There is a massive vulnerability being actively exploited on ESXi hosts. We recommend that you either disable the CIM SLP service via the SSH shell or follow the steps below in the ESXi GUI. Once the service has been disabled via the shell, it appears grayed out in the GUI (see below).
Instructions to Fix with SSH Access
Log in via SSH and run the following commands:
$ /etc/init.d/slpd stop
$ esxcli network firewall ruleset set -r CIMSLP -e 0
$ chkconfig slpd off
Verify that it has been disabled using the following command:
$ esxcli system slp stats get
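The three commands above change two persistent states on the host: the CIMSLP firewall ruleset and the slpd boot setting. The script below is an added example (not part of the original post) that audits both so the fix can be confirmed on each host, or re-checked later in case something re-enables the service. It parses the output of `esxcli network firewall ruleset list` (assumed to be a two-column "Name / Enabled" table) and `chkconfig --list` (assumed to print "slpd on" or "slpd off" lines); both formats are assumptions about the ESXi shell, so confirm them on your build. The sample inputs in the usage section are constructed.

```shell
#!/bin/sh
# Added example, not from the original post. Audit helpers for the SLP fix:
# each function reads command output on stdin and returns
#   0 = disabled (good), 1 = still enabled, 2 = entry not found in the output.
# Output formats assumed (verify on your ESXi build):
#   esxcli network firewall ruleset list  ->  "Name Enabled" table, e.g. "CIMSLP true"
#   chkconfig --list                      ->  "<service> on|off" lines, e.g. "slpd off"

# Is the CIMSLP firewall ruleset disabled? (reads ruleset-list output on stdin)
cimslp_ruleset_disabled() {
    awk '$1 == "CIMSLP" { found = 1; if ($2 == "true") enabled = 1 }
         END { if (!found) exit 2; exit (enabled ? 1 : 0) }'
}

# Is slpd prevented from starting at boot? (reads chkconfig --list output on stdin)
slpd_boot_disabled() {
    awk '$1 == "slpd" { found = 1; if ($2 == "on") on = 1 }
         END { if (!found) exit 2; exit (on ? 1 : 0) }'
}

# Print a human-readable verdict for one check result code.
report() {
    # $1 = label, $2 = return code from one of the functions above
    case "$2" in
        0) echo "OK   : $1 disabled" ;;
        1) echo "FAIL : $1 STILL ENABLED" ;;
        *) echo "WARN : $1 not found in command output" ;;
    esac
}

# Live audit: only runs when the ESXi tools are present on this host.
if command -v esxcli >/dev/null 2>&1 && command -v chkconfig >/dev/null 2>&1; then
    esxcli network firewall ruleset list | cimslp_ruleset_disabled; report "CIMSLP firewall ruleset" $?
    chkconfig --list | slpd_boot_disabled; report "slpd boot start" $?
fi
```

Run it from the SSH shell after the three fix commands; both lines should read "OK". A "WARN" for the ruleset means the table format differs from the one assumed here, so inspect `esxcli network firewall ruleset list` by hand rather than trusting the script.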
Instructions to fix with GUI Access
Log in to your ESXi host, go to Networking and then to the Firewall rules tab, right-click the following service, and disable it.
ESXi Ransomware Images & Research
These are screens we have acquired from machines we are helping to fix, for educational purposes only.
Ransomware VMDK encrypted
This is what the datastore directory will look like; none of the files will register as VMs.
Ransomware SSH Shell Screen