Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) released a script to help enterprise customers recover from widespread ESXiArgs ransomware attacks. The threat actors have now created a new variant of the malware that can’t be decrypted with the data recovery script.
According to a report from Malwarebytes, CISA built the ESXiArgs-Recover tool from publicly available information on how the malware works. Unlike the original version, the new variant of the ransomware encrypts much larger portions of the data on vulnerable VMware ESXi virtual machines.
“Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB. This ensures that all files larger than 128 MB are encrypted for 50%. Files under 128MB are fully encrypted, which was also the case in the old variant,” explained Pieter Arntz, a malware analyst at Malwarebytes.
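To make the coverage difference concrete, here is a small model of the new variant's chunk schedule as Arntz describes it. This is an added illustration, not code from the article, from Malwarebytes, or from the malware: it assumes the alternation for large files begins with an encrypted 1 MB chunk at offset 0 and that the 128 MB threshold is a strict "under" comparison, neither of which the quote pins down. The untouched ranges it reports are the only plaintext a recovery approach based on leftover data could still read, which is why the 50% coverage on large files defeats the earlier recovery script.

```python
# Model of the new ESXiArgs encryption coverage (constructed example; assumptions noted inline).
MIB = 1024 * 1024
FULL_ENCRYPT_LIMIT = 128 * MIB   # files under this are fully encrypted (per the Malwarebytes quote)
STEP = 1 * MIB                   # new variant: encrypt 1 MB, skip 1 MB, repeat (assumed to start encrypted)


def encrypted_ranges(size: int) -> list[tuple[int, int]]:
    """Return the [start, end) byte ranges the new routine would encrypt in a file of `size` bytes."""
    if size <= 0:
        return []
    if size < FULL_ENCRYPT_LIMIT:           # assumption: strict "under 128MB"
        return [(0, size)]
    ranges = []
    offset = 0
    while offset < size:
        end = min(offset + STEP, size)      # encrypt this 1 MB (or the tail of the file)
        ranges.append((offset, end))
        offset = end + STEP                 # skip the following 1 MB
    return ranges


def untouched_ranges(size: int) -> list[tuple[int, int]]:
    """Complement of encrypted_ranges: plaintext left behind, i.e. what a data-recovery tool could still use."""
    gaps = []
    prev_end = 0
    for start, end in encrypted_ranges(size):
        if start > prev_end:
            gaps.append((prev_end, start))
        prev_end = end
    if prev_end < size:
        gaps.append((prev_end, size))
    return gaps


def encrypted_fraction(size: int) -> float:
    """Fraction of the file's bytes covered by the encryption routine."""
    if size <= 0:
        return 0.0
    covered = sum(end - start for start, end in encrypted_ranges(size))
    return covered / size


if __name__ == "__main__":
    for mib in (64, 128, 256, 1024):
        size = mib * MIB
        print(f"{mib:5d} MiB file: {encrypted_fraction(size):.1%} encrypted, "
              f"{len(untouched_ranges(size))} untouched 1 MiB gaps")
```

Running the block shows the shape of the problem for defenders: a 64 MiB descriptor is 100% encrypted, while a 1 GiB flat disk is 50% encrypted with 512 interleaved 1 MiB holes, so no contiguous region large enough to rebuild a filesystem survives.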
Additionally, security researchers found that the new ESXiArgs ransomware variant no longer mentions a Bitcoin address. The ransomware informs victims to contact the threat actors through an encrypted messaging service dubbed “Tox Chat.” This method should prevent the payments from being tracked, which could otherwise reveal the hackers’ identity.
CISA recently confirmed that the original ESXiArgs ransomware has infected over 3,800 vulnerable servers worldwide. Attackers have already used it to encrypt .vmdk, .vmxf, .nvram, .vmx, and .vmsd files stored on vulnerable ESXi servers.
Malwarebytes strongly recommends that enterprise customers apply the latest security patches to protect their systems. It also advises IT pros to block internet connectivity to their ESXi VMs. Meanwhile, VMware has published its own recommendations for administrators, and we invite you to check out this blog post for full details.