After the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a recovery script for organizations affected by a massive ransomware attack targeting VMWare ESXi servers worldwide, reports surfaced that the malware evolved in a way that made earlier recovery procedures ineffective.
The attacks, aimed at VMware’s ESXi bare metal hypervisor, were first made public February 3 by the French Computer Emergency Response Team (CERT-FR), and target ESXi instances running older versions of the software, or those that have not been patched to current standards. Some 3,800 servers have been affected globally, CISA and the FBI said.
The ransomware encrypts configuration files on vulnerable virtual machines, making them potentially unusable. One ransom note issued to an affected company asked for about $23,000 in bitcoin.
CISA, in conjunction with the FBI, has released a recovery script. The group said that the script does not delete the affected configuration files, but attempts to create new ones. It’s not a guaranteed way to circumvent the ransom demands, and doesn’t fix the root vulnerability that allowed the ESXiArgs attack to function in the first place, but it could be a crucial first step for affected companies.
CISA notes that after running the script, organizations should immediately update their servers to the latest versions, disable the Service Location Protocol (SLP) service that the ESXiArgs attackers used to compromise the virtual machines, and cut the ESXi hypervisors off from the public Internet before reinitializing systems.
After CISA released its guidance, however, reports surfaced that a new version of the ransomware was infecting servers and rendering prior recovery methods ineffective. The new version of the ransomware was first reported by Bleeping Computer.
One major change is that the ransomware now encrypts a larger percentage of the configuration files that it generally targets, making it difficult, if not impossible, for the CISA script to create a clean alternative.
In addition, the new wave of ESXiArgs attacks may work even on systems that don’t have SLP enabled, according to a system administrator’s post on Bleeping Computer, although that was not immediately confirmed by cybersecurity experts.
“[I] have not been able to personally verify that this is the case, nor have any other well-known security research organizations that I would imagine are looking into this,” said Gartner senior director analyst Jon Amato. “It’s certainly plausible, but there’s a lot of daylight between plausible and confirmed.”
Attempting the recovery script is still a good idea for affected organizations, he added.
“It’s worth a shot — it costs nothing but a few minutes of an admin’s time,” Amato said.
CISA: Take these server security procedures
Whether or not the CISA script is usable in a specific organization’s situation, the FBI and CISA recommend that affected organizations follow the last three steps anyway — if at all possible, patching the machines to the latest standard (which is not vulnerable to the ESXiArgs attack), shutting down the SLP service and cutting them off from the public Internet are all important steps for mitigation. The root vulnerability was first reported in CVE-2021-21974, and a patch has been available for almost a year.
The attacks primarily targeted servers in France, the US, and Germany, with substantial numbers of victims in Canada and the UK as well, according to cybersecurity company Censys. To forestall further attacks, CISA and the FBI issued a list of additional steps to be taken, including maintaining regular and robust offline backups, restricting known malware vectors like early versions of the SMB network protocol, and requiring a generally high level of internal security — phishing-resistant 2FA, user account auditing and several other techniques were particularly recommended.
(This story has been updated to include information about SLPs, and an analyst comment.)
Copyright © 2023 IDG Communications, Inc.
