Global ransomware spree infects unpatched VMWare servers. CISA has a (possible) fix.

Ransomware targeting VMware ESXi servers takes advantage of an old vulnerability and has affected more than 3,000 systems worldwide.
Getty Images

The Cybersecurity and Infrastructure Security Agency released a script Tuesday night to help organizations attempting to recover virtual machines affected by a spree of global cyberattacks targeting VMware ESXi servers.

However, recent reports indicate that the unknown ransomware hackers have updated the malware to encrypt additional files, making CISA’s script ineffective, Bleeping Computer reports.

The impact of the campaign is still being assessed. According to Censys, a firm that indexes internet-connected devices, there are at least 3,800 hosts compromised with 900 servers with the latest version of malware.

The so-called ESXiArgs ransomware variant has been reported by some firms to take advantage of two-year-old vulnerability that attackers are able to remotely exploit. Last weekend, the attacks prompted warnings from several European cybersecurity authorities to quickly patch the OpenSLP bug. However, Censys noted that there are some victims without OpenSLP who are reporting to be infected with ESXiArgs.


It’s unclear how widespread the campaign is and who is behind it, however, France’s CERT-FR said that they became aware of the campaign starting on Feb. 3. The Austrian CERT noted that they saw at least 3,276 systems impacted worldwide using scans from Censys.

The script released Tuesday is at least partially based on a recovery tutorial by cybersecurity researchers Enes Sonmez and Ahmet Aykac. It reconstructs VM metadata from virtual disks not encrypted by the ransomware.

However, CISA also warned that they are not going to assume any liability for damage caused by the script. “While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” CISA wrote.

In an emailed statement, a CISA spokesperson said that the agency “is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed. Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI.”


CISA did not respond to request for comment on how widespread the ESXiArg campaign may be in the U.S.

Cybersecurity firm GreyNoise, however, noted in a report released Wednesday that the vulnerability that cybersecurity firms are pointing to as the culprit for the global ransomware campaign may not be the actual access point.

“We do not currently know what the initial access vector is, and it is possible it could be any of the vulnerabilities related to ESXi’s OpenSLP service,” the report said.

GreyNoise points out other vulnerabilities in OpenSLP that could be the initial access point and notes that none of the reports describing the campaign are first-party sources.

Updated Feb. 8, 2023: This article has been updated to include comment from CISA and additional information from GreyNoise.


Updated Feb. 9, 2023: This article has been updated with additional information on the effectiveness of the released script.

Latest Podcasts