Just a week after the Cybersecurity and Infrastructure Security Agency (CISA) released its recovery script against ransomware targeting VMWare ESXi virtual machines, a modified version of the malware is already in circulation that renders the decryptor script useless.
So far, around 3,800 servers across the globe have already fallen victim to EXSiArgs ransomware, CISA and the FBI warn.
“Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB,” researchers at Malwarebytes said in a new report on the ESXi vulnerability. “This ensures that all files larger than 128MB are encrypted for 50%. Files under 128MB are fully encrypted which was also the case in the old variant.”
Targets of ESXi-Args ransomware can tell if they are infected with the new variant if the ransom note directs the victim to contact the threat actor via the TOX encrypted messenger, the report added. The ransom note from the old ESXiArgs variant that can be mitigated by the CISA-issued decryptor includes a Bitcoin address.