The US Cybersecurity and Infrastructure Security Agency (CISA) has released an open source tool that could help some victims of the recent ESXiArgs ransomware attacks recover their files.
The ESXiArgs ransomware attacks, first observed on February 3, involve exploitation of CVE-2021-21974, a high-severity ESXi remote code execution vulnerability that VMware patched in February 2021.
Hackers are leveraging the vulnerability to deploy file-encrypting malware that targets virtual machines (VMs). The cybercriminals are also claiming to have stolen data — which they threaten to leak — but currently there is no evidence to back up their claims.
Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now. VMware is warning users to take action, noting that there is no evidence that a zero-day vulnerability has been involved in the ESXiArgs attacks.
The Censys and Shodan search engines show there are currently roughly 2,000 compromised ESXi servers. It’s worth noting that the number of hacked systems identified by Censys has decreased in the past days, which indicates that affected organizations have started cleaning up their networks.
An analysis of the ESXiArgs attack shows that once a server is compromised, the attacker places a series of files in the /tmp folder, including an encryptor, a shell script managing the attack flow, a public RSA encryption key, and a ransom note.
The shell script is responsible for changing VMX configuration file names, killing running VMX processes, identifying and encrypting VM-related files, placing the ransom note on the targeted system, and deleting the originals of the encrypted files, according to an analysis conducted by BlackBerry researchers.
While the ransomware does encrypt some files associated with virtual machines, it appears that — at least in some cases — it only encrypts configuration files, not the disk files that store data. This can allow victims to recover their data without paying a ransom to the cybercriminals.
Security researchers Enes Sonmez and Ahmet Aykac have described the steps that users need to take to recover their data. CISA has taken the researchers’ tutorial and other publicly available resources and created an ESXiArgs ransomware recovery tool that reconstructs VM metadata from virtual disks that were not encrypted by the malware.
“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA explained.
Based on an initial analysis, experts say the files that have actually been encrypted by the ransomware cannot be recovered.
ESXiArgs has not been linked to any known ransomware group, but some believe the malware may have been derived from the Babuk source code that was leaked in 2021.
Related: VMware Patches VM Escape Flaw Exploited at Geekpwn Event
Related: VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Unpatched Security Flaws Expose Water Pump Controllers to Remote Hacker Attacks
- 3CX Confirms Supply Chain Attack as Researchers Uncover Mac Component
- OpenSSL 1.1.1 Nears End of Life: Security Updates Only Until September 2023
- Google Links More iOS, Android Zero-Day Exploits to Spyware Vendors
- ChatGPT Data Breach Confirmed as Security Firm Warns of Vulnerable Component Exploitation
- Thousands Access Fake DDoS-for-Hire Websites Set Up by UK Police
Latest News
- Italy Temporarily Blocks ChatGPT Over Privacy Concerns
- FDA Announces New Cybersecurity Requirements for Medical Devices
- Report: Chinese State-Sponsored Hacking Group Highly Active
- Votiro Raises $11.5 Million to Prevent File-Borne Threats
- Lumen Technologies Hit by Two Cyberattacks
- Leaked Documents Detail Russia’s Cyberwarfare Tools, Including for OT Attacks
- Mandiant Investigating 3CX Hack as Evidence Shows Attackers Had Access for Months
- Severe Azure Vulnerability Led to Unauthenticated Remote Code Execution
