Ransomware Attacks Target VMware ESXi Servers Worldwide

ESXiArgs’s campaign

• Experts found approximately 3,200 compromised VMware ESXi servers worldwide to be impacted by this recent campaign.
• CERT-FR and SingCERT issued separate warnings against this massive automated ransomware campaign targeting VMware ESXi hypervisors globally, with a focus on Europe. Both authorities recommended applying the patch as soon as possible.

Royal Ransomware’s campaign

• It is executed using the command line and comes with support for multiple flags that will give the ransomware operators some control over the encryption process.
• When encrypting files, it will add the .royal_u extension to all encrypted files on the VM.

More on ESXiArgs ransomware

• The arguments include the public RSA key file (public.pem), the file to encrypt, the data details that will not be encrypted, the size of an encryption block, and the file size.
• The script encrypts files with specific extensions on compromised ESXi servers and creates a .args file for each encrypted document with metadata.
• After the encryption, the script will replace VMware ESXi's home page index.html and the server's motd file with the ransom notes. Finally, the script performs a cleanup of various Linux configuration files and a potential backdoor.

ESXiArgs connected to Babuk

• Experts discovered that ESXiArgs is possibly based on leaked Babuk source code, similar to other ESXi ransomware campaigns such as CheersCrypt and the Quantum/Dagon group's PrideLocker encryptor.
• While the ransom note for Cheerscrypt and ESXiArg are very similar, the encryption method is different, which makes it unclear if this is a new variant or just a shared Babuk codebase.

Conclusion