{
	"id": "bccd32a2-7be9-4987-a0be-24648eab1991",
	"created_at": "2026-04-06T00:17:20.006522Z",
	"updated_at": "2026-04-10T13:11:52.361178Z",
	"deleted_at": null,
	"sha1_hash": "73ce1e611e22dcc43cfc935d7013a27385a95b74",
	"title": "Ransomware targeting VMware ESXi",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 499453,
	"plain_text": "Ransomware targeting VMware ESXi\r\nBy Julien Levrard\r\nPublished: 2023-02-03 · Archived: 2026-04-05 22:44:12 UTC\r\nA wave of attacks is currently targeting ESXi servers. No OVHcloud managed service is impacted by this attack; however, since many customers are using this operating system on their own servers, we provide this post as a reference to support them in their remediation.\r\nThese attacks are detected globally. According to experts from the ecosystem as well as authorities, the malware is probably using CVE-2021-21974 as its compromise vector. Investigations are still ongoing to confirm these assumptions.\r\nOur technical teams are working to identify the detailed characteristics of the attack while coordinating with our peers from other CERTs and security teams.\r\nUpdate 07/02/2023\r\nWe continue our investigations and continue to provide support to our customers.\r\nWe prioritize our efforts:\r\nto identify our impacted customers on our networks, to provide the most accurate and appropriate information to help them recover from the attack.\r\nto identify potentially vulnerable customers, to ensure they mitigate the risks appropriately as soon as possible in case of another wave of similar attacks.\r\nSeveral security researchers may have found a link with the Babuk ransomware source code leaked in September 2021. The encryption cipher (Sosemanuk) is used in both cases, but the code structure seems to be slightly different.\r\nhttps://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/\r\nPage 1 of 6\r\nIn addition to the recovery procedure described earlier, we noted that the encryption process only impacts a small amount of data within each file. Depending on your VM OS and file system type, you might be able to recover data with data recovery tools, at least partially. Be careful: these tools might perform irreversible actions on the file, so we recommend copying the VM files to another location to protect the data before trying any recovery operation.\r\nWe are referencing a list of companies that can assist you in recovering your data and reconstructing your systems. The list of companies will be available from OVHcloud support.\r\nWe also remind our customers acting as Data Controllers that they might have legal requirements to notify authorities in case of a security incident. Ensure you declare the incident to the appropriate authorities within the right timeframe.\r\nYou will find below the Data Protection Authorities' procedures for data breach notification in the mainly impacted countries, as well as the CERT websites. Check with your legal department or counsel to ensure you notify the right organisation according to your status.\r\nFor PII data controllers:\r\nFrance: https://www.cnil.fr/fr/notifier-une-violation-de-donnees-personnelles\r\nItaly: https://servizi.gpdp.it/databreach/s/\r\nBelgium: https://www.autoriteprotectiondonnees.be/professionnel/actions/fuites-de-donnees-personnelles\r\nSpain: https://www.aepd.es/es/derechos-y-deberes/cumple-tus-deberes/medidas-de-cumplimiento/brechas-de-datos-personales-notificacion\r\nPoland: https://uodo.gov.pl/pl/501/2278\r\nUK: https://ico.org.uk/for-organisations/report-a-breach/\r\nGermany: https://formulare.bfdi.bund.de/lip/form/display.do?%24context=E72B6A6366642AE42118\r\nPortugal: https://www.cnpd.pt/databreach/\r\nQuebec: https://www.cai.gouv.qc.ca/incident-de-confidentialite-impliquant-des-renseignements-personnels/aviser-commission-et-personnes/\r\nCERT:\r\nFrance: https://www.cert.ssi.gouv.fr/les-bons-reflexes-en-cas-dintrusion-sur-un-systeme-dinformation/\r\nItaly: https://cert-agid.gov.it/contatti/\r\nBelgium: https://www.cert.be/fr/signaler-un-incident\r\nSpain: https://www.ccn-cert.cni.es/gestion-de-incidentes/notificacion-de-incidentes.html\r\nPoland: https://incydent.cert.pl/#!/lang=en\r\nUK: https://report.ncsc.gov.uk/\r\nCanada: https://www.cyber.gc.ca/en/incident-management\r\nGermany: https://www.bsi.bund.de/DE/Themen/Unternehmen-und-Organisationen/Cyber-Sicherheitslage/Reaktion/CERT-Bund/Kontakt/kontakt_node.html\r\nPortugal: https://www.cncs.gov.pt/pt/certpt/\r\nAdditional references:\r\nhttps://www.bleepingcomputer.com/news/security/\r\nhttps://www.bleepingcomputer.com/forums/t/782193/esxi-ransomware-help-and-support-topic-esxiargs-args-extension/massive-esxiargs-ransomware-attack-targets-vmware-esxi-servers-worldwide/\r\nhttps://blogs.vmware.com/security/2023/02/83330.html\r\nhttps://members.loria.fr/MMinier/static/papers/sosemanuk_08.pdf\r\nUpdate on 05/02/2023\r\nWe continue to work on the technical analysis in coordination with authorities and the security community to determine IOCs and understand how the malware behaves after the initial compromise.