CISA Releases New Tool to Recover from Ransomware Attacks on Unpatched VMware ESXi Servers


VMware has warned of a large-scale global ransomware campaign that is currently targeting vulnerable VMware ESXi servers. The hypervisor maker disclosed that threat actors are exploiting a two-year-old vulnerability in its ESXi hypervisor and components to deploy ransomware.

VMware ESXi is a bare-metal hypervisor that lets companies run multiple virtual machines with different operating systems on a single physical server. Over the weekend, several customers reported that attackers had infected over 3,200 unpatched VMware ESXi servers with a ransomware variant called “ESXiArgs,” which encrypts the .vmsd, .vmx, .nvram, .vmxf, and .vmdk files stored on the vulnerable servers.

According to the French computer emergency response team CERT-FR, the cybercriminals are exploiting CVE-2021-21974, a flaw that was disclosed and patched in February 2021. The vulnerability carries a CVSS severity score of 8.8 and can be exploited by anyone with access to the same network segment as the ESXi host. Proof-of-concept exploit code has been publicly available for the past two years.

The Cybersecurity and Infrastructure Security Agency (CISA) investigated the campaign and recommends that customers upgrade to the latest version of the vSphere components. Meanwhile, VMware advises customers running older versions of ESXi to disable the OpenSLP service.

Download the “ESXiArgs-Recover” script to recover VMs from ransomware attacks

CISA also released a new “ESXiArgs-Recover” script to help customers recover virtual machines from the ESXiArgs ransomware attacks. “CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” CISA explained.

If you are affected by the ESXiArgs ransomware attacks, you can download the ESXiArgs recovery tool from GitHub. Keep in mind that the script creates new configuration files that let customers access their virtual machines again. IT administrators should still evaluate the recovery tool to determine whether it is suitable for their environment before running it.
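The recovery approach CISA describes, rebuilding virtual machine metadata from disk data that the malware left intact, illustrated as an added example that is not CISA's ESXiArgs-Recover script and not VMware code: the helper walks a datastore directory, flags every `-flat.vmdk` extent whose descriptor is missing or no longer starts with the standard `# Disk DescriptorFile` header, sets the damaged descriptor aside for forensics, and writes a fresh descriptor sized from the extent. The datastore layout, the VM names, and the adapter type, hardware version and geometry defaults are assumptions; the sample datastore is constructed in a temporary directory so the script runs offline.

```python
"""Added example: triage and descriptor rebuild for an ESXi datastore whose
small metadata files were encrypted while the large -flat.vmdk extents were
not. Not CISA's tool; assumes a datastore mounted as a plain directory tree,
one VM per folder, and VMware's "<name>-flat.vmdk" extent naming."""
import os
import tempfile

# Metadata extensions the article reports ESXiArgs encrypting.
METADATA_EXTENSIONS = (".vmsd", ".vmx", ".nvram", ".vmxf", ".vmdk")
SECTOR_SIZE = 512
HEADS, SECTORS_PER_TRACK = 255, 63          # conventional VMDK geometry
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"  # first line of every text descriptor


def descriptor_is_valid(path):
    """True if the file exists and still begins with the descriptor header."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(DESCRIPTOR_MAGIC)) == DESCRIPTOR_MAGIC
    except OSError:
        return False


def find_orphaned_flats(datastore):
    """Return sorted (vm_dir, base_name, flat_size) for each -flat.vmdk whose
    sibling descriptor is missing or no longer parses as a descriptor."""
    orphans = []
    for root, _dirs, files in os.walk(datastore):
        for name in files:
            if not name.endswith("-flat.vmdk"):
                continue
            base = name[: -len("-flat.vmdk")]
            if not descriptor_is_valid(os.path.join(root, base + ".vmdk")):
                orphans.append((root, base, os.path.getsize(os.path.join(root, name))))
    return sorted(orphans)


def build_descriptor(base, flat_size, hw_version="14"):
    """Build a monolithic-flat VMFS descriptor for an extent of flat_size bytes.
    Adapter type and hardware version are assumed defaults; match them to the
    VM's original settings before relying on the result."""
    if flat_size % SECTOR_SIZE:
        raise ValueError("flat extent size is not a whole number of sectors")
    sectors = flat_size // SECTOR_SIZE
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    return (
        "# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\n"
        "CID=fffffffe\nparentCID=ffffffff\ncreateType=\"vmfs\"\n\n"
        "# Extent description\n"
        f'RW {sectors} VMFS "{base}-flat.vmdk"\n\n'
        "# The Disk Data Base\n#DDB\n\n"
        'ddb.adapterType = "lsilogic"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        f'ddb.geometry.heads = "{HEADS}"\n'
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"\n'
        f'ddb.virtualHWVersion = "{hw_version}"\n'
    )


def write_descriptors(datastore, dry_run=True):
    """Rebuild descriptors for orphaned extents. The encrypted descriptor is
    renamed, never deleted, and the flat extent is never touched."""
    written = []
    for vm_dir, base, size in find_orphaned_flats(datastore):
        target = os.path.join(vm_dir, base + ".vmdk")
        if not dry_run:
            if os.path.exists(target):
                os.replace(target, target + ".pre-recovery")  # preserve evidence
            with open(target, "w", encoding="utf-8") as fh:
                fh.write(build_descriptor(base, size))
        written.append(target)
    return written


def make_demo_datastore():
    """Constructed sample: 'web01' has a descriptor overwritten with
    ciphertext-like bytes, 'db01' is intact. Extents are sparse 64 MiB files."""
    root = tempfile.mkdtemp(prefix="datastore1-")
    size = 64 * 1024 * 1024
    for vm, intact in (("web01", False), ("db01", True)):
        vm_dir = os.path.join(root, vm)
        os.mkdir(vm_dir)
        with open(os.path.join(vm_dir, f"{vm}-flat.vmdk"), "wb") as fh:
            fh.truncate(size)
        with open(os.path.join(vm_dir, f"{vm}.vmdk"), "wb") as fh:
            fh.write(build_descriptor(vm, size).encode() if intact else bytes(range(256)) * 2)
    return root


if __name__ == "__main__":
    ds = make_demo_datastore()
    for vm_dir, base, size in find_orphaned_flats(ds):
        print(f"orphaned extent: {base}-flat.vmdk ({size} bytes) in {vm_dir}")
    for path in write_descriptors(ds, dry_run=False):
        print("rebuilt descriptor:", path)
```

The descriptor is only one of the file types the article lists; the `.vmx` and the other metadata still have to be restored from backup or recreated, and the rebuilt disk should be checked from the ESXi side before the VM is powered on. Running with `dry_run=True` first gives an inventory of what would change without writing anything.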