Security Experts:

Connect with us

Hi, what are you looking for?



CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware 

It may be possible to recover some virtual machines impacted by the ESXiArgs ransomware and CISA has released a tool for the task.

The US Cybersecurity and Infrastructure Security Agency (CISA) has released an open source tool that could help some victims of the recent ESXiArgs ransomware attacks recover their files.

The ESXiArgs ransomware attacks, first observed on February 3, involve exploitation of CVE-2021-21974, a high-severity ESXi remote code execution vulnerability that VMware patched in February 2021. 

Hackers are leveraging the vulnerability to deploy file-encrypting malware that targets virtual machines (VMs). The cybercriminals are also claiming to have stolen data — which they threaten to leak — but currently there is no evidence to back up their claims.

Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now. VMware is warning users to take action, noting that there is no evidence that a zero-day vulnerability has been involved in the ESXiArgs attacks.

The Censys and Shodan search engines show there are currently roughly 2,000 compromised ESXi servers. It’s worth noting that the number of hacked systems identified by Censys has decreased in the past days, which indicates that affected organizations have started cleaning up their networks. 

An analysis of the ESXiArgs attack shows that once a server is compromised, the attacker places a series of files in the /tmp folder, including an encryptor, a shell script managing the attack flow, a public RSA encryption key, and a ransom note. 

The shell script is responsible for changing VMX configuration file names, killing running VMX processes, identifying and encrypting VM-related files, placing the ransom note on the targeted system, and deleting the originals of the encrypted files, according to an analysis conducted by BlackBerry researchers. 

While the ransomware does encrypt some files associated with virtual machines, it appears that — at least in some cases — it only encrypts configuration files, not the disk files that store data. This can allow victims to recover their data without paying a ransom to the cybercriminals.

Security researchers Enes Sonmez and Ahmet Aykac have described the steps that users need to take to recover their data. CISA has taken the researchers’ tutorial and other publicly available resources and created an ESXiArgs ransomware recovery tool that reconstructs VM metadata from virtual disks that were not encrypted by the malware. 

“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA explained. 

Based on an initial analysis, experts say the files that have actually been encrypted by the ransomware cannot be recovered

ESXiArgs has not been linked to any known ransomware group, but some believe the malware may have been derived from the Babuk source code that was leaked in 2021.

Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event

Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities 

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...


Satellite TV giant Dish Network confirmed that a recent outage was the result of a cyberattack and admitted that data was stolen.


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.


The FBI dismantled the network of the prolific Hive ransomware gang and seized infrastructure in Los Angeles that was used for the operation.