An open source tool released by the US Cybersecurity and Infrastructure Security Agency (CISA) may help some victims of the recent ESXiArgs ransomware attacks regain access to their files.
The ESXiArgs ransomware attacks, first observed on February 3, exploit CVE-2021-21974, a high-severity remote code execution vulnerability in the ESXi OpenSLP service that VMware patched in February 2021. Attackers use the flaw to deploy malware that encrypts files belonging to virtual machines (VMs). The criminals threaten to leak stolen data, but there is currently no evidence that any data was actually taken.
Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been public for almost two years, yet until now there had been no sign of in-the-wild exploitation. VMware has found no evidence that the ESXiArgs attacks use a zero-day vulnerability and is advising customers to apply the available patches and, where that is not immediately possible, to disable the OpenSLP service. According to the Censys and Shodan search engines, roughly 2,000 ESXi servers have been compromised. Notably, Censys has recently observed fewer compromised systems, which suggests that affected organizations have been cleaning up and patching their servers.
An analysis of the ESXiArgs attack shows that once a server has been compromised, the attacker uploads several files to the /tmp directory: an encryptor, a shell script that drives the attack flow, a public RSA key used for the encryption, and a ransom note.
Analysis by BlackBerry researchers found that the shell script renames the VMX configuration files, terminates the running VMX processes so that the VM files can be modified, locates and encrypts VM-related files, drops the ransom note on the compromised system, and deletes the originals of the encrypted files.
While the ransomware does encrypt some VM-related files, it appears that, at least in some cases, it only encrypts the small configuration files and leaves the large virtual disk files that actually hold the data untouched. Victims may therefore be able to recover their data without paying the crooks a ransom.
Researchers Enes Sonmez and Ahmet Aykac have published a step-by-step procedure for recovering such VMs. Building on their guide and other publicly available information, CISA has released an ESXiArgs ransomware recovery script that rebuilds the metadata of virtual machines whose disk files were not encrypted by the malware, so that the VMs can be registered and powered on again.
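As an added example, not part of the original article and not CISA's script or the researchers' procedure, the following Python triages a VM directory and rebuilds a missing VMDK descriptor for each intact flat extent, which is the core of the recovery idea described above: the large data file survives, and the small descriptor that points at it is cheap to regenerate. It assumes that encrypted files carry an added ".args" suffix, that the disks used the lsilogic adapter and virtual hardware version 14 (both are parameters and must match the original VM), and that the CID and geometry values can be regenerated; the sample VM directory it builds is constructed. It does not recreate the .vmx or re-register the VM, which remain manual steps.

```python
"""Rebuild VMDK descriptors for an ESXiArgs-style recovery.

Added illustration, not CISA's recovery script nor the researchers' procedure.
Assumptions (not stated in the article):
  * encrypted files carry an extra ".args" suffix, so "web01.vmdk" becomes
    "web01.vmdk.args" and the original descriptor is gone;
  * the large "<name>-flat.vmdk" extent files are intact, so a new descriptor
    pointing at them makes the disk usable again;
  * the disks used the lsilogic adapter and the given virtual HW version.
"""
import tempfile
from pathlib import Path

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 255, 63  # geometry ESXi writes for lsilogic disks


def triage(vm_dir):
    """Classify one VM directory: encrypted (.args) files, intact flat extents,
    and descriptor names that are missing but can be rebuilt from an extent."""
    vm_dir = Path(vm_dir)
    encrypted = sorted(p.name for p in vm_dir.iterdir() if p.name.endswith(".args"))
    flats = sorted(p.name for p in vm_dir.glob("*-flat.vmdk"))
    rebuildable = []
    for flat in flats:
        descriptor = flat[: -len("-flat.vmdk")] + ".vmdk"
        if not (vm_dir / descriptor).exists():
            rebuildable.append(descriptor)
    return {"encrypted": encrypted, "flat": flats, "rebuildable": rebuildable}


def descriptor_text(flat_name, flat_size, hw_version=14):
    """Return the text of a VMFS descriptor for an existing flat extent.

    The extent line needs the size in 512-byte sectors; a flat file whose size
    is not sector aligned was truncated or damaged and is refused."""
    if flat_size <= 0 or flat_size % SECTOR:
        raise ValueError(f"{flat_name}: size {flat_size} is not a whole number of sectors")
    sectors = flat_size // SECTOR
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        'encoding="UTF-8"',
        "CID=fffffffe",          # assumed: a fresh content ID is acceptable
        "parentCID=ffffffff",    # no parent: this is a base disk, not a snapshot
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.adapterType = "lsilogic"',  # assumed; must match the original VM
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        'ddb.thinProvisioned = "1"',
        f'ddb.virtualHWVersion = "{hw_version}"',
    ]
    return "\n".join(lines) + "\n"


def rebuild_descriptors(vm_dir, hw_version=14):
    """Write a descriptor for every flat extent whose descriptor is missing.

    Existing descriptors are never overwritten and the .args files are left in
    place as evidence. Returns the list of descriptors written."""
    vm_dir = Path(vm_dir)
    written = []
    for descriptor in triage(vm_dir)["rebuildable"]:
        flat_name = descriptor[: -len(".vmdk")] + "-flat.vmdk"
        size = (vm_dir / flat_name).stat().st_size
        (vm_dir / descriptor).write_text(descriptor_text(flat_name, size, hw_version))
        written.append(descriptor)
    return written


def make_sample_vm_dir(size_mib=20):
    """Constructed sample: a VM whose descriptor, .vmx and .nvram were encrypted
    (renamed to .args) while the flat extent is intact (a sparse file here)."""
    vm_dir = Path(tempfile.mkdtemp(prefix="web01-"))
    with open(vm_dir / "web01-flat.vmdk", "wb") as f:
        f.truncate(size_mib * 1024 * 1024)
    for name in ("web01.vmdk.args", "web01.vmx.args", "web01.nvram.args"):
        (vm_dir / name).write_bytes(b"\x00" * 16)  # stand-in for ciphertext
    return vm_dir


if __name__ == "__main__":
    d = make_sample_vm_dir()
    print("before:", triage(d))
    print("rebuilt:", rebuild_descriptors(d))
    print((d / "web01.vmdk").read_text())
```

A flat extent that was itself renamed to ".args" does not match the "*-flat.vmdk" pattern, so it is reported as encrypted and nothing is rebuilt for it; that matches the note below that files the malware actually encrypted are not recoverable this way. Work on a copy of the datastore directory first, and compare the generated adapter type and hardware version against any surviving VM inventory before powering the VM on.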
Experts say that, based on initial analysis, the files the ransomware actually encrypted cannot be recovered. ESXiArgs has not been linked to any known ransomware group, although some speculate that the malware may be derived from the Babuk source code that leaked in 2021.