The US Cybersecurity and Infrastructure Security Agency (CISA) has released an open source tool that can help some victims of the recent ESXiArgs ransomware attacks recover their files.
The ESXiArgs ransomware attacks, first spotted on February 3, include an exploit for CVE-2021-21974, a high-severity ESXi remote code execution vulnerability that VMware patched in February 2021.
Hackers are leveraging the vulnerability to deploy file-encrypting malware targeting virtual machines (VMs). The cybercriminals also claim to have stolen data – which they are threatening to leak – but there is currently no evidence to back up their claims.
Security researchers Enes Sonmez and Ahmet Aykac outlined the steps users should take to recover their data. CISA took the researchers’ guide and other publicly available resources and created an ESXiArgs ransomware recovery tool that recovers VM metadata from virtual disks that were not encrypted by the malware.
Any organization wishing to use CISA’s ESXiArgs recovery script should carefully review the script to determine whether it is appropriate for their environment before deploying it. The script does not attempt to delete the encrypted configuration files; instead, it attempts to create new configuration files that restore access to the VMs.
Based on initial analysis, experts say that the files actually encrypted by the ransomware cannot be recovered.
The ESXiArgs group has not been linked to any known ransomware groups, but some believe the malware was derived from the Babuk source code leaked in 2021.