
ESXiArgs VMware Ransomware: An Overview

February 10, 2023

ESXiArgs is ransomware that encrypts VMware ESXi virtual machines and demands payment in cryptocurrency. The attackers reveal the infection with a ransom message demanding payment. Here’s a typical example of a ransom note:

Security Alert!!!

We hacked your company successfully
All files have been stolen and encrypted by us
If you want to restore files or avoid file leaks, please send XX bitcoins to the wallet [address]

Attention!!!
Send money within 3 days, otherwise we will expose some data and raise the price
Don't try to decrypt important files, it may damage your files
Don't trust who can decrypt, they are liars, no one can decrypt without key file
If you don't send bitcoins, we will notify your customers of the data breach by email and text message
And sell your data to your opponents or criminals, data may be made release [sic]

New infections may not display a bitcoin address; the bad actors are probably leaving out a distinct address to evade investigations. Instead, the ransom directs victims to contact their attackers on TOX, a secure messaging service.

At Datarecovery.com, we’re investing heavily in the development of new recovery techniques for ransomware infections. We can also provide guidance to victims to limit the extent of attacks and to form effective disaster recovery strategies. 

If you’re addressing an ESXiArgs infection, call us at 1-800-237-4200 or submit a case online to discuss your options.

How does ESXiArgs spread?

At this time, it’s not clear how the newer variant infects its targets. We’re reviewing current cases to identify potential vulnerabilities.

Early versions of ESXiArgs exploited SLP (Service Location Protocol) to infect their targets or gained access via a vmtool.py backdoor. However, BleepingComputer reports that some infections have occurred with SLP disabled, and without the backdoor. 

ESXiArgs targets the following file extensions:

  • .vmdk
  • .vmx
  • .vmxf
  • .vmsd
  • .vmsn
  • .vswp
  • .vmss
  • .nvram
  • .vmem

Is data recovery possible after an ESXiArgs infection?

We strongly recommend working with professional data recovery engineers as soon as an infection has been identified — do not attempt recovery on your own without isolating the infected system.

Earlier versions of the ESXiArgs ransomware used an encryption method that could be addressed quickly and easily; a recovery script could recover most of the data. That script, ESXi-Args-Recover, is available as a free utility on GitHub.

This recovery technique was effective because early versions of ESXiArgs encrypted a small portion of each target file. The amount of skipped data rose with the size of the file, so larger virtual machines were left mostly untouched. 

However, in February 2023, the ransomware was updated to change the encryption method. That update also enabled the malware to target more data, potentially increasing the severity of infections. All files targeted by the new variant have 50% of their data encrypted, which makes recovery much more difficult.

Some key points to keep in mind:

  • Reinstalling ESXi will not remove the encryption.
  • Disabling SSH will not mitigate the attack.
  • Login attempt rules do not appear to mitigate attacks.
  • The ransomware appends infected files with the .args extension.
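
As an added triage example (not code from this article or from the ESXi-Args-Recover project), the script below takes a list of datastore paths and, using only the targeted-extension list and the appended .args suffix described above, reports per VM directory which targeted files are encrypted and which are still intact. The sample paths are constructed for illustration.

```python
"""Post-infection inventory of an ESXi datastore for ESXiArgs triage.

Added example; it relies only on two facts from the article: the list of
targeted extensions and that encrypted files get ".args" appended.
"""
from collections import defaultdict
from pathlib import PurePosixPath

# Extensions the article lists as targets of ESXiArgs.
TARGETED_EXTENSIONS = {".vmdk", ".vmx", ".vmxf", ".vmsd", ".vmsn",
                       ".vswp", ".vmss", ".nvram", ".vmem"}
ENCRYPTED_SUFFIX = ".args"   # appended to the original name, e.g. disk.vmdk.args

# Constructed sample listing (not real data): one hit VM, one untouched VM.
SAMPLE_PATHS = [
    "/vmfs/volumes/ds1/web01/web01.vmx.args",
    "/vmfs/volumes/ds1/web01/web01.vmdk.args",
    "/vmfs/volumes/ds1/web01/web01-flat.vmdk",
    "/vmfs/volumes/ds1/web01/web01.vmsd.args",
    "/vmfs/volumes/ds1/web01/vmware.log",
    "/vmfs/volumes/ds1/db02/db02.vmx",
    "/vmfs/volumes/ds1/db02/db02.vmdk",
    "/vmfs/volumes/ds1/db02/db02-flat.vmdk",
    "/vmfs/volumes/ds1/iso/ubuntu.iso",
]


def classify(path):
    """Return (vm_dir, original_name, encrypted) for one datastore path."""
    p = PurePosixPath(path)
    if p.suffix == ENCRYPTED_SUFFIX:
        return str(p.parent), p.with_suffix("").name, True   # strip .args
    return str(p.parent), p.name, False


def triage(paths):
    """Group targeted files by VM directory into encrypted / intact sets.
    Files whose original extension is not targeted are ignored."""
    report = defaultdict(lambda: {"encrypted": set(), "intact": set()})
    for path in paths:
        vm_dir, name, encrypted = classify(path)
        if PurePosixPath(name).suffix not in TARGETED_EXTENSIONS:
            continue
        report[vm_dir]["encrypted" if encrypted else "intact"].add(name)
    return dict(report)


def affected_vms(report):
    """VM directories with at least one encrypted targeted file."""
    return sorted(d for d, r in report.items() if r["encrypted"])


if __name__ == "__main__":
    result = triage(SAMPLE_PATHS)
    for vm_dir in affected_vms(result):
        print(vm_dir, "encrypted:", sorted(result[vm_dir]["encrypted"]),
              "intact:", sorted(result[vm_dir]["intact"]))
```

Feed it the output of a recursive listing of /vmfs/volumes from an isolated host; intact targeted files beside encrypted ones are the first candidates to preserve before any recovery attempt.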

Unfortunately, most recent ESXiArgs infections use the newer version of the ransomware. Here’s the good news: because the newer variant encrypts more data, encryption takes longer to complete, so administrators may have more time to recognize the infection and limit the extent of the damage. The recovery script may also be effective in a small percentage of cases.

If you’ve lost data due to ransomware, we’re here to help. 

With risk-free evaluations and fully outfitted laboratories at every location, Datarecovery.com provides expert ransomware solutions to help you get your business back up and running. 

Submit a case online or call us at 1-800-237-4200 to get started.