The Cybersecurity and Infrastructure Security Agency (CISA) has released a script to help organizations affected by the ESXiArgs ransomware, which has disrupted many organizations around the world since last Friday. CISA has posted the script on its GitHub page and has advised victims to evaluate it before using it. The script is based on the work of two Turkish developers, Enes Sönmez and Ahmet Aykaç, who posted a step-by-step tutorial earlier this week.

The ransomware exploits a two-year-old vulnerability in VMware ESXi servers, known as CVE-2021-21974, and has already encrypted files at more than 3,800 organizations in the US, France, Italy, and other countries. The script works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. CISA has warned that it does not assume liability for any damage caused by the script.

The FBI and CISA have also issued a joint alert about blocking the ransomware and responding to attacks, and European cybersecurity authorities have issued warnings about the campaign. The ransomware actors are targeting unpatched VMware servers that are connected to the internet, which experts have said is a mistake. Most victims have reported seeing a ransom note asking for $50,000 worth of Bitcoin. The campaign is believed to be tied to a single threat actor or group, given the low ransom demand and the widespread, opportunistic targeting.

Experts have said that the fiasco highlights the problem of organizations not patching quickly, as VMware had released a patch for CVE-2021-21974 in February 2021. It is also an open secret in the offensive hacking community that the underlying tools that wrap around virtualized environments are still very buggy. Organizations are advised not to expose their ESXi management interface to the internet.
This Cyber News was published on therecord.media. Publication date: Thu, 09 Feb 2023 13:01:02 +0000