The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a new tool to help victims of ESXiArgs ransomware. It has been dubbed SXiArgs-Recover.
According to CISA, SXiArgs-Recover is an open-source tool designed to help ransomware attack victims recover virtually any VMs (VMware virtual machines) that have been impacted by the currently active attack campaign involving the use of ESXiArgs ransomware. CISA noted that some organizations had used this tool to recover files without paying a ransom.
CISA has developed this tool entirely using publicly available resources, such as a tutorial by Enes Sonmez and Ahmet Aykac. It does the job by reconstructing VM metadata from virtual disks that the malware didn’t encrypt. In its technical advisory, the agency stated that,
“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review it to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.”
Ransomware Attack Details
We reported earlier that threat actors are exploiting a high-severity ESXi remote code execution vulnerability, which VMware had patched back in 2021. The vulnerability was tracked as CVE-2021-21974 and is now being used to deploy file-encrypting malware targeting VMs.
This legacy bug allows attackers to perform remote code execution on ESXi hypervisors by initiating a heap-overflow issue in OpenSLP. Cybercriminals are threatening to leak the stolen data, but there hasn’t been any leak.
Ransomwhere is a ransomware payment tracker, according to which the number of victims targeted in this new attack wave is 3800, and four payments have been made worth a total amount of $88,000.
According to VMware, only unpatched and out-of-date products are targeted with known vulnerabilities like this; therefore, the company advised its customers to upgrade to the latest vSphere components.
It has also recommended that users disable the OpenSLP service in ESXi. It is worth noting that the ESXiArgs malware has not yet been linked to any known ransomware group, but the malware could be derived from the Babuk source code leaked in 2021.