Linux/ESXiArgs.VMVS!tr.ransom

Analysis

Linux/ESXiArgs.VMVS!tr.ransom is a generic detection for a trojan.
Because this is a generic detection, malware detected as Linux/ESXiArgs.VMVS!tr.ransom may vary in behaviour.
Below are some of its observed characteristics and behaviours:

  • This malware is related to the ESXiArgs ransomware outbreak.

  • The ransomware exploits a vulnerability in VMware ESXi servers: a heap overflow in the ESXi OpenSLP service (CVE-2021-21974) that can result in remote code execution.

  • Upon execution, the ransomware attempts to stop the VMX process and then traverses the system looking for files with the following extensions: ".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn", ".vswp", ".vmss", ".nvram", ".vmem". It attempts to encrypt each targeted file, writing the encrypted data to a new file with the extension ".args", and then deletes log files.

  • A ransom note demanding payment may be dropped. Affected users are discouraged from paying, as payment does not guarantee that the data can be recovered.

  • The malware has been associated with the following third-party articles/advisories:
    https://www.csirt.gov.it/contenuti/rilevato-lo-sfruttamento-massivo-della-cve-202121974-in-vmware-esxi-al01-230204-csirt-ita
    https://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974

  • The following exact file hashes are associated with this detection:
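The encryption behaviour described above (targeted VM file extensions rewritten as "<name>.args") can be turned into a simple triage check. The script below is an added example, not Fortinet's code; it assumes a datastore mounted as an ordinary directory tree, and the sample listing it ships with is constructed, not taken from a real host.

```python
import os

# Extensions the analysis above lists as targets, and the suffix it reports
# for the encrypted copies.
TARGET_EXTS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
               ".vswp", ".vmss", ".nvram", ".vmem"}
ENCRYPTED_SUFFIX = ".args"


def classify_paths(paths):
    """Return ESXiArgs-style artifacts from an iterable of file paths: entries
    ending in '.args' whose name in front of that suffix carries a targeted
    extension (e.g. 'web01.vmdk.args'), noting whether the original remains."""
    present = set(paths)
    findings = []
    for path in sorted(present):
        if not path.endswith(ENCRYPTED_SUFFIX):
            continue
        original = path[:-len(ENCRYPTED_SUFFIX)]
        ext = os.path.splitext(original)[1].lower()
        if ext not in TARGET_EXTS:
            continue
        findings.append({"encrypted": path, "original": original, "ext": ext,
                         "original_present": original in present})
    return findings


def scan_datastore(root):
    """Walk a directory tree (e.g. a mounted datastore) and classify it."""
    paths = [os.path.join(d, f) for d, _, files in os.walk(root) for f in files]
    return classify_paths(paths)


# Constructed sample listing (not from a real host) for a stand-alone run.
SAMPLE_LISTING = [
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmx",        # original still present
    "/vmfs/volumes/ds1/web01/web01.nvram",      # untouched
    "/vmfs/volumes/ds1/web01/readme.txt.args",  # '.args' but not a VM file
]

if __name__ == "__main__":
    hits = classify_paths(SAMPLE_LISTING)
    for hit in hits:
        print(hit)
    print(f"{len(hits)} suspected ESXiArgs artifact(s)")  # 2 on the sample
```

A finding whose original file is still present is worth checking first, since the text notes the malware only attempts encryption and an intact original may still be recoverable from that host.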

Outbreak Alert

ESXi servers vulnerable to the OpenSLP heap-overflow vulnerability (CVE-2021-21974) and the OpenSLP remote code execution vulnerability (CVE-2020-3992) are being exploited through the OpenSLP service on port 427 to deliver a new ransomware, "ESXiArgs". The ransomware encrypts files on affected ESXi servers and demands a ransom for file decryption.


Recommended Action

  • Make sure that your FortiGate/FortiClient system is using the latest AV database.
  • Quarantine/delete files that are detected and replace infected files with clean backup copies.

Telemetry

Detection Availability

FortiGate
FortiClient
FortiAPS
FortiAPU
FortiMail
FortiSandbox
FortiWeb
Web Application Firewall
FortiIsolator
FortiDeceptor
FortiEDR

Version Updates

Date        Version    Detail
2023-04-03  91.02022
2023-02-27  91.00983
2023-02-23  91.00853
2023-02-08  91.00393
2023-02-06  91.00334