According to the latest data, the number of ESXiArgs ransomware victims has surpassed 3,800, and CISA has published a recovery script for victim organizations.
Fixing the mess
The attacks started late last week and are still ongoing.
Investigations point to a new family of ransomware dubbed ESXiArgs by the researchers – though, according to Paul Ducklin, Sophos Head of Technology for the Asia Pacific region, it should be just Args, as it’s a Linux program that can be used against more than just VMWare ESXi systems and files.
The malware attempts to kill off running virtual machines, export an ESXi filesystem volume list, find important VMWare files for each volume, and call a general-purpose file scrambling tool for each file found, Ducklin explained.
But according to different sources, the first step of the process occasionally fails, and the encryption process is limited to a small chunk of data within files.
“Depending of your VM OS and file system type, you might be able to recover data with data revery tools, at least partially. Be carefull, this tools might have irreversible action on the file so, we recommend to copy the VM files on an other location to protect the data before trying any recovery operation,” warned Julien Levrard, CISO at OVHcloud.
To help organizations recover virtual machines affected by the ESXiArgs ransomware attacks, CISA has released a recovery script based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team.
“The tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA explained, but warned that organizations using it review it before deploying it, to determine if it is appropriate for their environment.
Preventing similar attacks
According to a recent list compiled by CISA technical advisor Jack Cable by combining the results of Censys’s scanning of internet-facing systems and a collection of Bitcoin addresses compiled by crowdsourced ransomware payment tracker Somewhere, over 3,800 systems have been hit by the ransomware.
VMware says they have “not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks.”
The French CERT says that the attackers are exploiting CVE-2021-21974, but possibly also an older vulnerability (CVE-2020-3992), to gain access to target systems. Both flaws affect ESXi’s SLP service, and VMware released patches for them years ago.
“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7,” the CERT said. VMware advises users for upgrade to a supported version (ESXi 7.x or ESXi 8.x), implement any security patches provided and/or disabling the SLP service (and other unnecessary services). The company also noted that “in 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”