Skip to content
Ransomware group

ESXiArgs

ESXiArgs is ransomware targeting VMware ESXi servers.

Profile source: Mallory opens in a new tab

ESXiArgs

Family profile

ESXiArgs is ransomware targeting VMware ESXi servers. It was associated with a large-scale encryption campaign in early 2023 and is described as specifically aimed at ESXi environments. Reported initial access vectors against affected ESXi infrastructure include exploitation of exposed OpenSLP services and exposed VMware vCenter servers; one source in the content also reports exploitation of CVE-2021-21974. The campaign briefly devastated some unpatched cloud services. ESXiArgs is part of a broader trend of ransomware increasingly targeting virtualization platforms and Linux/ESXi systems. SentinelLABS assessed that ESXiArgs was likely misattributed as Babuk-derived: they found little similarity to Babuk beyond use of the same open-source Sosemanuk cipher implementation. No high-confidence actor attribution is provided in the content.

Ransomware.live

Operational record

View group record ↗

Exploited software

Vulnerabilities linked to ESXiArgs

1 CVEs

MITRE ATT&CK

ESXiArgs in ATT&CK

7 distinct techniques

Reporting

Research mentioning ESXiArgs

We appreciate you

Derp wouldn't exist without the work these projects do for the security community. We rely on their data sources to improve the quality and depth of what we publish. Thank you, we're genuinely grateful.