New Ransomware Targets VMware ESXi Servers as of 3rd Feb 2023 — FIX Available

NetShop ISP
2 min readFeb 4, 2023
New Ransomware Targets VMware ESXi Servers — Feb 2023

NetShop ISP’s infrastructure security team has been informed about a new ransomware released today, 3rd of February 2023, affecting thousands of VMware ESXi servers around the world.

The attack affects VMware ESXi servers running on versions 7.0u3i and lower. As per cyber security experts announcement, a ransomware group is responsible for these attacks in Europe and worldwide, using CVE-2021–21941 vulnerability to target and compromise ESXi servers.

Whilst investigations are still on going, it is almost certain that the OpenSLP port (427) is being used by the attackers to gain access on the server and encrypt the Virtual Machines disks.

How To Protect ESXi Server from New Ransomware

Here is a quick check list of what you need to do to ensure your ESXi server remains intact from this ransomware attack.

  1. Disable the Openslpd service or restrict access to trusted IP addresses
    Read this VMware Knowledgebase Article on how to do this.
  2. Disable SSH service and Console Shell services
    To do so, login to ESXi Web UI, navigate to Host > Actions >Services.
  3. Update ESXi with the latest security patches available
  4. Disable any unnecessary services running on the ESXi server or restrict access to trusted IPs only
    To do so, login to ESXi Web UI, navigate to Manage > Services.

How To Recover ESXi VMs from Latest Ransomware

NetShop ISP customers with fully managed servers have not been affected as we have already in place those security best practices that help preventing such incidents.

Until a few hours ago, a handful of customers with self-managed ESXi servers reported to our support team they have been affected with this Ransomware. NetShop ISP’s infrastructure engineers have been able to mitigate the situation, recover the encrypted disks and make the VMs back online.

Need Help? We Can Help!

If you are an existing customer affected by this Ransomware please send a ticket/email to support at netshop-isp . com . cy. Our engineers are 24×7 online to assist you.

If you are NOT an existing customer and need NetShop ISP team’s help to resolve this, please send an email to customercare at netshop-isp . com . cy. We will get back to you promptly and help you recover your ESXi Server.

Please monitor this blog article as we will be publishing updates related to this matter.