The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a tool to help organizations hit by ESXiArgs ransomware. The open-source script, called ESXiArgs-Recover, is designed to help victims recover virtual machines affected by the ongoing ESXiArgs campaign. CISA built it from publicly available resources, including a recovery tutorial by Enes Sonmez and Ahmet Aykac.

The recovery is possible because the malware encrypts only the VMs' small configuration and metadata files, while the large virtual-disk data files are left unencrypted; the script rebuilds the missing configuration from that untouched data. It does not delete the encrypted config files, but creates new ones alongside them so the VMs can be accessed again. Organizations should review the script to make sure it is suitable for their environment before running it.

As previously reported, the threat actors are exploiting a high-severity ESXi remote code execution vulnerability that VMware patched in 2021. The flaw, tracked as CVE-2021-21974, lies in the OpenSLP service and is being used to deploy file-encrypting malware targeting VMs. The attackers are threatening to leak stolen data, but no leak has surfaced so far. According to Ransomwhere, a ransomware payment tracker, about 3,800 victims have been hit in this attack wave, and four ransom payments totaling roughly $88,000 have been made.

VMware has advised customers to upgrade to the latest vSphere components and to disable the OpenSLP service in ESXi. The ESXiArgs malware has not yet been attributed to any known ransomware group, though the encryptor may be derived from the Babuk source code leaked in 2021.
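The recovery principle described above, as an added illustration that is not CISA's script and not the tutorial's code: when a VM's `.vmdk` descriptor has been encrypted but its `-flat.vmdk` data file survived, a plain VMFS descriptor can be regenerated from the flat file's size alone, since the descriptor is just text pointing at the extent. The `rebuild_descriptor` and `descriptor_for` functions, the file names and the 255/63 geometry are assumptions for this example; it only writes the disk descriptor and leaves the encrypted file in place, so rebuilding the `.vmx` and re-registering the VM remain separate steps.

```shell
#!/bin/sh
# Illustrative descriptor rebuild for an ESXiArgs-style case (example code,
# not CISA's ESXiArgs-Recover): the -flat.vmdk survived, the .vmdk descriptor
# did not. We regenerate a monolithic-flat VMFS descriptor from the flat file.
set -eu

# descriptor_for <flat-file>: print a VMFS descriptor for <flat-file> on stdout.
descriptor_for() {
    flat="$1"
    [ -f "$flat" ] || { echo "no such flat file: $flat" >&2; return 1; }
    # wc output is trimmed because some implementations pad it with spaces
    bytes=$(wc -c < "$flat" | tr -d ' ')
    # VMDK extents are measured in 512-byte sectors; a flat file that is not
    # sector aligned is not a disk image we should describe.
    [ $((bytes % 512)) -eq 0 ] || { echo "size of $flat is not sector aligned" >&2; return 1; }
    sectors=$((bytes / 512))
    # Assumed geometry: 255 heads x 63 sectors per track (16065 sectors/cylinder)
    cylinders=$((sectors / 16065))
    cat <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $sectors VMFS "$(basename "$flat")"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cylinders"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "14"
EOF
}

# rebuild_descriptor <name>-flat.vmdk: write <name>.vmdk next to the flat file
# and print its path. Refuses to overwrite, so an encrypted descriptor must be
# moved aside (not deleted) before the rebuilt one can take its place.
rebuild_descriptor() {
    flat="$1"
    case "$flat" in
        *-flat.vmdk) ;;
        *) echo "expected a -flat.vmdk file, got: $flat" >&2; return 1 ;;
    esac
    desc="${flat%-flat.vmdk}.vmdk"
    if [ -e "$desc" ]; then
        echo "refusing to overwrite existing $desc; move it aside first" >&2
        return 1
    fi
    descriptor_for "$flat" > "$desc"
    echo "$desc"
}

# Usage: sh rebuild_vmdk.sh /vmfs/volumes/<datastore>/<vm>/<vm>-flat.vmdk
[ $# -eq 0 ] || rebuild_descriptor "$1"
```

Run it against a copy first and confirm the rebuilt descriptor's `RW` sector count matches the flat file before pointing a VM at it; a descriptor that disagrees with the extent size will fail to open rather than corrupt data, which is the safe failure mode.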
This Cyber News was published on www.hackread.com. Publication date: Thu, 09 Feb 2023 10:30:03 +0000