The Impact / Ramifications of the CVE-2021-21974 Vulnerability in VMware ESXi:
- Remote Code Execution: Attackers have the ability to execute any code on the targeted server, granting them complete control of the system.
- Virtual Environment at Risk: An effective attack can result in the entire virtual environment, including virtual machines and their data, being compromised.
- Threat to Data Privacy: The attacker can access confidential information, putting data privacy and security at risk.
- Disruptions in Service: The attack can cause disruptions to the services provided by the server, potentially leading to financial losses.
- Network-Wide Spread: The attacker can spread the attack to other systems within the network, making the entire infrastructure vulnerable.
- No Authentication Needed: The vulnerability can be exploited without any authentication or user interaction, making it a highly dangerous security threat.
How do you know if you are attacked by ESXiArgs Ransomware?
If you suspect that your system may have fallen victim to the ESXiArgs ransomware, there are several key signs to look out for:
- Encrypted Files: One of the most distinctive indications of a ransomware attack is the presence of encrypted files with altered file names and extensions. Some of the file extensions will be like .vmxf, .vmx, .vmdk, .vmsd, and .nvram. There will also be a .args file for each encrypted document with metadata.
- Ransom Note: Attackers may leave behind a ransom note demanding payment for the decryption of your encrypted files. This note may come in the form of a text file or be displayed on your screen.
- Increased Network Activity: Observing unusual network activity may indicate that your system is infected with malware, as the ransomware may be communicating with the attacker’s servers.
- Reduced System Performance: A decrease in performance may be experienced as the malware utilizes system resources to encrypt files and communicate with the attacker’s command and control servers.
- Error Messages or System Crashes: Error messages or system crashes may occur during the malware’s process of infecting and encrypting files on your system.
It’s essential to note that these symptoms may also be caused by other types of malware infections or system issues. To be sure, it’s recommended to conduct a thorough investigation and seek professional assistance if necessary. In case of an ESXiArgs ransomware infection, immediate action should be taken. Isolate the infected system, prevent the further spread of the malware, and implement appropriate remediation measures.
How to recover the system from ESXiArgs Ransomware attack?
A Step-by-Step Guide on recovering from an ESXiArgs Ransomware Attack:
- Isolate the infected system: The first step in recovering from an ESXiArgs ransomware attack is to isolate the infected server from the network. This helps to prevent the further spread of the malware and minimize potential damage.
- Backup data: Before proceeding with the recovery process, make sure to back up all important data stored on the infected server. The decryption process may result in data loss, so it’s crucial to have a backup in place.
- Remove the ransomware: The next step is to remove the ransomware from the infected system. You can do this by using anti-malware software or following the recommended steps from security experts.
- Restore from a backup: If you have a recent, clean backup, restore the system and data from it. This is the most effective way to recover the system, as it removes all traces of the ransomware.
- Update software and security measures: After recovery, make sure to update the software on the system and implement strong security measures to prevent future attacks.
Note: It’s essential to seek professional support from security experts to ensure a safe and effective recovery process.
If you are not impacted by the ransomware then without delay get your VMware patched. To apply the patch follow the below steps,
A Step-by-Step Guide to preventing CVE-2021-21974 Vulnerability (Patching) when not impacted:
- Verify Current Version: Before proceeding, check the version of VMware ESXi currently installed on your server.
- Download the Patch: Obtain the patch for CVE-2021-21974 from the VMware website or through VMware Update Manager. (https://www.vmware.com/security/advisories/VMSA-2021-0002.html)
- Installing the Patch: Choose to install the patch through either the command line interface or the vSphere Client, and make sure to backup your server before proceeding.
- Verify Installation: Confirm that the patch has been applied by checking the version number and ensuring that it is up-to-date.
- Restart Server: Once the installation has been verified, restart the server to complete the process.
It’s crucial to follow proper guidelines and best practices while installing patches to guarantee a successful and smooth installation. In case of uncertainty, consider seeking support from a VMware expert or professional support team.
Protect your VMware ESXi from future Ransomware attacks with the following steps:
- Secure OpenSLP Service: Disable the OpenSLP service or limit access to only trusted IP addresses. Refer to VMware’s Knowledgebase article for instructions.
- Turn Off SSH and Console Shell Services: Log in to the ESXi Web UI, then go to Host > Actions > Services to disable these services.
- Stay Up-to-Date with Security Patches: Ensure your ESXi is updated with the latest security patches available.
- Limit Access to Essential Services: Disable any unneeded services running on your ESXi server, or restrict access to only trusted IP addresses. Log in to the ESXi Web UI and navigate to Manage > Services to make these changes.
In conclusion, the CVE-2021-21974 and ESXi ransomware attacks are a reminder of the ever-present threat of cyber attacks. The importance of staying vigilant and proactive in protecting our systems. From keeping software up-to-date to implementing strong security measures. It is crucial to take the necessary steps to minimize the risk of attack. While the potential consequences of a ransomware attack can be devastating. With the right knowledge and preparation, it is possible to mitigate the damage and recover from the attack. Let’s work together to make our digital world a safer place.
PS: Hope this article throws light on how to recover from ESXiArgs ransomware. If you are impacted, we strongly advise getting the VM reviewed and restored by a VMware expert.