Learning with Stellar

A New Variant of ESXiArgs Ransomware attacks VMware ESXi Virtual Machines


    Summary: A new variant of ESXiArgs ransomware has targeted hosts of VMware ESXi virtual machines. Let’s learn about this new ransomware variant and how this ransomware is impacting compromised servers. In addition, we’ll discuss how to recover from the ESXiArgs ransomware attack.


    Recently, a new variant of ransomware, called ESXiArgs, came to light; it has reportedly attacked nearly 500 hosts of VMware ESXi virtual machines across the globe. Most of the victims are in European countries, including France, Germany, the Netherlands, the UK, and Ukraine.

    The latest ESXiArgs ransomware attack follows an encryption routine that skips a small piece (1 MB) of the data and encrypts the next 1 MB. This ensures that all files larger than 128 MB get 50% encrypted.

    The ransomware encrypts files with the .vmdk and .vmsd extensions on compromised ESXi servers and, for every encrypted file, creates an .args file containing its metadata. ESXiArgs ransomware is based on the Babuk source code, previously used by other ESXi ransomware, like CheersCrypt and Dagon group’s PrideLocker encryptor.
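
A triage sketch for the behaviour described above, added here as an example (it is not code from the article, CISA, or VMware): it walks a copy of a datastore, pairs each targeted VM file with its .args companion, and marks files above the 128 MB threshold. The `<file name>.args` naming, the function names, and the sample tree are assumptions made for illustration.

```python
import os
import tempfile

MB = 1024 * 1024
# Extensions the article names as targeted; extend for your environment.
TARGET_EXTS = {".vmdk", ".vmsd"}
ARGS_SUFFIX = ".args"  # assumed naming: "<encrypted file name>.args"


def triage(root, partial_threshold=128 * MB):
    """Return {directory: {"flagged": [...], "unflagged": [...], "orphan_args": [...]}}."""
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        entry = {"flagged": [], "unflagged": [], "orphan_args": []}
        for name in sorted(names):
            if name.endswith(ARGS_SUFFIX):
                # A metadata file whose target is missing: the VM file was moved or deleted.
                if name[: -len(ARGS_SUFFIX)] not in names:
                    entry["orphan_args"].append(name)
                continue
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            size = os.path.getsize(os.path.join(dirpath, name))
            if name + ARGS_SUFFIX in names:
                # Third field: file is above the size where the article says ~50% is encrypted.
                entry["flagged"].append((name, size, size > partial_threshold))
            else:
                entry["unflagged"].append((name, size))
        if any(entry.values()):
            report[os.path.relpath(dirpath, root)] = entry
    return report


def build_sample(root):
    """Constructed sample tree standing in for a datastore copy (not real data)."""
    layout = {
        "vm01": {"vm01-flat.vmdk": 4096, "vm01-flat.vmdk.args": 16, "vm01.vmsd": 10},
        "vm02": {"vm02.vmdk": 512, "gone.vmdk.args": 16, "notes.txt": 5},
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for name, size in files.items():
            with open(os.path.join(root, vm, name), "wb") as fh:
                fh.write(b"\0" * size)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample(tmp)
        # Threshold lowered to 1 KiB so the tiny sample files exercise the "large file" flag.
        for vm_dir, entry in sorted(triage(tmp, partial_threshold=1024).items()):
            print(vm_dir, entry)
```

Run it against a read-only copy or snapshot of the datastore so the evidence on the affected host is not altered.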

    The cybersecurity agencies reported that the attackers have been exploiting the vulnerabilities in VMware’s bare metal hypervisor ESXi, like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699. VMware also confirmed on 6 February 2023 in an advisory that this attack is exploiting the ESXi flaws.

    The first set of ESXiArgs ransomware attacks dates back to October 12, 2022. It followed an encryption routine that skipped large chunks of data on the basis of their size. It targeted end-of-life ESXi servers running versions 6.5 and 6.7. Around 3800 VMware ESXi virtual machines globally fell victim to the ESXiArgs ransomware attack.

    How to Recover Virtual Machine after ESXiArgs Ransomware Attack?

    The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) jointly came to the rescue of the victims. They released the ‘ESXiArgs-Recover’ tool to help undo the damage done by the ransomware. The tool is intended to help organizations attempt recovery of virtual machines affected by ESXiArgs ransomware attacks.

    However, two ransom notes were updated on the hosts on 31 January 2023, a few days after the release of the CISA recovery script. The new variant's ransom notes match the ones used in the previous attacks, with a few differences, such as the use of an Onion URL, a Proton mail address at the end of the note, and a lower ransom demand.

    The recently attacked VMware ESXi virtual machines cannot benefit from the recovery tool released by CISA, as the new version of the attack encrypts more data than the tool is built to restore.

    Some victims have reported that the SLP network was disabled, which turned out to be a solution for the vulnerability as per VMware. VMware also released some recommendations on its security blog.

    To protect servers from such ransomware attacks, the company advises installing updates for ESXi servers and disabling the OpenSLP service in ESXi (disabled by default since 2021, in ESXi 7.0 U2c and newer, and ESXi 8.0 GA and newer versions).

    Additionally, keep virtual machine data recovery software such as Stellar Data Recovery for Virtual Machines in hand. It is the best DIY tool that helps you recover lost and deleted data from VMware (.vmdk), ORACLE (.vdi), and Microsoft (.vhd) virtual image files. The software supports data recovery from virtual machines in case of formatting and corruption. It comes with a simple user interface that facilitates the recovery of data within a few steps.


    1. What are the two main types of ransomware?

    There are innumerable strains of ransomware, and almost all of them could cost you big time. However, the primary ones fall into two categories:

    (i) Crypto Ransomware: Crypto ransomware enables threat actors to encrypt the data on the system, including documents, files, and more.

    (ii) Locker Ransomware: Locker Ransomware locks the victims out of their system and demands a ransom to unlock the device.

    2. Can ransomware viruses be removed?

    You can remove the malicious files and attachments downloaded on your system manually or automatically with the help of powerful antivirus software. You can also use an appropriate decryption tool to regain access to your data.

    3. What is the best way to protect a PC against ransomware?

    Here are some best practices you can follow to protect your PC against ransomware attacks:

    • Keep your PC updated with recommended security patches
    • Be cautious while opening email attachments
    • Access websites with security marks and keep personal information safe
    • Keep antivirus on and updated


    About The Author

    Mansi Verma

    Mansi Verma is a Senior Technology Writer at Stellar®. She is a Tech enthusiast, holding over 8 years of experience in Data Recovery, IoT, Artificial Intelligence, and the Robotics technology domain. She loves researching and providing DIY solutions to solve Windows technical issues. In her spare time, she likes reading novels, and poetry. She also enjoys Travelling, Rafting, Trekking, etc.
