CISA Releases Recovery Script for Victims of ESXiArgs Ransomware

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for victims of the ESXiArgs ransomware variant that affected thousands of organizations worldwide this week.

CISA’s ESXiArgs-Recover tool is available for free on GitHub and organizations can use it to attempt the recovery of configuration files on vulnerable VMware ESXi servers that the ransomware variant might have encrypted. Some organizations that used the tool have successfully recovered their encrypted files without having to pay a ransom, the agency noted.

However, any cybersecurity team that plans to use the tool should first make sure they understand how it works before attempting to recover files that ESXiArgs might have encrypted, CISA cautioned. “CISA recommends organizations impacted by ESXiArgs evaluate the script and guidance provided in the accompanying README file to determine if it is [a] fit” for their environments, it noted.

ESXiArgs is a ransomware variant that France’s Computer Emergency Response Team (CERT) first spotted Feb. 3 targeting VMware ESXi hypervisors worldwide. The malware exploits a two-year-old — and long-patched — remote code execution vulnerability (CVE-2021-21974) in Open Service Location Protocol (OpenSLP), an ESXi service for resolving network addresses.

What is ESXiArgs?

ESXiArgs has already infected more than 3,000 unpatched servers in the US, Canada, and multiple other countries. Victims have reported receiving a ransom demand of around 2 Bitcoin (or around $22,800 at press time) for the decryption key. Affected organizations have also reported the threat actor behind the campaign warning them to pay up within three days or risk having their sensitive information released publicly.

Security researchers who have analyzed ESXiArgs describe the malware’s encryption process as specifically targeting virtual machine files so as to render the system unusable. In an alert earlier this week, Rapid7 reported the malware was trying to shut down virtual machines by killing a specific process in the virtual machine kernel that handles I/O commands. In some cases, though, the malware was only partially successful in encrypting files and gave victims a chance to recover data, according to Rapid7.

In a Feb. 8 update, Rapid7 said its threat intelligence shows that multiple ransomware groups, in addition to the operator of ESXiArgs, are targeting CVE-2021-21974 and other VMware ESXi vulnerabilities.

Recovery Tool Based on Published Information

CISA’s recovery script is based on the work of two security researchers — Enes Sonmez and Ahmet Aykac — who showed how victims of ESXiArgs could reconstruct virtual machine metadata from disks that the ransomware might have failed to encrypt.

“This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA said. “While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit.”
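To illustrate the reconstruction idea the researchers and CISA describe, here is an added Python example (not CISA’s ESXiArgs-Recover script, which runs on the ESXi host itself): it regenerates a VMDK descriptor for a large “-flat.vmdk” extent that the ransomware left intact, and refuses to overwrite any existing file. The disk geometry, adapter type and hardware version are assumed values for a typical LSI Logic disk, and the 40 GiB sample size is constructed.

```python
import os
import re

SECTOR = 512           # bytes per sector
HEADS, SPT = 255, 63   # assumed geometry used by ESXi for large disks


def descriptor_for_flat(flat_name: str, flat_size: int, hw_version: int = 14) -> str:
    """Build VMDK descriptor text pointing at an existing flat extent.

    Only the extent size is derived from the surviving data; adapter type,
    geometry and virtualHWVersion are assumptions for a common LSI Logic disk.
    """
    if flat_size <= 0 or flat_size % SECTOR:
        raise ValueError("flat extent size must be a positive multiple of 512 bytes")
    if not flat_name.endswith("-flat.vmdk"):
        raise ValueError("expected a '-flat.vmdk' extent name")
    sectors = flat_size // SECTOR
    cylinders = sectors // (HEADS * SPT)
    return "\n".join([
        "# Disk DescriptorFile", "version=1", 'encoding="UTF-8"',
        "CID=fffffffe", "parentCID=ffffffff", 'createType="vmfs"', "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat_name}"', "",
        "# The Disk Data Base", "#DDB", "",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        f'ddb.virtualHWVersion = "{hw_version}"', "",
    ])


def extent_sectors(descriptor: str) -> int:
    """Parse the RW extent line back out, to verify a rebuilt descriptor."""
    m = re.search(r"^RW (\d+) VMFS ", descriptor, re.M)
    if not m:
        raise ValueError("no VMFS extent line found")
    return int(m.group(1))


def write_descriptor(flat_path: str) -> str:
    """Write <vm>.vmdk beside <vm>-flat.vmdk; never clobber an existing file."""
    out = flat_path[: -len("-flat.vmdk")] + ".vmdk"
    if os.path.exists(out):
        raise FileExistsError(f"{out} already exists; inspect it before replacing")
    text = descriptor_for_flat(os.path.basename(flat_path), os.path.getsize(flat_path))
    with open(out, "w", encoding="utf-8") as fh:
        fh.write(text)
    return out


if __name__ == "__main__":
    print(descriptor_for_flat("web01-flat.vmdk", 40 * 1024**3))  # constructed sample
```

The real recovery procedure also needs the VM’s .vmx and other config files; this block only shows the descriptor half of the problem.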

VMware itself has urged organizations to implement the patch it issued two years ago for the flaw that ESXiArgs is exploiting. As a temporary measure, organizations that have not patched the flaw should disable ESXi’s service location protocol (SLP) to mitigate the risk of attack via ESXiArgs, VMware said. Another measure: Disable port 427 (the one SLP uses), where possible, Singapore’s SingCERT advised in a notice.
