ESXWhy: A Look at ESXiArgs Ransomware
ID: 2221612c-e6cb-51a6-a457-e6ec395f29f2
STIX ID: report--2221612c-e6cb-51a6-a457-e6ec395f29f2
Feed Name: Censys Blog
Date Published: 2023-02-09
Date Updated: 2026-04-27
Author: Ivonne Francia; The Censys Research Team
**Executive summary:** The Censys ARC report documents the ESXiArgs ransomware campaign of early February 2023, which exploits an OpenSLP heap-overflow vulnerability in VMware ESXi (CVE-2021-21974, patched by VMware in February 2021) to encrypt virtual machine files on internet-facing ESXi hosts that still expose the SLP service. Censys observed thousands of infected hosts (peaking at roughly 3,500 to 3,800), concentrated in France and on OVH infrastructure. The campaign has since evolved: a second variant encrypts a larger share of each file, which undermines the early recovery scripts, and drops the Bitcoin addresses from its ransom notes to make payment tracking harder. Roughly $88k in payments had been observed at the time of writing, while defenders published decryptors and mitigations (patching, and disabling or firewalling SLP on ESXi hosts).
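As an added triage check, not code from the Censys post or the Censys team, the script below walks a datastore tree and reports the on-disk indicators of an ESXiArgs infection. The indicator names it looks for (the `.args` suffix appended to encrypted VM files, and the ransom notes `ransom.html` and `How to Restore Your Files.html`) come from public reporting on this campaign, not from this page; the sample datastore it builds under a temporary directory is constructed for the demonstration. The "recoverable VM" heuristic reflects why the early recovery scripts worked at all: the first variant encrypted the small descriptor `.vmdk` but left the large `-flat.vmdk` substantially intact, so a directory with an encrypted descriptor beside an untouched flat file is a candidate for the public recovery procedure.

```python
"""Triage a datastore tree for ESXiArgs indicators.

Added example, not code from the Censys post. Indicator names (the .args
suffix and the two ransom note filenames) come from public reporting on the
campaign, not from this page. The sample tree is constructed for the demo.
"""
import os
import tempfile
from dataclasses import dataclass, field

ENCRYPTED_SUFFIX = ".args"
RANSOM_NOTES = {"ransom.html", "How to Restore Your Files.html"}


@dataclass
class Findings:
    encrypted: list = field(default_factory=list)       # files carrying .args
    notes: list = field(default_factory=list)           # ransom notes found
    recoverable_vms: list = field(default_factory=list)  # dirs worth a recovery attempt


def scan_datastore(root: str) -> Findings:
    """Walk `root` and collect ESXiArgs indicators per VM directory."""
    found = Findings()
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if name in RANSOM_NOTES:
                found.notes.append(path)
            elif name.endswith(ENCRYPTED_SUFFIX):
                found.encrypted.append(path)
        # Recovery heuristic: an encrypted descriptor .vmdk (not the -flat file)
        # next to an intact -flat.vmdk means the VM's data may still be rebuilt.
        enc_descriptor = any(
            n.endswith(".vmdk.args") and not n.endswith("-flat.vmdk.args")
            for n in files
        )
        intact_flat = any(n.endswith("-flat.vmdk") for n in files)
        if enc_descriptor and intact_flat:
            found.recoverable_vms.append(dirpath)
    return found


def build_sample_datastore() -> str:
    """Create a constructed datastore tree: one hit VM, one clean VM, one note."""
    root = tempfile.mkdtemp(prefix="esxiargs-demo-")
    layout = {
        "vm1": ["vm1.vmx.args", "vm1.vmdk.args", "vm1-flat.vmdk"],   # encrypted
        "vm2": ["vm2.vmx", "vm2.vmdk", "vm2-flat.vmdk"],             # untouched
    }
    for vm, names in layout.items():
        vm_dir = os.path.join(root, vm)
        os.makedirs(vm_dir)
        for n in names:
            with open(os.path.join(vm_dir, n), "wb") as fh:
                fh.write(b"sample bytes")  # constructed placeholder content
    with open(os.path.join(root, "ransom.html"), "w") as fh:
        fh.write("<html>constructed sample note</html>\n")
    return root


def main() -> None:
    root = build_sample_datastore()
    found = scan_datastore(root)
    print(f"scanned {root}")
    print(f"encrypted files : {len(found.encrypted)}")
    print(f"ransom notes    : {len(found.notes)}")
    print(f"recovery candidates: {found.recoverable_vms}")


if __name__ == "__main__":
    main()
```

Run it against a real datastore mount point instead of the constructed tree (for example `/vmfs/volumes/<datastore>` on the host, or a copy taken for forensics) to get the list of encrypted files, notes and VM directories to prioritise; the heuristic only says a recovery attempt is worth trying, not that it will succeed, since the second variant encrypts more of each file.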
