{"id":16969,"date":"2023-02-08T13:33:07","date_gmt":"2023-02-08T12:33:07","guid":{"rendered":"https:\/\/www.show.it\/cisa-releases-open-source-recovery-tool-for-esxiargs-ransomware\/"},"modified":"2023-02-08T13:33:07","modified_gmt":"2023-02-08T12:33:07","slug":"cisa-releases-open-source-recovery-tool-for-esxiargs-ransomware","status":"publish","type":"post","link":"https:\/\/www.show.it\/en\/cisa-releases-open-source-recovery-tool-for-esxiargs-ransomware\/","title":{"rendered":"CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware\u00a0"},"content":{"rendered":"<p><strong>The US Cybersecurity and Infrastructure Security Agency (CISA) has released an open source tool that could help some victims of the recent ESXiArgs ransomware attacks recover their files.<\/strong><\/p>\n<p>The <a href=\"https:\/\/www.securityweek.com\/many-vmware-esxi-servers-targeted-in-ransomware-attack-via-old-vulnerability\/\" target=\"_blank\" rel=\"noreferrer noopener\">ESXiArgs ransomware attacks<\/a>, first observed on February 3, involve exploitation of CVE-2021-21974, a high-severity ESXi remote code execution vulnerability that VMware patched in February 2021.\u00a0<\/p>\n<p>Hackers are leveraging the vulnerability to deploy file-encrypting malware that targets virtual machines (VMs). The cybercriminals are also claiming to have stolen data \u2014 which they threaten to leak \u2014 but currently there is no evidence to back up their claims.<\/p>\n<p>Technical details and a proof-of-concept (PoC) exploit for CVE-2021-21974 have been around for nearly two years, but there is no indication that in-the-wild exploitation has been observed until now. <a href=\"https:\/\/www.securityweek.com\/vmware-says-no-evidence-of-zero-day-exploitation-in-esxiargs-ransomware-attacks\/\" target=\"_blank\" rel=\"noreferrer noopener\">VMware is warning users<\/a> to take action, noting that there is no evidence that a zero-day vulnerability has been involved in the ESXiArgs attacks.<\/p>\n<p>The <a href=\"https:\/\/search.censys.io\/search?resource=hosts&#038;sort=RELEVANCE&#038;per_page=25&#038;virtual_hosts=EXCLUDE&#038;q=services.http.response.body%3A+%22How+to+Restore+Your+Files%22+and+services.http.response.html_title%3A%22How+to+Restore+Your+Files%22\" target=\"_blank\" rel=\"noreferrer noopener\">Censys<\/a> and <a href=\"https:\/\/www.shodan.io\/search?query=title%3A%22how+to+restore+your+files%22\" target=\"_blank\" rel=\"noreferrer noopener\">Shodan<\/a> search engines show there are currently roughly 2,000 compromised ESXi servers. It\u2019s worth noting that the number of hacked systems identified by Censys has decreased in the past days, which indicates that affected organizations have started cleaning up their networks.\u00a0<\/p>\n<p>An <a href=\"https:\/\/blogs.blackberry.com\/en\/2023\/02\/esxiargs-ransomware-knocking-out-unpatched-vmware-esxi-linux-servers-worldwide\" target=\"_blank\" rel=\"noreferrer noopener\">analysis of the ESXiArgs attack<\/a> shows that once a server is compromised, the attacker places a series of files in the \/tmp folder, including an encryptor, a shell script managing the attack flow, a public RSA encryption key, and a ransom note.\u00a0<\/p>\n<p>The shell script is responsible for changing VMX configuration file names, killing running VMX processes, identifying and encrypting VM-related files, placing the ransom note on the targeted system, and deleting the originals of the encrypted files, according to an analysis conducted by BlackBerry researchers.\u00a0<\/p>\n<p>While the ransomware does encrypt some files associated with virtual machines, it appears that \u2014 at least in some cases \u2014 it only encrypts configuration files, not the disk files that store data. This can allow victims to recover their data without paying a ransom to the cybercriminals.<\/p>\n<p>Security researchers Enes Sonmez and Ahmet Aykac have described the steps that users need to take to <a href=\"https:\/\/enes.dev\/\" target=\"_blank\" rel=\"noreferrer noopener\">recover their data<\/a>. CISA has taken the researchers\u2019 tutorial and other publicly available resources and created an <a href=\"https:\/\/github.com\/cisagov\/ESXiArgs-Recover\" target=\"_blank\" rel=\"noreferrer noopener\">ESXiArgs ransomware recovery tool<\/a> that reconstructs VM metadata from virtual disks that were not encrypted by the malware.\u00a0<\/p>\n<p>\u201cAny organization seeking to use CISA\u2019s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,\u201d CISA explained.\u00a0<\/p>\n<p>Based on an initial analysis, experts say the files that have actually been encrypted by the ransomware <a href=\"https:\/\/www.bleepingcomputer.com\/forums\/t\/782193\/esxi-ransomware-help-and-support-topic-esxiargs-args-extension\/page-18#entry5470974\" target=\"_blank\" rel=\"noreferrer noopener\">cannot be recovered<\/a>.\u00a0<\/p>\n<p>ESXiArgs has not been linked to any known ransomware group, but some believe the malware may have been derived from the Babuk source code that was leaked in 2021.<\/p>\n<p><strong>Related:<\/strong><a href=\"https:\/\/www.securityweek.com\/vmware-patches-vm-escape-flaw-exploited-geekpwn-event\/\"> VMware Patches VM Escape Flaw Exploited at Geekpwn Event<\/a><\/p>\n<p><strong>Related:<\/strong><a href=\"https:\/\/www.securityweek.com\/vmware-confirms-exploit-code-released-for-critical-vrealize-logging-vulnerabilities\/\"><strong> <\/strong>VMware Confirms Exploit Code Released for Critical vRealize Logging Vulnerabilities<\/a>\u00a0<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/cisa-releases-open-source-recovery-tool-for-esxiargs-ransomware\/\">CISA Releases Open Source Recovery Tool for ESXiArgs Ransomware\u00a0<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/www.securityweek.com\/\">SecurityWeek<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>The US Cybersecurity and Infrastructure Security Agency (CISA) has released an open source tool that could help some victims of the recent ESXiArgs ransomware attacks recover their files. The ESXiArgs ransomware attacks, first observed on February 3, involve exploitation of CVE-2021-21974, a high-severity ESXi remote code execution vulnerability that VMware patched in February 2021.\u00a0 Hackers [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":16970,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[96,23],"tags":[],"class_list":["post-16969","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-ransomware","category-vulnerabilities"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16969","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/comments?post=16969"}],"version-history":[{"count":0,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/posts\/16969\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media\/16970"}],"wp:attachment":[{"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/media?parent=16969"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/categories?post=16969"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.show.it\/en\/wp-json\/wp\/v2\/tags?post=16969"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}