CISA Releases New Tool to Recover from Ransomware Attacks on Unpatched VMware ESXi Servers
VMware has warned about a large-scale global ransomware campaign that is currently targeting vulnerable VMware ESXi servers worldwide. The hypervisor maker disclosed that threat actors are exploiting a two-year old vulnerability in its ESXi hypervisor and components to deploy ransomware.
VMware ESXi is a service that enables companies to host multiple virtualized systems running different operating systems on a single physical server instance. Over the weekend, several customers reported that attackers infected over 3,200 unpatched VMware ESXi servers with a ransomware variant called “ESXiArgs.” They have used it to encrypt .vmsd, .vmx, .nvra, .vmxf, and .vmdk files stored on vulnerable ESXi servers.
According to the French computer emergency response team CERT-FR, the cybercriminals are leveraging the CVE-2021-21974 flaw that was disclosed and patched in February 2021. The vulnerability had a severity rating of 8.8 and it could be exploited by anyone with access to the same network segment. The proof-of-concept exploit code has been publicly available for the past two years.
Cybersecurity and Infrastructure Security Agency (CISA) investigated the campaign and recommends customers to upgrade to the latest version of vSphere components. Meanwhile, VMware advises customers to disable the OpenSLP service in older versions of ESXi.
Download the “ESXiArgs-Recover” script to recover VMs from ransomware attacks
CISA also released a new “ESXiArgs-Recover” script to help customers recover virtual machines from the ESXiArgs ransomware attacks. “CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” CISA explained.
If you’re affected by the ESXiArgs ransomware attacks, you can download the ESXiArgs recovery tool from GitHub. Keep in mind that the script creates new config files that enable customers to access the virtual machines. However, IT administrators should evaluate the recovery tool to determine its suitability for implementation in their system.
More in Security
CISA Releases New Free Tool to Identify Threats in Microsoft Cloud Services
Mar 24, 2023 | Rabia Noureen
Microsoft Defender for IoT Gets Cloud-Powered Security Features to Protect Enterprise Networks
Mar 21, 2023 | Rabia Noureen
Azure Firewall Basic Now Available to Protect Small Businesses Against Cyberattacks
Mar 16, 2023 | Rabia Noureen
Microsoft Releases Updates to Patch Critical Outlook NTLM Vulnerability
Mar 16, 2023 | Rabia Noureen
Microsoft Warns About New MFA Bypass Tool Used in AiTM Phishing Campaigns
Mar 15, 2023 | Rabia Noureen
Microsoft 365 Defender Adds Real-Time Custom Detections Support in Preview
Mar 14, 2023 | Rabia Noureen
Most popular on petri