ESXiArgs is ransomware targeting VMware ESXi servers. It was associated with a large-scale encryption campaign in early 2023 and is described as specifically aimed at ESXi environments. Reported initial access vectors against affected ESXi infrastructure include exploitation of exposed OpenSLP services and exposed VMware vCenter servers; one source in the content also reports exploitation of CVE-2021-21974. The campaign briefly devastated some unpatched cloud services. ESXiArgs is part of a broader trend of ransomware increasingly targeting virtualization platforms and Linux/ESXi systems. SentinelLABS assessed that ESXiArgs was likely misattributed as Babuk-derived: they found little similarity to Babuk beyond use of the same open-source Sosemanuk cipher implementation. No high-confidence actor attribution is provided in the content.
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
約2年前の2021年2月23日に公開されたCVE-2021-21974が悪用されていると考えられています。なお、本脆弱性はOpenSLPに関するもので427/UDP経由で攻撃が行われます。
7 distinct techniques documented for this family, organized by ATT&CK tactic.
ESXiArgsにより暗号化されたサーバはESXiのログイン画面が以下のように改ざんされ、サーバ内のデータが暗号化されます。身代金額は被害を受けたサーバごとに微妙に異なり約2BTC(約600万円)が要求されているようです。
1 indicator attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Ransomware targeting ESXi infrastructure, associated in the content with exploitation of exposed OpenSLP services or VMware vCenter servers.
An ESXi-targeting ransomware locker used in a February campaign against unpatched cloud services. The article says it is often misattributed as Babuk-derived, but only shares the same open-source Sosemanuk implementation and otherwise differs substantially.
Ransomware targeting VMware ESXi servers; associated with a large-scale early-2023 campaign and reported exploitation of an ESXi vulnerability for initial access.
Ransomware campaign targeting VMware ESXi environments.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.