Skip links

Among the thousands of ESXiArgs ransomware victims? FBI and CISA to the rescue

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script to help companies whose servers were scrambled in the recent ESXiArgs ransomware outbreak.

The malware attack hit thousands of servers over the globe but there’s no need to enrich criminals any more. In addition to the script, CISA and the FBI today published ESXiArgs ransomware virtual machine recovery guidance on how to recover systems as soon as possible.

The software nasty is estimated to be on more than 3,800 servers globally, according to the Feds. However, “the victim count is likely higher due to Internet search engines being a point-in-time scan and devices being taken offline for remediation before a second scan,” Arctic Wolf Labs’ security researchers noted.

Uncle Sam urged all organizations managing VMware ESXi servers to update to the latest version of the software, harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and make sure that ESXi isn’t exposed to the public internet.

Also: the government agencies really don’t encourage paying the ransom, except when they do.

Bad news, good news

Last Friday, France and Italy’s cybersecurity agencies sounded the alarm on the ransomware campaign that exploits CVE-2021-21974 – a 9.1/10 rated bug disclosed and patched two years ago.  

The bad news: the ransomware infects ESXi, VMware’s bare metal hypervisor, which is a potential goldmine for attackers. Once they’ve compromised ESXi, they could move onto guest machines that run critical apps and data.

The good news is that it’s not a very sophisticated piece of malware. Sometimes the encryption and data exfiltration doesn’t work, and shortly after government agencies sounded the alarm, security researchers released their own decryption tool. Now CISA’s added its recovery tool to the pool of fixes.

Organizations can access the recovery script on GitHub.

The US agency compiled the tool using publicly available resources, including the decryptor and tutorial by Enes Sonmez and Ahmet Aykac. “This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” according to CISA.

The US government org also suggests folks check out the guidance provided in the accompanying README file to determine if the script is a good fit .

In research published Tuesday, cloud security company Wiz reported that 12 percent of  ESXi servers remain unpatched for CVE-2021-21974, and thus vulnerable to attacks. 

Earlier reports indicated the malware has ties to the Nevada ransomware family, first observed in December 2022 and associated with Chinese and Russian criminals. However, further analysis suggests the ransomware is likely based on Babuk source code.

Babuk source code was leaked in 2021, and has since been used in other ESXi ransomware attacks, such as CheersCrypt and PrideLocker. ®