US CISA releases a script to recover servers infected with ESXiArgs ransomware

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script to recover VMware ESXi servers infected with ESXiArgs ransomware.

Good news for the victims of the recent wave of ESXiArgs ransomware attacks: the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script that lets them attempt recovery of encrypted VMware ESXi servers.

The French Computer Emergency Response Team (CERT-FR) was the first to warn, last Friday, that threat actors are targeting VMware ESXi servers to deploy ransomware.

CERT-FR reported that the threat actors behind these ransomware attacks are actively exploiting CVE-2021-21974, a heap-overflow vulnerability in the OpenSLP service of ESXi that VMware patched in February 2021 (VMSA-2021-0002). OpenSLP listens on port 427; hosts that cannot be patched should have the SLP service disabled, as VMware has long recommended.

Experts estimated that a few thousand systems were encrypted worldwide.

Jack Cable, a senior technical advisor at US CISA, published a list of 2803 bitcoin addresses associated with the infections.

The good news is that in most cases the attack did only partial damage: the ESXiArgs encryptor hit the small VM configuration and descriptor files (such as the .vmx files and the .vmdk descriptors) but left the large -flat.vmdk files, which hold the actual virtual disk data, unencrypted.

The U.S. CISA then released a script to recover VMware ESXi servers, compiled from publicly available resources.

The tool is available here:

https://github.com/cisagov/ESXiArgs-Recover

“ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.” reads the description provided by the Agency.

“CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.”

In practice this means the script does not decrypt anything: it rebuilds the small plain-text files the encryptor destroyed (the .vmdk descriptor that points at the flat extent, and the VM configuration) from the intact -flat.vmdk files, so that the virtual machine can be registered and booted again.

As always when attempting to recover files encrypted by ransomware, back up the server (at minimum the affected datastore) before running any recovery script.

“This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit.” CISA concludes. “Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.”
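To make the "reconstruct metadata from the unencrypted disks" idea concrete, here is an added example of the core step done by hand. It is not CISA's ESXiArgs-Recover script and not VMware tooling: it scans a VM directory for -flat.vmdk files whose .vmdk descriptor is missing or no longer plain text, keeps the encrypted descriptor under a .encrypted suffix, and writes a fresh descriptor with the correct extent size derived from the flat file. The sample VM directory, file names and the 1 MiB flat file are constructed for the demo; the hardware version and LSI Logic geometry written into the descriptor are assumptions you must match to the real host.

```shell
#!/bin/sh
# Added example, not CISA's ESXiArgs-Recover script: rebuild the plain-text VMDK
# descriptor for a flat extent whose original descriptor was encrypted.
# Assumptions: the *-flat.vmdk file is intact, the disk is a flat VMFS extent,
# and hardware version 14 suits the target host (adjust ddb.virtualHWVersion).

# A healthy descriptor is plain text starting with this magic line; an encrypted
# one is opaque bytes, so the header check tells the two apart.
descriptor_is_valid() {
    [ -f "$1" ] && head -n 1 "$1" 2>/dev/null | grep -q '^# Disk DescriptorFile'
}

# Print the flat file's size in 512-byte sectors; fail if the size is not a
# whole number of sectors, which would mean the flat file is damaged too.
flat_sectors() {
    size=$(wc -c < "$1" | tr -d ' ') || return 1
    [ "$((size % 512))" -eq 0 ] || return 1
    echo "$((size / 512))"
}

# Write a descriptor for flat file $1 to path $2 (monolithicFlat on VMFS).
write_descriptor() {
    flat=$1
    out=$2
    sectors=$(flat_sectors "$flat") || return 1
    # Assumed BIOS geometry for an LSI Logic disk: 255 heads x 63 sectors.
    cyl=$((sectors / (255 * 63)))
    [ "$cyl" -gt 0 ] || cyl=1
    cat > "$out" <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $sectors VMFS "$(basename "$flat")"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cyl"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "14"
EOF
}

# For every *-flat.vmdk in a VM directory whose descriptor is missing or no
# longer plain text, keep the encrypted descriptor (nothing is deleted) and
# write a fresh one. Prints the number of descriptors rebuilt; logs go to stderr.
recover_vm_dir() {
    dir=$1
    rebuilt=0
    for flat in "$dir"/*-flat.vmdk; do
        [ -e "$flat" ] || continue          # directory holds no flat files
        desc="${flat%-flat.vmdk}.vmdk"
        if descriptor_is_valid "$desc"; then
            echo "ok: $desc is intact, skipping" >&2
            continue
        fi
        if [ -e "$desc" ]; then
            mv "$desc" "$desc.encrypted"
        fi
        if write_descriptor "$flat" "$desc"; then
            echo "rebuilt: $desc" >&2
            rebuilt=$((rebuilt + 1))
        else
            echo "skipped: $flat is not a whole number of sectors" >&2
        fi
    done
    echo "$rebuilt"
}

# Constructed sample: a 1 MiB flat file (2048 sectors) whose descriptor has been
# replaced by opaque bytes, standing in for an ESXiArgs-encrypted descriptor.
demo_dir=$(mktemp -d)
dd if=/dev/zero of="$demo_dir/web01-flat.vmdk" bs=512 count=2048 2>/dev/null
printf '\217\036\000\072 not-a-descriptor' > "$demo_dir/web01.vmdk"
recover_vm_dir "$demo_dir"
cat "$demo_dir/web01.vmdk"
```

On a real ESXi host the safer route is the one CISA's script takes, creating the descriptor with vmkfstools and swapping in the original flat file, but the descriptor above is what that step produces. Two caveats a practitioner will hit: thin-provisioned disks also need `ddb.thinProvisioned = "1"` in the descriptor, and the encrypted .vmx still has to be replaced (for example by creating a new VM in the vSphere client and attaching the rebuilt disk) before the guest can be powered on.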

VMware said yesterday that it has found no evidence that the threat actors behind the ongoing ESXiArgs ransomware attacks are leveraging a zero-day vulnerability in ESXi; the targets are unpatched or end-of-support hosts exposed to known, already-fixed flaws.

“VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.” reads the latest advisory published by the company. “Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs).” 

Pierluigi Paganini

(SecurityAffairs – hacking, ESXiArgs ransomware)