Connect with us

Hi, what are you looking for?

SecurityWeekSecurityWeek

Ransomware

CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware 

It may be possible to recover some virtual machines impacted by the ESXiArgs ransomware and CISA has released a tool for the task.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an open source tool that could help some victims of the recent ESXiArgs ransomware attacks recover their files.

The ESXiArgs ransomware attacks, first observed on February 3, involve exploitation of CVE-2021-21974, a high-severity ESXi remote code execution vulnerability that VMware patched in February 2021. 

Hackers are leveraging the vulnerability to deploy file-encrypting malware that targets virtual machines (VMs). The cybercriminals are also claiming to have stolen data — which they threaten to leak — but currently there is no evidence to back up their claims.

Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now. VMware is warning users to take action, noting that there is no evidence that a zero-day vulnerability has been involved in the ESXiArgs attacks.

The Censys and Shodan search engines show there are currently roughly 2,000 compromised ESXi servers. It’s worth noting that the number of hacked systems identified by Censys has decreased in the past days, which indicates that affected organizations have started cleaning up their networks. 

An analysis of the ESXiArgs attack shows that once a server is compromised, the attacker places a series of files in the /tmp folder, including an encryptor, a shell script managing the attack flow, a public RSA encryption key, and a ransom note. 

The shell script is responsible for changing VMX configuration file names, killing running VMX processes, identifying and encrypting VM-related files, placing the ransom note on the targeted system, and deleting the originals of the encrypted files, according to an analysis conducted by BlackBerry researchers. 

While the ransomware does encrypt some files associated with virtual machines, it appears that — at least in some cases — it only encrypts configuration files, not the disk files that store data. This can allow victims to recover their data without paying a ransom to the cybercriminals.

Advertisement. Scroll to continue reading.

Security researchers Enes Sonmez and Ahmet Aykac have described the steps that users need to take to recover their data. CISA has taken the researchers’ tutorial and other publicly available resources and created an ESXiArgs ransomware recovery tool that reconstructs VM metadata from virtual disks that were not encrypted by the malware. 

“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA explained. 

Based on an initial analysis, experts say the files that have actually been encrypted by the ransomware cannot be recovered

ESXiArgs has not been linked to any known ransomware group, but some believe the malware may have been derived from the Babuk source code that was leaked in 2021.

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities 

Written By

Eduard Kovacs (@EduardKovacs) is a managing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Trending

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this event as we dive into threat hunting tools and frameworks, and explore value of threat intelligence data in the defender’s security stack.

Register

Learn how integrating BAS and Automated Penetration Testing empowers security teams to quickly identify and validate threats, enabling prompt response and remediation.

Register

People on the Move

Wendi Whitmore has taken the role of Chief Security Intelligence Officer at Palo Alto Networks.

Phil Venables, former CISO of Google Cloud, has joined Ballistic Ventures as a Venture Partner.

David Currie, former CISO of Nubank and Klarna, has been appointed CEO of Vaultree.

More People On The Move

Expert Insights

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest cybersecurity news, threats, and expert insights. Unsubscribe at any time.