ESXiArgs
ESXiArgs is ransomware targeting VMware ESXi servers.
Profile source: Mallory opens in a new tabESXiArgs
Family profile
ESXiArgs is ransomware targeting VMware ESXi servers. It was associated with a large-scale encryption campaign in early 2023 and is described as specifically aimed at ESXi environments. Reported initial access vectors against affected ESXi infrastructure include exploitation of exposed OpenSLP services and exposed VMware vCenter servers; one source in the content also reports exploitation of CVE-2021-21974. The campaign briefly devastated some unpatched cloud services. ESXiArgs is part of a broader trend of ransomware increasingly targeting virtualization platforms and Linux/ESXi systems. SentinelLABS assessed that ESXiArgs was likely misattributed as Babuk-derived: they found little similarity to Babuk beyond use of the same open-source Sosemanuk cipher implementation. No high-confidence actor attribution is provided in the content.
Ransomware.live
Operational record
Exploited software
Vulnerabilities linked to ESXiArgs
1 CVEsMITRE ATT&CK
ESXiArgs in ATT&CK
7 distinct techniquesReporting
Research mentioning ESXiArgs
Tidal Cyber - PARISITE
On ESXi infrastructure, adversaries may exploit exposed OpenSLP services; they may alternatively exploit exposed VMware vCenter servers. [Recorded Future ESXiArgs Ransomware 2023]
Hypervisor Ransomware | Multiple Threat Actor Groups Hop on Leaked Babuk Code to Build ESXi Lockers | SentinelOne
Reports on the February ESXiArgs campaign–which briefly devastated some unpatched cloud services–claim the eponymous locker is derived from Babuk. However, our analysis found little similarity between ESXiArgs and Babuk.
Sekoia.io mid-2023 Ransomware Threat Landscape
...release of ESXiArgs, a new ransomware specifically aimed at targeting VMware ESXi servers, which conducted a massive encryption campaign in early 2023.
Detecting and responding to ESXi compromise with Splunk | by Alex John | Detect FYI
These include — the ESXiArgs ransomware campaign...