VMware is warning its customers to install the latest security updates and disable the OpenSLP service targeted in a large-scale ransomware attack campaign against Internet-exposed and vulnerable ESXi servers.
The company added that the attackers are not exploiting a 0day vulnerability and that this service is disabled by default in ESXi software releases issued since 2021.
Most reports indicate that products that have reached end of general support (EOGS) and/or are significantly out of date are being targeted through known vulnerabilities that were previously addressed and disclosed in VMware Security Advisories (VMSA).
The company recommends that customers upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. Additionally, VMware recommended disabling the OpenSLP service on ESXi.
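The mitigation VMware describes is a small set of host-side steps: stop the slpd service, block its firewall ruleset, and keep it from starting at boot. The script below is an added example (not VMware's own code) that audits a host for that state and, when asked, applies the steps from VMware KB 76372. The parse helpers take command output as text so they can be exercised off-host on the constructed samples embedded here; `disable_openslp` only runs on a real ESXi host, and the constructed sample outputs and function names are assumptions.

```shell
#!/bin/sh
# Added example: audit and optionally disable OpenSLP (slpd) on ESXi.
# Commands in disable_openslp follow VMware KB 76372; everything else is
# helper logic written for this example.

# Return "on" / "off" / "absent" for slpd from `chkconfig --list` output.
slpd_startup_state() {
  printf '%s\n' "$1" | awk '$1 == "slpd" { print $2; found = 1 }
                            END { if (!found) print "absent" }'
}

# Return "true" / "false" / "absent" for the CIMSLP ruleset from
# `esxcli network firewall ruleset list` output (columns: Name Enabled).
cimslp_firewall_enabled() {
  printf '%s\n' "$1" | awk '$1 == "CIMSLP" { print $2; found = 1 }
                            END { if (!found) print "absent" }'
}

# "yes" if either the service still starts at boot or its port is still
# open in the host firewall, otherwise "no".
needs_mitigation() {
  state=$(slpd_startup_state "$1")
  fw=$(cimslp_firewall_enabled "$2")
  if [ "$state" = "on" ] || [ "$fw" = "true" ]; then
    echo "yes"
  else
    echo "no"
  fi
}

# Remediation steps as documented by VMware; meaningful only on ESXi.
disable_openslp() {
  if [ ! -x /etc/init.d/slpd ]; then
    echo "not an ESXi host, skipping" >&2
    return 1
  fi
  /etc/init.d/slpd stop                              # stop the running service
  esxcli network firewall ruleset set -r CIMSLP -e 0 # close the SLP firewall rule
  chkconfig slpd off                                 # keep it off across reboots
  chkconfig --list | grep slpd                       # confirm: expect "slpd off"
}

# Constructed sample output (assumed format) resembling an unmitigated host.
SAMPLE_CHKCONFIG_ON='SSH                     on
slpd                    on
vpxa                    on'
SAMPLE_FIREWALL_ON='Name                 Enabled
-------------------  -------
CIMSLP               true
sshServer            true'

# Constructed sample output resembling a host after mitigation.
SAMPLE_CHKCONFIG_OFF='SSH                     on
slpd                    off
vpxa                    on'
SAMPLE_FIREWALL_OFF='Name                 Enabled
-------------------  -------
CIMSLP               false
sshServer            true'

# On an ESXi host: `sh this.sh --audit` prints yes/no; `--disable` remediates.
if [ "$1" = "--audit" ]; then
  needs_mitigation "$(chkconfig --list)" "$(esxcli network firewall ruleset list)"
elif [ "$1" = "--disable" ]; then
  disable_openslp
fi
```

Run the audit across the fleet first; a host that reports "no" but is still below the patched build is still vulnerable to everything other than the SLP path, so disabling slpd complements the upgrade rather than replacing it.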
VMware’s warning comes after unknown hackers began encrypting unpatched VMware ESXi servers by exploiting an OpenSLP security flaw (CVE-2021-21974) to achieve remote code execution in low-sophistication attacks.
Dubbed the ESXiArgs ransomware, this malware was deployed as part of a massive wave of ongoing attacks that have already affected thousands of vulnerable targets worldwide (over 2,400 servers, according to recent Censys data).
Attackers use the malware to encrypt .vmxf, .vmx, .vmdk, .vmsd and .nvram files on compromised ESXi servers and deploy ransom notes named “ransom.html” and “How to Restore Your Files.html”.
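The ransom-note filenames above are the simplest on-disk indicator of an affected VM folder. The script below is an added example (not from the article or from VMware) that sweeps a datastore tree, such as /vmfs/volumes on an ESXi host, for those two filenames and then reports, per affected folder, how many of the VM file types the article lists are present, which helps scope recovery. The sample directory tree is constructed inside the script so it runs anywhere; the function names are assumptions.

```shell
#!/bin/sh
# Added example: triage sweep for ESXiArgs ransom notes in a datastore tree.

# Print every ransom note under the given root, one path per line.
find_ransom_notes() {
  find "$1" -type f \( -name 'ransom.html' -o -name 'How to Restore Your Files.html' \) 2>/dev/null
}

# Number of ransom notes found under the root.
count_ransom_notes() {
  find_ransom_notes "$1" | wc -l | tr -d ' '
}

# Unique directories that contain a ransom note (one per affected VM folder).
# -exec dirname is used rather than xargs so names with spaces survive.
affected_vm_dirs() {
  find "$1" -type f \( -name 'ransom.html' -o -name 'How to Restore Your Files.html' \) \
       -exec dirname '{}' \; 2>/dev/null | sort -u
}

# For each affected folder, count VM files with the extensions the article
# says the malware encrypts. Output: <dir> TAB <count>.
triage_report() {
  affected_vm_dirs "$1" | while IFS= read -r dir; do
    n=$(find "$dir" -maxdepth 1 -type f \
          \( -name '*.vmx' -o -name '*.vmxf' -o -name '*.vmdk' \
             -o -name '*.vmsd' -o -name '*.nvram' \) | wc -l | tr -d ' ')
    printf '%s\t%s\n' "$dir" "$n"
  done
}

# Constructed sample tree: two folders with notes, one clean folder.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/ds1/vm1" "$d/ds1/vm2" "$d/ds1/vm3"
  : > "$d/ds1/vm1/ransom.html"
  : > "$d/ds1/vm1/vm1.vmx"
  : > "$d/ds1/vm1/vm1.vmdk"
  : > "$d/ds1/vm2/How to Restore Your Files.html"
  : > "$d/ds1/vm2/vm2.vmx"
  : > "$d/ds1/vm3/vm3.vmx"      # untouched VM, must not appear in the report
  echo "$d"
}

# Usage on a host: sh this.sh /vmfs/volumes
if [ -n "$1" ]; then
  triage_report "$1"
fi
```

The report only tells you which folders the ransomware reached; whether the .vmdk data itself is still recoverable depends on how the flat files were handled, which is what the recovery guide referenced below addresses.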
Security researcher Enes Sonmez has shared a guide that may allow VMware administrators affected by these attacks to rebuild their virtual machines and recover data for free.