CISA releases ESXiArgs ransomware recovery script

According to the latest data, the number of ESXiArgs ransomware victims has surpassed 3,800, and CISA has published a recovery script for victim organizations.

ESXiArgs ransomware recovery

Fixing the mess

The attacks started late last week and are still ongoing.

Investigations point to a new family of ransomware dubbed ESXiArgs by the researchers – though, according to Paul Ducklin, Sophos Head of Technology for the Asia Pacific region, it should be just Args, as it’s a Linux program that can be used against more than just VMWare ESXi systems and files.

The malware attempts to kill off running virtual machines, export an ESXi filesystem volume list, find important VMWare files for each volume, and call a general-purpose file scrambling tool for each file found, Ducklin explained.

But according to different sources, the first step of the process occasionally fails, and the encryption process is limited to a small chunk of data within files.

“Depending of your VM OS and file system type, you might be able to recover data with data revery tools, at least partially. Be carefull, this tools might have irreversible action on the file so, we recommend to copy the VM files on an other location to protect the data before trying any recovery operation,” warned Julien Levrard, CISO at OVHcloud.

To help organizations recover virtual machines affected by the ESXiArgs ransomware attacks, CISA has released a recovery script based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team.

“The tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA explained, but warned that organizations using it review it before deploying it, to determine if it is appropriate for their environment.

Preventing similar attacks

According to a recent list compiled by CISA technical advisor Jack Cable by combining the results of Censys’s scanning of internet-facing systems and a collection of Bitcoin addresses compiled by crowdsourced ransomware payment tracker Somewhere, over 3,800 systems have been hit by the ransomware.

VMware says they have “not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.”

The French CERT says that the attackers are exploiting CVE-2021-21974, but possibly also an older vulnerability (CVE-2020-3992), to gain access to target systems. Both flaws affect ESXi’s SLP service, and VMware released patches for them years ago.

“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7,” the CERT said. VMware advises users for upgrade to a supported version (ESXi 7.x or ESXi 8.x), implement any security patches provided and/or disabling the SLP service (and other unnecessary services). The company also noted that “in 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”

UPDATE (February 9, 2023, 04:30 a.m. ET):

As a companion to the ESXiArgs recovery script released on Wednesday, CISA and the FBI have published a joint cybersecurity advisory offering guidance on to use the script and recover systems.

But, they warned, the script only serves as a method to recover essential services.

“Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script: review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity, and review traffic from network segments occupied by the ESXi hosts and guests,” they advised.

“Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.”

Unfortunately, there’s also some unwelcome news: The attackers have started using a new ESXiArgs version that encrypts a bigger portion of the targeted files, making the recovery script obsolete.

Don't miss