CISA Publishes Recovery Script for ESXiArgs Ransomware: Hackers Redevelop It

essidsolutions

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) and the FBI have jointly released a new ransomware recovery script for the victims of the latest ESXiArgs ransomware campaign. Through the widespread campaign, the unknown threat actors have victimized thousands of companies, including Florida’s Supreme Court and several U.S. and European universities.

In total, the ESXiArgs ransomware campaign compromised more than 3,800 VMware ESXi servers vulnerable to CVE-2021-21974 (CVSS score: 8.8), a heap overflow flaw in OpenSLP (a component of ESXi) that was discovered and patched two years ago. Exploitation can lead to remote code execution.

However, the unknown threat actor(s) began exploiting the vulnerability this month, on February 3, 2023. As of February 9, 2023, Censys data indicates that 1,615 servers remain compromised.

Xavier Bellekens, co-founder and CEO at Lupovis, told Spiceworks, “This massive campaign looks like the attackers behind it used scanners to run automated tests across the internet to help them identify vulnerable VMWare ESXi servers, and then exploit the vulnerability to launch the ESXiArgs ransomware.”

According to a Reuters report, Florida’s Supreme Court and several universities in the U.S. and Central Europe have been impacted. The sophistication of the ESXiArgs ransomware campaign is questionable, although momentum certainly is on its side, given the propagation rate.

Additionally, a VMware update suggests that more than one vulnerability could be exploited. “Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs),” the company’s notice reads.

As such, the cloud and virtualization major advised admins to upgrade vulnerable ESXi instances to the latest available supported releases of vSphere components and recommended disabling the OpenSLP service in ESXi.

“Over the course of the weekend, Lupovis has seen numerous new IPs scanning and exploiting the vulnerability, with attackers acting quickly to catch organizations out before they have time to apply the patch,” Bellekens noted. “On Friday, Lupovis saw 3 IPs scanning for vulnerable servers, and by Monday morning, this jumped to 40. On our decoys, we also saw the various IPs touching most of our sectorial clusters, which explains the diversity in targets in this campaign.”

“Interestingly enough, it seems that most of the affected servers pointed to many different wallets, i.e., definitely looking at muddying their tracks,” Bellekens continued, adding that the number of wallets increased from 150 last Saturday to nearly 350 yesterday.


The attackers are demanding $50,000 as ransom in exchange for encrypted data. Reportedly, $88,000 has been paid in four ransom payments so far.

Bellekens concluded, “When it comes to protecting against this vulnerability and stopping organizations [from] getting caught up in this campaign, the VMWare patch must be applied to address this vulnerability. However, if the patch cannot be applied to systems, Lupovis recommends blocking the IP addresses below, which relate to scanners that are actively working to find vulnerable servers.”


However, for those already infected and compromised by ESXiArgs ransomware, CISA and the FBI have good news.

ESXiArgs Ransomware Recovery Script

The data recovery script by CISA and the FBI reconstructs virtual machine metadata from the virtual disks that were left unencrypted. Not all data is encrypted by the ESXiArgs ransomware; it only encrypts files with the following extensions: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.

“As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files,” CISA explained.

The only caveat? It creates new configuration files.

“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” CISA added.

Admins who come across any issues using the ESXiArgs ransomware recovery script can report them to CISA. For technical details, refer to CISA’s advisory.
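To make the recovery idea concrete, the following is an added example written for this article and not CISA’s script: in a VM directory where the small `.vmdk` descriptor was encrypted but the large `-flat.vmdk` extent survived, it rebuilds a new descriptor from the flat file’s size, and, like the CISA script, deletes nothing. The extension list comes from the article; the adapter type and disk geometry values are assumed defaults, and real recoveries should follow CISA’s advisory.

```python
# Added example, not CISA's script. Rebuilds a VMDK descriptor for a surviving
# "-flat.vmdk" extent whose descriptor file was encrypted (or is missing).
from pathlib import Path

SECTOR = 512
# File extensions the article says ESXiArgs encrypts.
TARGET_EXTS = {"vmdk", "vmx", "vmxf", "vmsd", "vmsn", "vswp", "vmss", "nvram", "vmem"}

def affected_files(vm_dir):
    """List files in vm_dir whose extension is one the ransomware targets."""
    return sorted(p.name for p in Path(vm_dir).iterdir()
                  if p.is_file() and p.suffix.lstrip(".") in TARGET_EXTS)

def is_plain_descriptor(path):
    """A healthy VMDK descriptor is small text beginning with this banner."""
    try:
        return Path(path).read_bytes()[:64].startswith(b"# Disk DescriptorFile")
    except OSError:
        return False

def build_descriptor(flat_name, flat_size):
    """Recreate a descriptor; the sector count is derived from the flat file size."""
    if flat_size % SECTOR:
        raise ValueError("flat file size is not a whole number of sectors")
    sectors = flat_size // SECTOR
    # Geometry is cosmetic for VMFS extents; 255 heads x 63 sectors is an assumed default.
    cylinders = max(1, sectors // (255 * 63))
    return (
        "# Disk DescriptorFile\nversion=1\nCID=fffffffe\nparentCID=ffffffff\n"
        'createType="vmfs"\n\n# Extent description\n'
        f'RW {sectors} VMFS "{flat_name}"\n\n# The Disk Data Base\n#DDB\n\n'
        'ddb.adapterType = "lsilogic"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\nddb.geometry.heads = "255"\n'
        'ddb.geometry.sectors = "63"\n'
    )

def recover(vm_dir):
    """For each *-flat.vmdk whose descriptor is missing or not plain text, write a
    new descriptor. Nothing is deleted: a damaged descriptor is renamed aside."""
    written = []
    for flat in Path(vm_dir).glob("*-flat.vmdk"):
        desc = flat.with_name(flat.name[:-len("-flat.vmdk")] + ".vmdk")
        if is_plain_descriptor(desc):
            continue  # descriptor intact, leave it alone
        if desc.exists():
            desc.rename(desc.with_name(desc.name + ".encrypted"))  # keep the original
        desc.write_text(build_descriptor(flat.name, flat.stat().st_size))
        written.append(desc.name)
    return written
```

Running `recover()` twice is safe: the second pass sees the new plain-text descriptor and skips it.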

However, a BleepingComputer report states that a new version of the ESXiArgs ransomware with a modified encryption routine encrypts more data. Experts told BleepingComputer that the encryption mechanism used in the new version also makes 50% of the data unrecoverable.

Interestingly, developers of the ESXiArgs ransomware removed the Bitcoin addresses in the ransom note. 
