The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to help administrators recover VMware ESXi servers hit by the recent ESXiArgs ransomware attack. The attack, which began last Friday, encrypted 2,800 servers according to a list of bitcoin addresses collected by CISA technical advisor Jack Cable. It was nonetheless largely unsuccessful, because the threat actors failed to encrypt the flat files that hold the actual data of the virtual disks. That mistake allowed Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team to develop a method for rebuilding virtual machines from the unencrypted flat files.

To simplify that recovery, CISA published an ESXiArgs-Recover script on GitHub that automates the process. The script cleans up the encrypted files and then attempts to rebuild the virtual machines; if it succeeds, the recovered virtual machine can be re-registered in VMware ESXi to restore access to it.

CISA urges administrators to review the script before running it so they understand what it does and can avoid complications. CISA also accepts no liability for any damage the script may cause, so users should create backups before attempting recovery.
This Cyber News was published on www.bleepingcomputer.com. Publication date: Wed, 08 Feb 2023 01:55:02 +0000