CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware 

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an open source tool that could help some victims of the recent ESXiArgs ransomware attacks recover their files.

The ESXiArgs ransomware attacks, first observed on February 3, involve exploitation of CVE-2021-21974, a high-severity ESXi remote code execution vulnerability that VMware patched in February 2021. 

Hackers are leveraging the vulnerability to deploy file-encrypting malware that targets virtual machines (VMs). The cybercriminals are also claiming to have stolen data — which they threaten to leak — but currently there is no evidence to back up their claims.

Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now. VMware is warning users to take action, noting that there is no evidence that a zero-day vulnerability has been involved in the ESXiArgs attacks.

The Censys and Shodan search engines show there are currently roughly 2,000 compromised ESXi servers. It’s worth noting that the number of hacked systems identified by Censys has decreased in the past days, which indicates that affected organizations have started cleaning up their networks. 

An analysis of the ESXiArgs attack shows that once a server is compromised, the attacker places a series of files in the /tmp folder, including an encryptor, a shell script managing the attack flow, a public RSA encryption key, and a ransom note. 

The shell script is responsible for changing VMX configuration file names, killing running VMX processes, identifying and encrypting VM-related files, placing the ransom note on the targeted system, and deleting the originals of the encrypted files, according to an analysis conducted by BlackBerry researchers. 

While the ransomware does encrypt some files associated with virtual machines, it appears that — at least in some cases — it only encrypts configuration files, not the disk files that store data. This can allow victims to recover their data without paying a ransom to the cybercriminals.

Security researchers Enes Sonmez and Ahmet Aykac have described the steps that users need to take to recover their data. CISA has taken the researchers’ tutorial and other publicly available resources and created an ESXiArgs ransomware recovery tool that reconstructs VM metadata from virtual disks that were not encrypted by the malware. 

“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA explained. 

Based on an initial analysis, experts say the files that have actually been encrypted by the ransomware cannot be recovered. 

ESXiArgs has not been linked to any known ransomware group, but some believe the malware may have been derived from the Babuk source code that was leaked in 2021.

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities