ESXiArgs ransomware campaign against VMware ESXi servers

Posted date 13/02/2023

Government agencies and CERTs in several countries have issued warnings about an active exploitation campaign targeting unpatched VMware ESXi servers in their countries. The campaign exploits an old remote code execution (RCE) vulnerability to deploy a new ransomware called ESXiArgs.

These agencies advise organisations using VMware servers to patch their ESXi servers to a version not affected by the attacks or to disable the OpenSLP service. Additionally, CISA has published a tool on its GitHub profile that affected organisations can use to attempt to recover virtual machines locked by the ESXiArgs ransomware.