The US Cybersecurity and Infrastructure Security Agency (CISA) has released a free tool to help organizations hit by the ESXiArgs ransomware campaign. The attacks, first observed on February 3, exploit a high-severity vulnerability in VMware's ESXi hypervisor, widely attributed to CVE-2021-21974, a heap overflow in the OpenSLP service that VMware patched in February 2021. Every compromised host was therefore missing a fix that had been available for almost two years. The attackers use the flaw to drop file-encrypting malware that targets virtual machine files, and they also claim to have stolen data, though no evidence of exfiltration has surfaced so far.

Roughly 2,000 ESXi servers are currently known to be compromised. That number has been falling, which suggests affected organizations are cleaning up. The malware goes after the files that make up a VM (.vmx, .vmxf, .vmsd, .nvram and .vmdk), but in many cases it only encrypts the small configuration files, including the .vmdk descriptor, and leaves the large -flat.vmdk files that actually hold the disk contents untouched. Where that is the case, victims can rebuild the missing configuration around the intact disk data and recover their VMs without paying.

Enes Sonmez and Ahmet Aykac documented the manual steps for doing this, and CISA combined their tutorial with other publicly available resources into the ESXiArgs ransomware recovery tool. The script does not delete the encrypted configuration files; it creates new ones alongside them so the VMs can be registered and accessed again. Files whose contents were actually encrypted cannot be recovered. CISA provides the script as is, so it should be reviewed and the datastore backed up before it is run, and recovering the VMs does nothing about the initial access: hosts still need to be patched and the SLP service disabled or firewalled.

ESXiArgs has not been tied to any known ransomware group, though some researchers believe it was derived from the Babuk source code that leaked in 2021.
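As an added example, not CISA's script or the Sonmez/Aykac tutorial, the following Python program shows the triage and rebuild logic that recovery of this kind relies on: walk a datastore, decide for each virtual disk whether only the descriptor was hit or the data file too, and write a fresh VMFS descriptor over an intact -flat.vmdk. It assumes the ESXiArgs encryptor left a `<file>.args` sidecar next to each file it encrypted (that sidecar is used here as the only "was this encrypted" signal), uses the 255-head, 63-sector geometry vmkfstools applies to VMFS disks, and builds a constructed sample datastore with hypothetical VM names (web01, db01, build01) in a temporary directory so it runs offline. On a real host you would regenerate the descriptor with `vmkfstools -c` and register the VM with `vim-cmd`; the point of the hand-written descriptor is to show what those steps produce.

```python
"""Triage a VMFS datastore after an ESXiArgs-style incident and regenerate
VMDK descriptors for disks whose -flat.vmdk data file survived.

Added example, not CISA's tool. Assumptions are marked in comments.
"""
import os
from pathlib import Path
from tempfile import mkdtemp

SECTOR_BYTES = 512
HEADS, SECTORS_PER_TRACK = 255, 63  # geometry vmkfstools uses for VMFS disks

# Minimal descriptor of the shape `vmkfstools -c` writes for a VMFS disk.
DESCRIPTOR = """# Disk DescriptorFile
version=1
encoding="UTF-8"
CID={cid}
parentCID=ffffffff
createType="vmfs"

# Extent description
RW {sectors} VMFS "{flat_name}"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "{cylinders}"
ddb.geometry.heads = "{heads}"
ddb.geometry.sectors = "{spt}"
ddb.thinProvisioned = "1"
"""


def is_encrypted(path: Path) -> bool:
    """Assumption: ESXiArgs wrote '<name>.args' beside every file it encrypted."""
    return path.with_name(path.name + ".args").exists()


def triage_vm(vm_dir: Path) -> dict:
    """Classify every descriptor VMDK in one VM folder (snapshot deltas are out of scope)."""
    result = {}
    for desc in sorted(vm_dir.glob("*.vmdk")):
        if desc.name.endswith("-flat.vmdk"):
            continue
        flat = desc.with_name(desc.stem + "-flat.vmdk")
        if not flat.exists():
            status = "missing_flat"       # nothing to rebuild on top of
        elif is_encrypted(flat):
            status = "flat_encrypted"     # data file was touched: no clean recovery
        elif is_encrypted(desc):
            status = "recoverable"        # only the descriptor was hit
        else:
            status = "intact"
        result[desc.name] = status
    return result


def triage_datastore(datastore: Path) -> dict:
    return {vm.name: triage_vm(vm) for vm in sorted(datastore.iterdir()) if vm.is_dir()}


def build_descriptor(flat: Path) -> str:
    """Derive extent size and geometry from the surviving flat file alone."""
    sectors = flat.stat().st_size // SECTOR_BYTES
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    return DESCRIPTOR.format(cid=os.urandom(4).hex(), sectors=sectors,
                             flat_name=flat.name, cylinders=cylinders,
                             heads=HEADS, spt=SECTORS_PER_TRACK)


def recover_datastore(datastore: Path) -> list:
    """Rebuild descriptors for 'recoverable' disks; keep the encrypted originals."""
    recovered = []
    for vm_name, disks in triage_datastore(datastore).items():
        for desc_name, status in disks.items():
            if status != "recoverable":
                continue
            desc = datastore / vm_name / desc_name
            flat = desc.with_name(desc.stem + "-flat.vmdk")
            sidecar = desc.with_name(desc.name + ".args")
            # Move, never delete: the encrypted files stay available for forensics.
            desc.rename(desc.with_name(desc.name + ".encrypted"))
            sidecar.rename(desc.with_name(desc.name + ".encrypted.args"))
            desc.write_text(build_descriptor(flat))
            recovered.append(f"{vm_name}/{desc_name}")
    return recovered


def build_sample_datastore() -> Path:
    """Constructed sample: three hypothetical VMs in a temp dir (not real data)."""
    ds = Path(mkdtemp(prefix="datastore1-"))

    def sparse(path: Path, size: int) -> None:
        with path.open("wb") as f:
            f.truncate(size)  # sparse 64 MiB stand-in for a disk image

    def encrypted(path: Path) -> None:
        path.write_bytes(os.urandom(256))
        path.with_name(path.name + ".args").write_text("constructed sidecar\n")

    web = ds / "web01"; web.mkdir()          # descriptor hit, flat file untouched
    encrypted(web / "web01.vmdk"); encrypted(web / "web01.vmx")
    sparse(web / "web01-flat.vmdk", 64 << 20)
    db = ds / "db01"; db.mkdir()             # flat file carries a sidecar too
    encrypted(db / "db01.vmdk")
    sparse(db / "db01-flat.vmdk", 64 << 20)
    (db / "db01-flat.vmdk.args").write_text("constructed sidecar\n")
    b = ds / "build01"; b.mkdir()            # never touched
    sparse(b / "build01-flat.vmdk", 64 << 20)
    (b / "build01.vmdk").write_text(build_descriptor(b / "build01-flat.vmdk"))
    return ds


if __name__ == "__main__":
    ds = build_sample_datastore()
    print(triage_datastore(ds))
    print("rebuilt:", recover_datastore(ds))
```

Running it prints the per-disk classification and then `rebuilt: ['web01/web01.vmdk']`; db01 is reported as `flat_encrypted` and is deliberately left alone, since writing a descriptor over a damaged data file would only hide the damage. After the rebuild the VM still needs a configuration file: on ESXi that is done by registering a new VM and attaching the recovered disk rather than by decrypting the old .vmx.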
Source: www.securityweek.com. Published Wed, 08 Feb 2023 12:03:03 +0000.