ESXi Security Advisory
Posted by Autumn M on 03 February 2023 02:37 PM
We have been made aware of a recent rash of unpatched, public-facing ESXi instances that are being compromised with ransomware. The attacks have been confirmed on all versions of ESXi, both supported and EOL. No internal Turnkey systems have been affected by this vulnerability.

How to tell if you're affected

It is highly recommended that you review these two articles in depth, which relate to investigating malicious VIBs and processes within an ESXi environment:

https://www.mandiant.com/resources/blog/esxi-hypervisors-malware-persistence
https://www.mandiant.com/resources/blog/esxi-hypervisors-detection-hardening

The following security advisory from VMware also gives a conceptual overview of how these exploits are being leveraged:

https://www.vmware.com/security/advisories/VMSA-2022-0030.html

How to fix the vulnerability

Per the VMware Security Advisory VMSA-2022-0030, it is recommended that all versions of ESXi be backed up and patched immediately. If a hypervisor has already been compromised, the recommended course of action is to wipe the server completely and reinstall a fresh, patched copy of the OS.

How to protect yourself from ransomware

By far the most robust protection you can have against ransomware is an adequate backup solution. Turnkey Internet offers R1Soft backup solutions, which can perform filesystem and database backups of your Linux or Windows VMs. For more information, visit https://turnkeyinternet.net/backups
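As an added example (not part of this advisory, the Mandiant articles, or any VMware tooling), the script below performs a first triage pass over the output of `esxcli software vib list`, listing installed VIBs whose acceptance level is not one of the VMware-signed levels so they can be reviewed. The sample output is constructed to mimic the five-column layout; a non-VMware acceptance level is a reason to look closer, not proof of compromise, and a VMware-signed level reported by the host is not proof of integrity either.

```python
# Added example: triage `esxcli software vib list` output for VIBs that
# do not carry a VMware-signed acceptance level. The sample below is
# constructed (names, versions and dates are illustrative only).
SAMPLE_VIB_LIST = """\
Name            Version                      Vendor  Acceptance Level    Install Date
--------------  ---------------------------  ------  ------------------  ------------
esx-base        7.0.3-0.35.19193900          VMware  VMwareCertified     2022-01-14
esx-ui          1.34.8-18558979              VMware  VMwareCertified     2022-01-14
lsi-mr3         7.716.03.00-1vmw.703.0.20    VMW     VMwareCertified     2022-01-14
net-ixgbe       4.5.3-1OEM.700.1.0.15843807  INT     PartnerSupported    2022-01-14
vmw-esxi-tools  1.0-1                        VMware  CommunitySupported  2022-10-02
"""

# Acceptance levels that are signed by VMware itself; PartnerSupported and
# CommunitySupported VIBs are signed by someone else or not at all.
VMWARE_SIGNED = {"VMwareCertified", "VMwareAccepted"}
# Vendor strings VMware uses for its own VIBs (assumption for this example).
VMWARE_VENDORS = {"VMware", "VMW"}


def parse_vib_list(text):
    """Parse the table into dicts. VIB names, versions, vendors, levels and
    dates contain no spaces, so whitespace splitting is sufficient; extra
    trailing columns (e.g. Platforms on newer hosts) are ignored."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    vibs = []
    for row in lines[2:]:  # skip header and dashed separator
        name, version, vendor, level, installed = row.split()[:5]
        vibs.append({"name": name, "version": version, "vendor": vendor,
                     "level": level, "installed": installed})
    return vibs


def vibs_to_review(text):
    """Return (name, vendor, level, reason) for every VIB that is not
    VMware-signed, with a sharper reason when the vendor field claims
    VMware but the acceptance level says otherwise."""
    findings = []
    for vib in parse_vib_list(text):
        if vib["level"] in VMWARE_SIGNED:
            continue
        reason = "not VMware-signed; confirm source and install date"
        if vib["vendor"] in VMWARE_VENDORS:
            reason = "vendor claims VMware but acceptance level is not VMware-signed"
        findings.append((vib["name"], vib["vendor"], vib["level"], reason))
    return findings


if __name__ == "__main__":
    for name, vendor, level, reason in vibs_to_review(SAMPLE_VIB_LIST):
        print(f"{name:16} {vendor:8} {level:20} {reason}")
```

On a real host, feed the script the saved output of `esxcli software vib list` and compare install dates against your change records.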