Recently, two ransomware gangs, RansomExx and the Darkside Group, have launched attacks against VMware ESXi environments and encrypted their virtual hard disks. A third group, which operates the Babuk Locker ransomware, has also threatened such attacks, although none have been attributed to it yet.
These ransomware attacks exploit the VMware vulnerabilities CVE-2019-5544 (a heap overwrite in OpenSLP) and CVE-2020-3992 (a use-after-free in OpenSLP) by sending malicious Service Location Protocol (SLP) requests to take control of ESXi servers and encrypt the virtual hard disk files. SLP is a service-discovery protocol: devices on the same network, including ESXi servers, use it to advertise and find each other's services, and on ESXi it is served by the slpd daemon on TCP/UDP port 427. In the cases reported, most of the virtual machines cannot boot after the attack, forcing critical business operations down. The only way to recover is to restore data from backups or create new VMs; there is currently no tool to decrypt the data. Both vulnerabilities have vendor patches (VMSA-2019-0022 and VMSA-2020-0023), and VMware's workaround for hosts that cannot be patched immediately is to stop and disable the SLP service and block the CIMSLP firewall rule set, so an exposed port 427 on an ESXi host is the first thing to check.
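The following Python script is an added example, not code from the original article or from Sangfor; it shows what a (benign) SLPv2 request on port 427 looks like and lets you check whether an ESXi host still answers SLP at all, which is the exposure the attacks above depend on. It builds a Service Request (SrvRqst) per RFC 2608, parses the SLPv2 header and any Service Reply (SrvRply) URL entries that come back, and also builds a constructed sample reply so the parser can be exercised offline. The service type `service:wbem`, the host name `esxi01.example.test` and the helper names are assumptions for illustration; no exploit payload is involved, only a standard discovery request.

```python
"""Check whether a host still exposes SLP (UDP/427), the service the ESXi ransomware attacks abuse."""
import socket
import struct
import sys
from typing import Optional

SLP_PORT = 427
SLP_VERSION = 2
FUNC_SRVRQST = 1   # Service Request
FUNC_SRVRPLY = 2   # Service Reply
LANG_TAG = b"en"


def _slp_string(s: str) -> bytes:
    """16-bit-length-prefixed string field, as used throughout SLPv2 (RFC 2608)."""
    data = s.encode("utf-8")
    return struct.pack("!H", len(data)) + data


def _header(function_id: int, xid: int, body_len: int) -> bytes:
    """SLPv2 header: version(1) func(1) length(3) flags(2) next-ext-offset(3) XID(2) lang-len(2) lang-tag."""
    total = 12 + 2 + len(LANG_TAG) + body_len          # 12 fixed bytes + lang-tag length field + tag + body
    return (struct.pack("!BB", SLP_VERSION, function_id)
            + total.to_bytes(3, "big")
            + struct.pack("!H", 0)                       # flags: plain unicast request, no overflow/fresh/mcast
            + (0).to_bytes(3, "big")                     # no extensions
            + struct.pack("!H", xid)
            + struct.pack("!H", len(LANG_TAG)) + LANG_TAG)


def build_srvrqst(service_type: str = "service:wbem", scope: str = "DEFAULT", xid: int = 1) -> bytes:
    """SrvRqst body (RFC 2608 s8.1): PRList, service-type, scope-list, predicate, SLP SPI."""
    body = (_slp_string("")              # previous-responder list: empty
            + _slp_string(service_type)
            + _slp_string(scope)
            + _slp_string("")            # predicate: none
            + _slp_string(""))           # SLP SPI: none, i.e. unauthenticated request
    return _header(FUNC_SRVRQST, xid, len(body)) + body


def build_srvrply(urls, xid: int = 1, error_code: int = 0) -> bytes:
    """Constructed SrvRply (for offline testing): error-code(2) url-count(2) then URL entries."""
    body = struct.pack("!HH", error_code, len(urls))
    for url in urls:
        u = url.encode("utf-8")
        # URL entry: reserved(1) lifetime(2) url-len(2) url, then number of auth blocks (0 here)
        body += struct.pack("!BHH", 0, 0xFFFF, len(u)) + u + b"\x00"
    return _header(FUNC_SRVRPLY, xid, len(body)) + body


def parse_header(data: bytes) -> dict:
    """Decode the fixed SLPv2 header; raises ValueError if the datagram is not SLPv2-framed."""
    if len(data) < 14:
        raise ValueError("too short for an SLPv2 header")
    version, function_id = data[0], data[1]
    if version != SLP_VERSION:
        raise ValueError(f"not SLPv2 (version byte {version})")
    lang_len = struct.unpack("!H", data[12:14])[0]
    return {
        "version": version,
        "function": function_id,
        "length": int.from_bytes(data[2:5], "big"),
        "flags": struct.unpack("!H", data[5:7])[0],
        "xid": struct.unpack("!H", data[10:12])[0],
        "lang": data[14:14 + lang_len].decode("ascii", "replace"),
        "header_len": 14 + lang_len,
    }


def parse_reply(data: bytes) -> dict:
    """Parse any SLPv2 answer; for a SrvRply also extract the error code and advertised URLs."""
    info = parse_header(data)
    if info["function"] != FUNC_SRVRPLY:
        return info                                      # e.g. SAAdvert or DAAdvert: still proof SLP is up
    off = info["header_len"]
    info["error_code"], url_count = struct.unpack("!HH", data[off:off + 4])
    off += 4
    urls = []
    for _ in range(url_count):
        _lifetime, url_len = struct.unpack("!xHH", data[off:off + 5])   # skip reserved byte
        off += 5
        urls.append(data[off:off + url_len].decode("utf-8", "replace"))
        off += url_len
        num_auths = data[off]
        off += 1
        for _ in range(num_auths):                       # auth block: BSD(2) length(2) ...; length covers the block
            off += struct.unpack("!H", data[off + 2:off + 4])[0]
    info["urls"] = urls
    return info


def probe_slp(host: str, timeout: float = 2.0) -> Optional[dict]:
    """Send one benign SrvRqst to host:427/udp; any SLPv2 answer means the service is reachable."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_srvrqst(xid=0x1234), (host, SLP_PORT))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    return parse_reply(data)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "esxi01.example.test"   # assumed host name
    result = probe_slp(target)
    print(f"{target}: SLP {'EXPOSED ' + str(result) if result else 'not answering (good)'}")
```

A host that answers should be patched or, failing that, have slpd stopped and disabled and the CIMSLP firewall rule set turned off per VMware's published workaround; a host that does not answer from the management network may still answer from another interface, so run the probe from each network segment that can reach the ESXi hosts.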
Security experts from Sangfor FarSight Labs recommend the following:
Sangfor XDDR Security Framework has already updated protections for this threat: