Gartner Peer Insights Labyrinth the First Finalists for the ECSO CISO Choice Award 2025

ESXiArgs ransomware attacks are known for targeting VMware ESXi servers worldwide, which is currently one of the most crucial cybersecurity issues.
As a vast number of companies around the world widely use VMware products, critical vulnerabilities in the VMware product line are always of great concern and interest to the security industry. This is evidenced by the notorious ESXiArgs ransomware, which exploits CVE-2021-21974 (heap-overflow) and has affected several vulnerable ESXi hosts.
For mitigation, VMware released hotfixes and VMware Advisory VMSA-2021-0002. CVE-2021-21974 is not the only vulnerability in this Advisory Document; the other one is CVE-2021-21972 (RCE). It’s important to mention that these two critical vulnerabilities appeared almost simultaneously. Due to more media coverage, CVE-2021-21974 received more attention, although CVE-2021-21972 has a higher CVSS rating according to nvd.nist.gov: 9.8(Critical) versus 8.8(High).
FortiGuard Labs research* shows this vulnerability can also be used for ransomware distribution. This fact and the higher CVSS rating make detecting this type of attack a necessary and high priority for any VMware user.
Labyrinth Deception Platform simulates VMware nodes and the presence of vulnerabilities related to this CVE. The system operator receives a highly accurate alert and the necessary margin of time before an attacker finds actual hosts of this type. With Labyrinth, it is possible to create multiple network decoys with the CVE-2021-21972 vulnerability in a matter of minutes while spending a minimum of computing resources and time on the part of the IS department staff.

A week ago, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks. CISA urges admins to review the script before using it to understand how it works and avoid possible complications. While the script should not cause any issues, BleepingComputer strongly advises that backups are created before attempting recovery**.

A couple of days ago, after the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, the threat actors returned with an updated version that encrypts more data. Since the ransomware outbreak in early February, over 3,800 unique hosts have been compromised. Most infections are located in France, the U.S., Germany, Canada, the U.K., the Netherlands, Finland, Turkey, Poland, and Taiwan (see graph below)***.

Like with Log4Shell vulnerability****, the Labyrinth Development team is preparing signatures against ESXiArgs at the beginning of March 2023.

Follow our updates on LinkedIn or contact our managers for more information to keep your system safe and protected.


*  https://www.fortiguard.com/threat-signal-report/4295/memento-group-exploited-cve-2021-21972-hid-five-months-to-deploy-ransomware
** https://www.bleepingcomputer.com/news/security/cisa-releases-recovery-script-for-esxiargs-ransomware-victims
*** https://thehackernews.com/2023/02/new-esxiargs-ransomware-variant-emerges.html
**** https://www.labyrinth.tech/news/posts/log4j-vulnerability


Subscribe to our Newsletter

You successfully subscribed!