\r\nSo far we have identified the following behavior:\r\nThe compromise vector is confirmed to use an OpenSLP vulnerability that might be CVE-2021-21974 (still to be confirmed). The logs show the user dcui as involved in the compromise process.\r\nEncryption uses a public key deployed by the malware in /tmp/public.pem\r\nThe encryption process specifically targets virtual machine files (“.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram”, “.vmem”)\r\nThe malware tries to shut down virtual machines by killing the VMX process to unlock the files. This function does not systematically work as expected, resulting in files remaining locked.\r\nThe malware creates an argsfile to store the arguments passed to the encrypt binary (number of MB to skip, number of MB in each encryption block, file size)\r\nNo data exfiltration occurred.\r\nIn some cases, encryption of files may partially fail, allowing data to be recovered. Enes Sönmez (@enes_dev), a Turkish security researcher, has documented the procedure for recovery of VMDK files. The procedure is described on his blog (https://enes.dev/). We, as well as many security experts, tested this procedure with success on several impacted servers. The success rate is about 2/3. Be aware that following this procedure requires strong skills in ESXi environments. Use it at your own risk and seek the help of experts to assist.\r\nIn the previous version of the post, we made the assumption that the attack was linked to the Nevada ransomware, which was a mistake. No material allows us to attribute this attack to any group. Attribution is never easy and we leave security researchers to draw their own conclusions.\r\nThe ESXi OS can only be installed on bare metal servers. We launched several initiatives to identify vulnerable servers, based on our automation logs, to detect ESXi installations by our customers.\r\nWe have limited means of action since we have no logical access to our customers' servers. For identified bare metal hosts:\r\nWe sent emails on Friday afternoon to warn customers of the risk and provide them with information on how to mitigate it.\r\nWe blocked the OpenSLP port (427) between the internet and the servers with ESXi installed. Customers can deactivate the filtering rule in their management interface if the use of port 427 is required for whatever reason.\r\nWe launched scans to identify compromised hosts, by testing for the presence of the web page and/or the SSH banner stating that the host has been compromised, in order to notify impacted customers.\r\nOur support team is fully mobilized to help our customers protect their systems and to help them recover if they are impacted by the attack.\r\nAdditional references:\r\nhttps://www.cert.ssi.gouv.fr/alerte/CERTFR-2023-ALE-015/\r\nhttps://enes.dev/\r\nhttps://straightblast.medium.com/my-poc-walkthrough-for-cve-2021-21974-a266bcad14b9\r\nFirst response action items on 03/02/2023\r\nThe attack is primarily targeting ESXi servers in versions before 7.0 U3i, apparently through the OpenSLP port (427).\r\nTo check your version of ESXi, please refer to your server page in your customer interface to identify which version has been deployed on the server, or to the ESXi interface on the system itself.\r\nSo far, we can identify the following recommendations regarding our services:\r\nFor Bare Metal customers using ESXi, we strongly recommend, as an emergency measure:\r\nto deactivate the OpenSLP service on the server or to restrict access to only trusted IP addresses (https://kb.vmware.com/s/article/76372)\r\nto upgrade your ESXi to the latest security patch\r\nAs a second step, ensure:\r\nyour data are backed up (ideally on immutable storage)\r\nonly necessary services are active and are filtered with an ACL to only trusted IP addresses\r\nyou monitor your system for any abnormal behaviour.\r\nOur clients using VMware Private Cloud are not impacted. By design, the SSL gateway prevents this type of attack by blocking external access to this port (OpenSLP 427).\r\nFor our Public Cloud customers, there is no dependency on ESXi, so no risk is identified.\r\nNo other product among OVHcloud’s portfolio is threatened by this ransomware campaign.\r\nWe will update this blog post with any information that could help to reduce the risk associated with this threat.\r\nAdditional references:\r\nhttps://kb.vmware.com/s/article/76372\r\nhttps://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21974\r\nSource: https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.ovhcloud.com/ransomware-targeting-vmware-esxi/"
	],
	"report_names": [
		"ransomware-targeting-vmware-esxi"
	],
	"threat_actors": [],
	"ts_created_at": 1775434640,
	"ts_updated_at": 1775826712,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/73ce1e611e22dcc43cfc935d7013a27385a95b74.pdf",
		"text": "https://archive.orkl.eu/73ce1e611e22dcc43cfc935d7013a27385a95b74.txt",
		"img": "https://archive.orkl.eu/73ce1e611e22dcc43cfc935d7013a27385a95b74.jpg"
	}
}