The US Cybersecurity and Infrastructure Security Agency (CISA) has released a tool that allows organizations to recover VMware ESXi servers encrypted in a recent wave of ESXiArgs ransomware attacks.
“ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.
CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” CISA said.
The ESXiArgs attacks are reportedly exploiting a two-year-old remote code execution vulnerability affecting VMware ESXi to deploy the ransomware.
Tracked as CVE-2021-21974, the flaw is a heap-based buffer overflow in the OpenSLP service that an unauthenticated attacker can exploit for remote code execution on the underlying server. The bug affects ESXi 7.x versions prior to ESXi70U1c-17325551, ESXi 6.7.x versions prior to ESXi670-202102401-SG, and ESXi 6.5.x versions prior to ESXi650-202102101-SG.
VMware said it “has not found evidence that suggests an unknown vulnerability is being used to propagate the ransomware used in these recent attacks.”
According to CISA’s list of bitcoin addresses, over 2,800 ESXi servers have been encrypted to date.