Thousands of VMware ESXi Servers Become Victims of ARGS Ransomware



One of an administrator's worst nightmares is falling victim to ransomware. This time the nightmare has come to administrators of VMware ESXi virtualization servers.

ESXi is a hypervisor that runs and manages multiple guest operating systems on a single physical server, whether Windows server/workstation, macOS, or Linux VMs, together with the data those VMs hold on the host's datastores.


The problem is that unpatched ESXi servers carry a security hole in their OpenSLP service which, if successfully exploited, gives an attacker code execution on the ESXi host itself without knowing any of the server's credentials. Because the hypervisor sits underneath every guest, all operating systems virtualized on that host, including the data contained in their virtual disks, then become accessible to the attacker.



In the case of ARGS ransomware, the virtual machine files on the host (disk, configuration and memory files such as .vmdk, .vmx, .vmsd, .vmsn and .vswp) are encrypted and the .args extension is appended to their names, so a disk like server.vmdk becomes server.vmdk.args. After encryption succeeds, the ransomware drops a ransom note that reads as follows:


How to Restore Your Files

Security Alert!!!

We hacked your company

All files have been stolen and encrypted by us

If you want to restore files or avoid file leaks, please send 2.0*** bitcoins to the wallet 1PAFdD9fwqRWG4VcCGuY27VT**********

If the money is received, the encryption key will be available on TOX_ID:

D6C324719AD0AA50A54E4F8DED8E8220D8698DD67B218B5429466C40E7F72657C015D86C7E4A

Attention!!!

Send money within 3 days, otherwise we will expose some data and raise the price

Don't try to decrypt important files, it may damage your files

Don't trust who can decrypt, they are wild, no one can decrypt without key file

If you don't send bitcoins, we will notify your customers of the data breach by email and text message

And sell your data to your opponents or criminals, the data may be released

note

SSH is turned on

Firewall is disabled


As of the writing of this article, thousands of VMware ESXi servers around the world have fallen victim to the ARGS ransomware. Most of the victims are in France, the United States, Germany, Canada and the United Kingdom.


According to Lilincom's monitoring, at least 3 VMware ESXi servers in Indonesia are also victims of the ARGS ransomware:


i**s budget airport with IP 175.176.166.6**

PT Indonesia ***net Plus with IP 124.158.167.***

PT A***hia Thuba Jaya with IP 103.148.192.***

The VMware ESXi versions vulnerable to this attack are 7.0, 6.7 and 6.5 when left unpatched. The security flaw reported as exploited by this ransomware is CVE-2021-21974, a heap-overflow in the OpenSLP service listening on port 427 that VMware patched in February 2021 (VMSA-2021-0002). An attacker who can reach that port on a vulnerable host needs no credentials.


For the record, what this ransomware attacks is the ESXi host itself, so every operating system virtualized on that host is encrypted at once, be it Windows, macOS, or Linux. And because the host functions as a virtualization server, a single ESXi server usually carries a mix of Windows servers, Windows workstations, macOS and Linux VMs, all of which are lost together.


If the ESXi server is successfully exploited, then besides the guest operating systems themselves, all data stored on their virtual disks is encrypted as well, and backups kept on a datastore attached to the same host are at risk of being encrypted with them. Administrators should therefore be disciplined about regularly backing up important data to storage that is not reachable from the ESXi host.


If you manage ESXi servers and fall victim to this ransomware, contact your antivirus or security vendor for help with recovery and with hardening the host against further exploitation. Use a reliable antivirus and a solution that can restore data even after it has been encrypted, such as Vaccine Protect. Note also that the ESXiArgs encryptor only encrypts part of each large file, so in many cases the VM disks could be rebuilt from the untouched flat files; CISA published a recovery script (ESXiArgs-Recover) for exactly this purpose.


To avoid this ARGS ransomware attack, ESXi server administrators need to update the ESXi version in use to at least the following patch levels (the February 2021 builds that fix CVE-2021-21974):


ESXi version 7.0: update to at least ESXi70U1c-17325551

ESXi version 6.7: update to at least ESXi670-202102401-SG

ESXi version 6.5: update to at least ESXi650-202102101-SG

In addition, it is recommended to disable the SLP (Service Location Protocol) service whenever it is not needed, because this service is the entry point for the exploitation, even on patched hosts. The steps are as follows:


Log in to the ESXi host shell as root.

Stop the SLP service with the command: /etc/init.d/slpd stop

Block the service at the host firewall with the command: esxcli network firewall ruleset set -r CIMSLP -e 0

Make sure the SLP service stays disabled after a reboot with the command: chkconfig slpd off

Confirm the result with esxcli network firewall ruleset list (CIMSLP should show Enabled false) and chkconfig --list slpd (should show off).
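The patch-level check and the SLP hardening steps above, combined into one script that can be run from the ESXi shell. This is an added example written for this article, not VMware's own tooling or code from the original page. It assumes the `vmware -v` output format "VMware ESXi 6.7.0 build-NNNNNNNN"; the minimum build numbers for the 6.5 and 6.7 patches are an assumption taken from VMware's February 2021 release notes and should be confirmed against VMware's build-number KB before relying on them. The parsing functions take command output as an argument, so the constructed sample output embedded below lets the checks run off-host; the `apply` argument runs the real commands.

```shell
#!/bin/sh
# Added example (not from the original article): check whether an ESXi host carries
# the February 2021 fix for CVE-2021-21974 and disable the SLP service as described.
# Run in the ESXi shell (busybox ash) as root:  sh esxi_slp_harden.sh apply
# Without "apply" only the functions are defined; set DRY_RUN=1 to print commands.

DRY_RUN="${DRY_RUN:-0}"

# Minimum build that carries the fix for each release line.
# ASSUMPTION: 6.7 and 6.5 build numbers are taken from VMware's Feb 2021 release
# notes for ESXi670-202102401-SG / ESXi650-202102101-SG; confirm before relying on them.
min_build_for() {
    case "$1" in
        7.0*) echo 17325551 ;;   # ESXi70U1c-17325551 (build number is in the patch name)
        6.7*) echo 17499825 ;;   # ESXi670-202102401-SG (assumed build)
        6.5*) echo 17477841 ;;   # ESXi650-202102101-SG (assumed build)
        *)    echo "" ;;         # unsupported line: treat as not patched
    esac
}

# $1 = output of `vmware -v`, e.g. "VMware ESXi 6.7.0 build-17499825".
# Returns 0 when the build is at or above the minimum fixed build for that line.
esxi_patched() {
    ver=$(printf '%s\n' "$1" | awk '{print $3}')
    build=$(printf '%s\n' "$1" | sed -n 's/.*build-\([0-9]*\).*/\1/p')
    min=$(min_build_for "$ver")
    if [ -z "$min" ] || [ -z "$build" ]; then
        return 1
    fi
    [ "$build" -ge "$min" ]
}

# Execute a command, or only print it when DRY_RUN=1.
run() {
    if [ "$DRY_RUN" = "1" ]; then
        echo "[dry-run] $*"
    else
        "$@"
    fi
}

# The three steps from the article: stop slpd, block it at the firewall, keep it off.
disable_slp() {
    run /etc/init.d/slpd stop
    run esxcli network firewall ruleset set -r CIMSLP -e 0
    run chkconfig slpd off
}

# $1 = output of `esxcli network firewall ruleset list` (columns: Name Enabled).
# Returns 0 only if the CIMSLP ruleset is present and disabled.
cimslp_disabled() {
    printf '%s\n' "$1" | awk '$1 == "CIMSLP" { if ($2 == "false") ok = 1 } END { exit (ok ? 0 : 1) }'
}

# $1 = output of `chkconfig --list slpd`, e.g. "slpd             off".
# Returns 0 only if slpd is configured off for the next boot.
slpd_off_at_boot() {
    printf '%s\n' "$1" | awk '$1 == "slpd" && $2 == "off" { found = 1 } END { exit (found ? 0 : 1) }'
}

# Query the live host and confirm both the firewall rule and the boot setting.
verify_slp() {
    cimslp_disabled "$(esxcli network firewall ruleset list)" || return 1
    slpd_off_at_boot "$(chkconfig --list slpd)" || return 1
    return 0
}

case "${1:-}" in
    apply)
        if esxi_patched "$(vmware -v)"; then
            echo "build is at or above the CVE-2021-21974 fix level"
        else
            echo "WARNING: build is below the fix level, patch this host"
        fi
        disable_slp && verify_slp && echo "SLP disabled and verified"
        ;;
esac
```

On a host that still needs SLP for CIM clients, the firewall step alone is not sufficient once the service is reachable from the management network, so patching remains the first priority; the script reports the patch level before touching the service for that reason.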
