More than 3,200 VMware ESXi servers have been hit by the new ESXiArgs ransomware in a large-scale campaign, according to hosting providers and France’s CERT (CERT-FR). The attackers exploit a two-year-old flaw in the OpenSLP service (CVE-2021-21974), reachable on port 427, to execute code remotely on unpatched hypervisors.
The bug is a heap overflow in OpenSLP that an unauthenticated attacker who can reach port 427 can exploit to take control of the host. CVE-2021-21974 affects the following systems:
• ESXi 7.x (before ESXi70U1c-17325551)
• ESXi 6.7.x (before ESXi670-202102401-SG)
• ESXi 6.5.x (before ESXi650-202102101-SG)
It is worth noting that a public exploit for this vulnerability has been available since spring 2021, shortly after the flaw was disclosed. Why attackers began using it at scale only now remains unclear.
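The affected-version list above is only useful if it can be turned into a fleet check. The following Python, an added example that is not part of the original article, takes the first line of `vmware -vl` and the output of `/etc/init.d/slpd status` collected from each host and classifies the host as patched, vulnerable with the SLP service running, or vulnerable with it stopped. The 7.0 fix build (17325551) is the one named in the list; the 6.7 and 6.5 build numbers, the wording of the slpd status output, and the sample host data are assumptions for this example and should be confirmed against VMware's own build-number documentation.

```python
import re

# Builds at which CVE-2021-21974 is fixed, keyed by ESXi major.minor version.
# "7.0" -> 17325551 is the ESXi70U1c build named in the advisory text above.
# The 6.7 and 6.5 values are this example's ASSUMED mapping of the
# ESXi670-202102401-SG and ESXi650-202102101-SG bundles to build numbers;
# confirm them against VMware's ESXi build-number KB before relying on them.
FIXED_BUILDS = {
    "7.0": 17325551,
    "6.7": 17499825,
    "6.5": 17477841,
}

# First line of `vmware -vl` on an ESXi host looks like:
#   VMware ESXi 7.0.1 build-17168206
VMWARE_VL_RE = re.compile(r"VMware ESXi (\d+\.\d+)(?:\.\d+)? build-(\d+)")


def parse_vmware_vl(output):
    """Return (major_minor, build) parsed from `vmware -vl` output."""
    m = VMWARE_VL_RE.search(output)
    if m is None:
        raise ValueError("unrecognised vmware -vl output: %r" % output)
    return m.group(1), int(m.group(2))


def slpd_running(status_output):
    """Interpret `/etc/init.d/slpd status` output (wording is an assumption)."""
    text = status_output.lower()
    return "running" in text and "not running" not in text


def assess_host(name, vmware_vl_output, slpd_status_output):
    """Classify one host for CVE-2021-21974 exposure.

    Build numbers are only comparable within one major.minor line: the 6.7
    fix build is numerically higher than the 7.0 fix build, so a single
    global threshold would misclassify hosts. Look up by version first.
    """
    version, build = parse_vmware_vl(vmware_vl_output)
    fixed = FIXED_BUILDS.get(version)
    slp = slpd_running(slpd_status_output)
    if fixed is None:
        state = "unknown-version"
    elif build >= fixed:
        state = "patched"
    elif slp:
        state = "vulnerable-slp-running"
    else:
        state = "vulnerable-slp-stopped"
    return {"host": name, "version": version, "build": build,
            "slpd_running": slp, "state": state}


# Constructed sample data standing in for output collected from real hosts.
SAMPLE_HOSTS = [
    ("esx-a", "VMware ESXi 7.0.1 build-17168206", "slpd is running"),
    ("esx-b", "VMware ESXi 7.0.1 build-17325551", "slpd is running"),
    ("esx-c", "VMware ESXi 6.7.0 build-17167734", "slpd is not running"),
    ("esx-d", "VMware ESXi 6.5.0 build-17477841", "slpd is running"),
]


def assess_fleet(hosts=SAMPLE_HOSTS):
    """Assess every (name, vmware -vl, slpd status) tuple in the fleet."""
    return [assess_host(*h) for h in hosts]


def exposed_hosts(hosts=SAMPLE_HOSTS):
    """Hosts that are both unpatched and still listening via slpd."""
    return [r["host"] for r in assess_fleet(hosts)
            if r["state"] == "vulnerable-slp-running"]


if __name__ == "__main__":
    for r in assess_fleet():
        print("%-8s %s build %d  slpd=%s  %s" % (
            r["host"], r["version"], r["build"], r["slpd_running"], r["state"]))
    print("exposed:", exposed_hosts())
```

Hosts reported as "vulnerable-slp-stopped" are still unpatched; stopping slpd only removes the network path the ransomware campaign used, so they belong on the patch list as well.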
Hackers infiltrate the victim’s system, encrypt files on the ESXi server, and then demand a $50,000 Bitcoin ransom to restore data.
CERT-FR urges all administrators to install the latest security patches immediately and to examine every exposed system for signs of compromise. Where the SLP service is not needed, the recommended mitigation is to disable it on the hypervisor entirely.
Researchers at cloud provider OVHcloud initially attributed the wave of attacks to a recently observed ransomware called Nevada. According to their report, the attacks “mainly target ESXi servers older than version 7.0 U3i via the OpenSLP port (427).”
Some analysts suggested the attacks may have been carried out using a variant of the Cheerscrypt ransomware, which is based on the leaked Babuk source code.
Ultimately, however, a previously unseen family dubbed ESXiArgs turned out to be responsible, and the earlier attributions were dropped.
According to Bleeping Computer, victims are actively communicating online and seeking assistance. Most affected companies, based on collected data, rely on ESXi servers rented from cloud providers.
On infected servers, the ransomware encrypts files with the extensions .vmxf, .vmx, .vmdk, .vmsd, and .nvram and writes an .args metadata file for each encrypted item, which is most likely needed for decryption.
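The extension list and the per-file .args metadata give a responder a simple way to triage a datastore after an incident. The Python below is an added example, not code from the article or from any of the researchers it cites: it walks a datastore tree, pairs each targeted VM file with a sibling .args file, and separates encrypted files from intact ones and from orphaned .args files. The naming convention `<original filename>.args` and the sample datastore layout it builds in a temporary directory are assumptions for the example.

```python
import os
import tempfile

# Extensions the article reports ESXiArgs encrypting.
ENCRYPTED_EXTS = {".vmxf", ".vmx", ".vmdk", ".vmsd", ".nvram"}
# Assumption for this example: the metadata file sits beside the encrypted
# file and is named <original filename>.args (e.g. web01.vmdk.args).
ARGS_SUFFIX = ".args"


def scan_datastore(root):
    """Walk a datastore tree and pair targeted VM files with .args files.

    Returns a dict keyed by VM directory (relative to root). Each value has
    three sorted lists: 'encrypted' (target file with a matching .args),
    'intact' (target file without one) and 'orphan_args' (.args with no
    matching file, which can point to an interrupted or cleaned-up run).
    """
    report = {}
    for dirpath, _dirs, files in os.walk(root):
        names = set(files)
        rel = os.path.relpath(dirpath, root)
        entry = {"encrypted": [], "intact": [], "orphan_args": []}
        for name in sorted(files):
            if name.endswith(ARGS_SUFFIX):
                if name[:-len(ARGS_SUFFIX)] not in names:
                    entry["orphan_args"].append(name)
                continue
            if os.path.splitext(name)[1] in ENCRYPTED_EXTS:
                if name + ARGS_SUFFIX in names:
                    entry["encrypted"].append(name)
                else:
                    entry["intact"].append(name)
        if any(entry.values()):
            report[rel] = entry
    return report


def summarize(report):
    """Roll the per-directory report up into fleet-level counts."""
    encrypted = sum(len(e["encrypted"]) for e in report.values())
    intact = sum(len(e["intact"]) for e in report.values())
    affected = sorted(vm for vm, e in report.items() if e["encrypted"])
    return {"encrypted_files": encrypted, "intact_files": intact,
            "affected_vms": affected}


def build_sample_datastore():
    """Create a constructed datastore layout in a temp dir (placeholder data,
    not real VM files): one fully hit VM, one untouched VM, and one with a
    partial run that left an orphaned .args file behind."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    layout = {
        "web01": ["web01.vmx", "web01.vmx.args", "web01.vmdk", "web01.vmdk.args",
                  "web01.nvram", "web01.nvram.args", "web01-flat.vmdk",
                  "vmware.log"],
        "db01": ["db01.vmx", "db01.vmdk", "db01.vmsd", "db01.nvram"],
        "jump01": ["jump01.vmx", "jump01.vmx.args", "jump01.vmxf",
                   "jump01.vmxf.args", "jump01.vmdk", "jump01.vmsd.args"],
    }
    for vm, files in layout.items():
        vm_dir = os.path.join(root, vm)
        os.makedirs(vm_dir)
        for name in files:
            with open(os.path.join(vm_dir, name), "wb") as fh:
                fh.write(b"placeholder")
    return root


if __name__ == "__main__":
    root = build_sample_datastore()
    report = scan_datastore(root)
    for vm, entry in sorted(report.items()):
        print(vm, entry)
    print(summarize(report))
```

Run it against a real datastore by passing the mount point to `scan_datastore` instead of the sample tree; the orphan_args list is worth keeping separate, since those files are evidence of where the encryption run stopped or was interrupted.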
The malware authors claim that data is stolen before encryption, but victims deny this: network traffic logs show no evidence of exfiltration.
Recovery without paying looks unlikely: according to analysis by ransomware researcher Michael Gillespie (ID Ransomware), the encryptor contains no obvious weaknesses that would let victims decrypt their data on their own. Gillespie notes that the malware uses the Sosemanuk stream cipher, which is typically found only in ransomware built from the leaked Babuk (ESXi version) source code. He suspects the attackers modified that code, replacing Babuk’s Curve25519 key exchange with RSA.
Encryption techniques differ between ESXiArgs and Cheerscrypt, though their ransom notes are quite similar. While both threats are built on Babuk code, researchers remain uncertain whether ESXiArgs is a variation of Cheerscrypt.
Since most compromised servers were located in France, CERT-FR and cloud provider OVHcloud were the first to report the incident. According to Censys, which scanned for the ransom note, over 3,200 servers have been encrypted to date, nearly one-third of them in France.