Esxiargs

Campaign updated 4 months ago (2024-05-04T16:30:55.419Z)
The ESXiArgs campaign was a significant cybersecurity event in which an unknown ransomware group targeted VMware ESXi environments. The attackers exploited CVE-2021-21974, a vulnerability that was two years old at the time of the attacks. The campaign involved several ransomware groups, including Royal, Black Basta, LockBit, RTM Locker, Qilin, Monti, and Akira, which are known for directly targeting victims' VMware ESXi servers to steal and encrypt files and then demanding substantial ransoms. In February, reports emerged that the ESXiArgs campaign had caused brief devastation to some unpatched cloud services. Initially, the eponymous locker used in the attack was believed to be derived from Babuk, another notorious ransomware family. On further analysis, however, experts found "little similarity" between ESXiArgs and Babuk, revealing that the earlier attributions had been incorrect. It was later revealed that the cybercriminals had used leaked Babuk source code to target VMware ESXi servers in this widespread ransomware campaign. In response to these attacks, the U.S. Cybersecurity & Infrastructure Security Agency (CISA) released an ESXiArgs recovery script on GitHub. The tool is designed to help organizations that have fallen victim to the ESXiArgs ransomware in their attempts to recover encrypted files. Despite the challenges posed by the ESXiArgs campaign, this development offers a measure of hope for affected entities seeking to mitigate the damage caused by these ransomware attacks.
Description last updated: 2024-05-04T16:30:55.341Z
Aliases: We are not currently tracking any aliases.
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Esxi
Vulnerability
CISA
Malware
Vmware
Encryption
Exploit
Linux
Ransom
exploited
Encrypt
Github
flaw
Locker
RCE (Remote ...
Bitcoin
Remote Code ...
Exploits
Hypervisor
Associated Malware
ID | Type | Votes | Profile Description
Lockbit | Unspecified | 3 | LockBit is a malicious software, or malware, that has been notably active and damaging in the cyber world. Known for its ability to infiltrate systems often without detection, it can steal personal information, disrupt operations, and even hold data hostage for ransom. In the first half of 2024, Loc
Babuk | Unspecified | 2 | Babuk is a type of malware, specifically ransomware, that infiltrates systems to encrypt files and hold them for ransom. This malicious software can infect your system through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can disrupt operations by enc
Associated Threat Actors
ID | Type | Votes | Profile Description
Alphv | Unspecified | 3 | Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
Associated Vulnerabilities
ID | Type | Votes | Profile Description
CVE-2021-21974 | Unspecified | 6 | CVE-2021-21974 is a heap-overflow vulnerability discovered in VMware's ESXi OpenSLP service. This flaw allows attackers to execute arbitrary code and take control of the affected system, posing a significant threat to organizations that utilize VMware's ESXi for their virtual infrastructure manageme
Source Document References
Information about the Esxiargs Campaign was read from the documents corpus below. This display is limited to 20 results.
Source | Created | Title
Unit42 | 7 months ago | Ransomware Retrospective 2024: Unit 42 Leak Site Analysis
CERT-EU | 8 months ago | VMware confirms critical vCenter flaw now exploited in attacks
Securityaffairs | 8 months ago | Decryptor for Tortilla variant of Babuk ransomware released
CERT-EU | 8 months ago | Free Decryptor Released for Black Basta and Babuk's Tortilla Ransomware Victims | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 8 months ago | Amsterdam arrest leads to Babuk Tortilla ransomware decryptor | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 8 months ago | Tortilla (Babuk) Ransomware Decryptor Available – Gridinsoft Blogs | #ransomware | #cybercrime | National Cyber Security Consulting
CERT-EU | 8 months ago | And that's a wrap for Babuk Tortilla ransomware as free decryptor released • The Register | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
CERT-EU | 8 months ago | The biggest cybersecurity and cyberattack stories of 2023
CERT-EU | 8 months ago | 12 Top Hacks, Data Breaches, Missteps of 2023 | #cybercrime | #infosec | National Cyber Security Consulting
CERT-EU | 9 months ago | Municipalities Face a Constant Battle as Ransomware Snowballs | #ransomware | #cybercrime | National Cyber Security Consulting
DARKReading | 9 months ago | Municipalities Face a Constant Battle as Ransomware Snowballs
Checkpoint | 10 months ago | The Platform Matters: A Comparative Study on Linux and Windows Ransomware Attacks - Check Point Research
CERT-EU | 10 months ago | Zhiniang Peng (@edwardzpeng) - Talks
CERT-EU | a year ago | These vulnerabilities that require more than a patch | LeMagIT
CERT-EU | a year ago | 3 Growing Trends That Security Teams Must Watch | #hacking | #cybersecurity | #infosec | #comptia | #pentest | #ransomware | National Cyber Security Consulting
Recorded Future | a year ago | Beyond the Code: Unearthing the Subtle Business Ramifications of Six Months in Vulnerabilities
Recorded Future | a year ago | H1 2023: Ransomware's Pivot to Linux and Vulnerable Drivers | Recorded Future
CERT-EU | a year ago | Cyber Security Today, August 9, 2023 – The latest ransomware news, and more | IT World Canada News
DARKReading | a year ago | Ransomware Victims Surge as Threat Actors Pivot to Zero-Day Exploits
CERT-EU | a year ago | Code leaks are causing an influx of new ransomware actors