Security News > 2023 > February > VMWare user? Worried about “ESXi ransomware”? Check your patches now!
Here's some more bad news: the ransomware used in this attack, which you'll see referred to variously as ESXi ransomware and ESXiArgs ransomware, seems to be a general-purpose pair of malware files, one being a shell script, and the other a Linux program.
In other words, altough you absolutely need to patch against these old-school VMWare bugs if you haven't already, there's nothing about this malware that inextricably locks it to attacking only via VMWare vulnerabilities, or to attacking only VMWare-related data files.
We'll just refer to the ransomware by the name Args in this article, to avoid giving the impression that it is either specifically caused by, or can only be used against, VMWare ESXi systems and files.
Call a general-purpose file scrambling tool for each file found.
Go to the beginning of FILENAME Read in M megabytes from FILENAME. Scramble that data using the Sosemanuk stream cipher with RNDKEY. Overwrite those same M megabytes in the file with the encrypted data.
Jump to the end of FILENAME. Use RSA public key encyption to scramble RNDKEY, using PUBKEY. Append the scrambled decryption key to FILENAME. In the script file we looked at, where the attackers invoke the encrypt program, they seem to have chosen M to be 1MByte, and N to be 99Mbytes, so that they only actually scramble 1% of any files larger than 100MBytes.
News URL
Related news
- Chilean hosting firm's VMware ESXi servers hit by new SEXi ransomware (source)
- Hosting firm's VMware ESXi servers hit by new SEXi ransomware (source)
- VMware Issues Security Patches for ESXi, Workstation, and Fusion Flaws (source)
- VMware fixes critical sandbox escape flaws in ESXi, Workstation, and Fusion (source)
- VMware patches critical flaws in ESXi, Workstation, Fusion and Cloud Foundation (source)