#ESXiArgs:

- Not a worm
- Automated attacks but attacker IP running
- Not very skilled
- You can pull attacker IP by running Netflow against impacted boxes (you can pull from Shodan)
- Primary impact SMB MSPs and dedicated server hosts who default VMware insecure on deployment
- Likely off the shelf OpenSLP exploit (eg https://github.com/straightblast/My-PoC-Exploits/blob/master/CVE-2021-21974.py ) based on it only impacting certain version ESXi hosts
- Haven't been able to get binary, but may be Babuk builder, similar to Cheerscrypt mid last year.

Also, obvious point above reiterated - it only appears to be a subset of vuln boxes getting ransom'd. I speculate this is because the public exploit they're potentially using was only tuned to work with certain versions. So it should help reduce the impact somewhat.

In other news, don't open port 427 to the internet, and if you must expose ESXi web servers (port 443) to the internet make sure you patch it.

Good spot by @gregclermont - alleged #ESXiArgs #ransomware samples

Encryption software binary https://www.virustotal.com/gui/file/11b1b2375d9d840912cfd1f0d0d04d93ed0cddb0ae4ddb550a5b62cd044d6b66/detection

Shell script https://pastebin.com/y6wS2BXh

One caveat - doesn’t appear to contain the ransom note unless I’m thick (I am)

If you want to see the havoc #ESXiArgs is causing, check out this forum topic.. it gets more nuts as the pages go on. https://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/

One lesson learnt from this - some cloud providers that offer managed VMware hosting haven’t been patching, and leave all ports open to internet on management IP 🤦‍♀️