Researchers Find New ESXiArgs Ransomware Variant that Makes Data Recovery Nearly Impossible


Last week, the US Cybersecurity and Infrastructure Security Agency (CISA) released a script to help enterprise customers recover from widespread ESXiArgs ransomware attacks. The threat actors have now created a new variant of the malware that can’t be decrypted with the data recovery script.

According to a report from Malwarebytes, CISA leveraged the publicly available information on how the malware works to create the ESXiArgs-Recover tool. Unlike the original version, the new variant of the ransomware encrypts much larger portions of the files on vulnerable VMware ESXi servers, which is what defeats the recovery script.

“Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB. This ensures that all files larger than 128 MB are encrypted for 50%. Files under 128MB are fully encrypted, which was also the case in the old variant,” explained Pieter Arntz, a malware analyst at Malwarebytes.
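As an added illustration (not the malware's code and not from the Malwarebytes report), the following models the chunk schedule Arntz describes so a responder can estimate which byte ranges of a file the new variant leaves untouched and how much of it is still recoverable. It assumes the routine begins with a skipped chunk, that "1MB" means 1 MiB, and that a file of exactly 128 MB takes the chunked path; all three are assumptions, not statements from the report.

```python
# Model of the described encryption schedule (assumption-based, see lead-in).
MIB = 1024 * 1024
FULL_ENCRYPT_LIMIT = 128 * MIB   # files below this are encrypted entirely
CHUNK = 1 * MIB                  # skip 1 MiB, then encrypt the next 1 MiB

def encrypted_ranges(file_size: int) -> list[tuple[int, int]]:
    """Byte ranges [start, end) that the described routine would encrypt."""
    if file_size <= 0:
        return []
    if file_size < FULL_ENCRYPT_LIMIT:
        return [(0, file_size)]
    ranges = []
    offset = CHUNK                       # assumption: first chunk is skipped
    while offset < file_size:
        end = min(offset + CHUNK, file_size)
        ranges.append((offset, end))
        offset = end + CHUNK             # skip the following chunk
    return ranges

def intact_ranges(file_size: int) -> list[tuple[int, int]]:
    """Complement of encrypted_ranges: data a carver could still recover."""
    intact, cursor = [], 0
    for start, end in encrypted_ranges(file_size):
        if start > cursor:
            intact.append((cursor, start))
        cursor = end
    if cursor < file_size:
        intact.append((cursor, file_size))
    return intact

def encrypted_fraction(file_size: int) -> float:
    """Share of the file's bytes that end up encrypted."""
    if file_size <= 0:
        return 0.0
    total = sum(end - start for start, end in encrypted_ranges(file_size))
    return total / file_size

if __name__ == "__main__":
    for size in (64 * MIB, 128 * MIB, 256 * MIB, 1000 * MIB):
        print(f"{size // MIB:5d} MiB -> {encrypted_fraction(size):.0%} encrypted, "
              f"{len(intact_ranges(size))} intact ranges")
```

The output reproduces the 50% figure for large files (a 128 MiB file yields 64 encrypted and 64 intact 1 MiB ranges) and 100% for anything smaller, which is why the chunk-skipping recovery approach no longer applies.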

Additionally, security researchers found that the new ESXiArgs ransomware variant no longer mentions a Bitcoin address. The ransom note instead tells victims to contact the threat actors through the encrypted messaging service Tox Chat. Dropping the fixed address makes it harder to track payments that could otherwise help reveal the attackers' identity.

How to block ransomware attacks on unpatched ESXi hypervisors

CISA recently confirmed that the original ESXiArgs ransomware has infected over 3,800 vulnerable servers worldwide. Attackers have already used it to encrypt .vmdk, .vmxf, .nvra, .vmx, and .vmsd files stored on vulnerable ESXi servers.

Malwarebytes strongly recommends that enterprise customers apply the latest security patches to protect their systems. It also advises IT pros to block internet connectivity to their ESXi VMs. Meanwhile, VMware has published its own recommendations for administrators, and we invite you to check out this blog post for full details.