Alert essentials:
Thousands of VMware ESXi servers in Italy and other countries were targeted in a global ransomware campaign. CVE-2021-21974 was patched in 2021, yet unpatched servers were used to access networks in the attack.

Update: The U.S. Cybersecurity and Infrastructure Security Agency released a recovery script for ESXiArgs Ransomware. The tool allows organizations to attempt recovery of virtual machines affected by the ransomware attacks. However, reports of an updated ESXiArgs attack have surfaced. This variant cannot be decrypted with the script, and it encrypts large amounts of data, whereas the original version only encrypts smaller data packets. A new ransom note without a Bitcoin address accompanies the mischief.

Additionally, compromises of devices with the OpenSLP protocol disabled have been reported. It is therefore possible that the intrusions do not abuse CVE-2021-21974, and the attack vector is still unknown.


Detailed threat description:
VMware ESXi hypervisors monitor virtual machines and are found in many network environments. On Friday, February 3, a global ransomware campaign began attacking ESXi servers through CVE-2021-21974. A patch for this remote code execution vulnerability has been available for two years, but thousands of unpatched servers were infected recently. ESXiArgs is a widespread ransomware campaign targeting Italy, Germany, and the U.S. Possibly tied to other strains of ransomware, ESXiArgs is ongoing, and updating ESXi servers to the most recent version as soon as possible is highly advised. Fortified will review specific findings with VTM clients on the next monthly call. Until then, you can view specific information related to vulnerable hosts by searching for plugin ID 146827 in the VTM dashboard.

Affected Products / Versions

  • ESXi versions 7.x prior to ESXi70U1c-17325551
  • ESXi versions 6.7.x prior to ESXi670-202102401-SG
  • ESXi versions 6.5.x prior to ESXi650-202102101-SG
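
To triage a host inventory against the list above, the following added example (not part of the original alert or any Fortified or VMware tooling) classifies `vmware -v` banners. It assumes an inventory of "hostname banner" lines; the hostnames and sample builds are constructed, and because the alert names only patch bundles for 6.7.x and 6.5.x, those hosts are routed to a bundle check rather than a build comparison.

```python
import re

# Thresholds from the alert's affected-versions list. Only 7.x is given with a
# build number; 6.7.x / 6.5.x are given as patch bundle names to verify by hand.
FIXED_BUILD_7X = 17325551
FIXED_BUNDLE = {"6.7": "ESXi670-202102401-SG", "6.5": "ESXi650-202102101-SG"}

# Banner printed by `vmware -v`, e.g. "VMware ESXi 7.0.1 build-16850804"
BANNER = re.compile(r"VMware ESXi (\d+)\.(\d+)\.\d+ build-(\d+)")


def triage(banner):
    """Classify one `vmware -v` banner against the alert's version list."""
    m = BANNER.search(banner)
    if not m:
        return "UNPARSED"  # unreachable host, error text, unexpected format
    major, minor, build = (int(g) for g in m.groups())
    if major == 7:
        return "PATCHED" if build >= FIXED_BUILD_7X else "VULNERABLE"
    bundle = FIXED_BUNDLE.get(f"{major}.{minor}")
    if bundle:
        return f"VERIFY_BUNDLE {bundle}"
    return "NOT_LISTED"  # release line is not in the alert; not a clean bill


def triage_inventory(text):
    """Parse 'hostname banner' lines and return {hostname: verdict}."""
    results = {}
    for line in text.splitlines():
        parts = line.split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        results[parts[0]] = triage(parts[1] if len(parts) > 1 else "")
    return results


# Constructed sample inventory (hostnames and builds are illustrative).
SAMPLE = """\
esx-a.example.internal VMware ESXi 7.0.1 build-16850804
esx-b.example.internal VMware ESXi 7.0.3 build-20328353
esx-c.example.internal VMware ESXi 6.7.0 build-14320388
esx-d.example.internal VMware ESXi 6.0.0 build-3620759
esx-e.example.internal connection timed out
"""

if __name__ == "__main__":
    for host, verdict in triage_inventory(SAMPLE).items():
        print(f"{host:28} {verdict}")
```

A PATCHED verdict covers only CVE-2021-21974; given the reported compromises of hosts with OpenSLP disabled, it does not rule out compromise.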


  • CVE-2021-21974

IPs used by scanners during the attack


Note: Fortified’s SOC has current detections in place and is monitoring for additional IoCs.

Impacts on healthcare organizations
This campaign spreads ransomware, and all business-critical systems could be impacted or rendered unavailable in the event of an attack and further proliferation within a victim’s network.

Many healthcare organizations employ VMware ESXi systems, so the likelihood of impact is substantial. While some victims may suffer limited impact, that is usually not the case. Ransomware often propagates automatically to numerous systems on a network, which raises concerns beyond the systems hosted in an ESXi environment. The impacts can be as minimal as affecting a few systems or services, or as significant as rendering much of a network inaccessible or inoperable.


Engineering recommendations:

  • Upgrade affected systems to a fixed version following appropriate testing
  • Use the vSphere Security Configuration Guides to harden environments
  • Tightly control access to IT infrastructure management interfaces (not just vSphere)
  • Review the systems that interact with those hosted in an ESXi environment
  • Ensure deployment of endpoint detection and response toolsets where able
  • If unable, consider minimizing the impact through system and network segmentation as well as role-based access and network access controls

Leadership / Program recommendations:

  • Given the seemingly unwavering persistence of the ransomware threat, consider advanced response mechanisms such as Endpoint Detection and Response technologies
  • Review IR plans and dedicate a procedure and organizational preparedness to the ransomware threat
  • Review and understand system recovery capabilities and limitations via Recovery Time and Recovery Point Objectives

Fortified recommends applying patches and updates where possible and only after adequate testing in a development environment to ensure stability and compliance with organizational change management policies.