Ransomware has hit 3,800 servers, but CISA says this tool might help

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have released a joint advisory warning about an ongoing ESXiArgs ransomware campaign targeting unpatched and out-of-service or out-of-date versions of the VMware ESXi hypervisor for virtual machines (VMs).  

According to CISA, 3,800 VMware ESXi servers have been compromises globally, potentially leaving VMs running from the ESXi server unusable.

Also: Microsoft: We are tracking these 100 active ransomware gangs using 50 types of malware

VMware this week warned enterprises to update ESXi servers to supported versions of the hypervisor. It also noted the attacks exploited previously disclosed bugs and provided a workaround it gave in December for disabling the Service Location Protocol (SLP) on VMware ESXi. The patches, released in 2021, address the critical bug tracked as CVE-2021-21974, which affected the SLP component in ESXi. 

The ESXiArgs ransomware appears to have started targeting servers in Europe from around February 3 but has since spread to North America. 

France’s computer emergency response team (CERT) advised organizations to isolate affected servers, reinstall a supported version of ESXi 7.x or ESXi 8.x, and apply any patches. 

CISA and FBI encouraged those with VMware ESXi servers to update them to the latest version of ESXi, harden ESXi hypervisors by disabling the SLP service, and ensure the ESXi hypervisor is not exposed to the public internet. 

CISA published the recovery script on its GitHub account, explaining how it works by reconstructing VM metadata from virtual disks that were not encrypted by the malware.

The ransomware is reported to encrypt .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem files on compromised servers. It can render VMs unusable because it encrypts configurations files linked to VMs. But the script can work for recovery by using the unencrypted flat file.

“CISA is aware that some organizations have reported success in recovering files without paying ransoms,” it notes. The script is based on publicly available resources and a tutorial by Enes Sonmez and Ahmet Aykac. 

Still, CISA warns that organizations need to review the script to see if it’s suited to their environment before deploying it. CISA accepts no responsibility for machines damaged during recovery attempts. 

Also: Cybersecurity staff are struggling. Here’s how to support them better

“This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script,” the agency notes.