Ransomware

ESXiArgs seems to be all the rage right now on the interwebz, with what (in my opinion) started as a reddit post reporting attacks, and quickly spread like wild fire to everyone with a vSphere environment talking about it. What's interesting though, is that the most common vector used to exploit this vulnerability was patched out in late 2021. Sooooo, why has this picked up in early 2023 ?

In this blog post, I am going to briefly discuss what seems to be going on with environments getting hit by ESXiArgs, why this should have never happened in the first place, and finally, prevention and remediation for ESXiArgs.

Lets start with What is ESXiArgs ?

ESXiArgs is the fancy name given to a "new" set of ransomware attacks targeting unpatched and unprotected instances of the ESXi hypervisor. Key points here being "unpatched" ESXi hosts, and scenarios where attackers have direct access to the ESXi management interfaces (for example ESXi management directly exposed to the internet, or a machine that is exposed to the internet that also has direct access to ESXi)