April 19, 2024

VMware warns of ransomware attacks on unpatched ESXi hypervisors




Image: Getty Images/Morsa Images

Hypervisor maker VMware has warned that attackers are using previously disclosed vulnerabilities in its ESXi hypervisor and components to deploy ransomware.

The company believes the vulnerabilities being exploited are not zero-day flaws, meaning the attackers are exploiting previously known bugs in the hypervisor. In other words, the attacks hit instances of the hypervisor that have not been updated or are no longer supported.


“We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves,” VMware’s security response center said on Monday.

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.”

The company notes that most reports state attacked instances have reached end of support or are significantly out-of-date products.

It is reiterating a workaround it gave in December for customers to disable the SLP service on VMware ESXi after OpenSLP vulnerabilities affecting ESXi were disclosed.

France’s computer emergency response team (CERT) last week warned that it became aware of attack campaigns targeting ESXi hypervisors to deploy ransomware on February 3. The SLP service appeared to have been targeted; it allows a remote attacker to run code of their choice on the vulnerable server. It also notes that exploit code has been publicly available since at least May 2021.

CERT France strongly recommends that admins isolate an affected server, reinstall the hypervisor, apply all patches, disable unnecessary services such as SLP, and block access to admin services via a firewall.

Specifically, it recommends the following courses of action:

  • Isolate the affected server
  • Carry out an analysis of the systems in order to detect any sign of compromise
  • Reinstall the hypervisor in a version supported by the publisher (ESXi 7.x or ESXi 8.x)
  • Apply all security patches and follow future vendor security advisories
  • Disable unnecessary services on the hypervisor
  • Block access to the various administration services, either via a dedicated firewall or via the firewall built into the hypervisor, and implement a local administration network as well as a remote administration capability if one is required

BleepingComputer reports that the attackers behind ESXiArgs ransomware use it to encrypt .vmxf, .vmx, .vmdk, .vmsd, and .nvram files on compromised ESXi servers.


VMware recently warned organizations running its ESXi hypervisor of an increase in ransomware attacks targeting unpatched versions of the software. The attack works by exploiting vulnerabilities in the software that allow the attackers to gain access to the system and then encrypt its contents.

VMware stated that it has observed an increase in attempted ransomware attacks against its ESXi software. The company advised organizations to ensure that the hypervisor is kept up to date with the latest security patches, as this is the most effective way of protecting against such attacks. Additionally, it stressed the importance of limiting privileged access to the system and implementing security best practices, such as host-based firewalls and restricted network access.

The ESXi hypervisor is widely used in the enterprise sector, making it a prime target for ransomware attackers. The software provides a virtualization platform that allows multiple operating systems to be run on a single server. It is an attractive target because a successful attack could cause significant disruption to an organization’s operations.

In a blog post, VMware warned: “Ransomware attackers are rapidly evolving their tactics, and organizations must keep pace with the changing nature of the threat in order to protect their data and systems. As ransomware attackers increasingly target unpatched systems, organizations must ensure that their hypervisor infrastructure is up to date with the latest patches and security best practices.”

Organizations should therefore take heed of the warnings from VMware and ensure that their ESXi installations are kept secure and up to date with the latest patches. Furthermore, organizations should take steps to limit access to the system and ensure it is inaccessible from the outside internet. By doing so, they can ensure that their systems are adequately protected from potential ransomware attacks.