Analysis of Files Used in ESXiArgs Ransomware Attack Against VMware ESXi Servers

ID: 81746119-5272-5cce-8a9f-f4b67e28ee96

STIX ID: report--81746119-5272-5cce-8a9f-f4b67e28ee96

Feed Name: CloudSEK Blog

Threat Score
85/100

Date Published: 2023-02-09

Date Updated: 2026-04-27

Threat actors exploited CVE-2021-21974 in VMware ESXi to deploy the ESXiArgs ransomware. The attack chain consists of a Bash script (encrypt.sh) that prepares targets, renames VM files, kills VM processes, hides traces, and drops a compiled ELF payload (encrypt) which uses an RSA public key and the Sosemanuk stream cipher to encrypt VM-related files. The report provides a technical analysis, IoCs (file hashes, BTC addresses), YARA rules, and OSINT on the scale of infections, and recommends patching and maintaining backups.