US CISA Releases a Script to Recover Servers Infected with ESXIARGS RANSOMWARE

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script to recover VMware ESXi servers infected with ESXiArgs ransomware.

So far more than 3,500 servers have been compromised globally and were encrypted. CERT-FR and other CTI agencies reported that the attack campaign exploits the CVE-2021-21974 vulnerability, for which a patch has been available since February 23, 2021.

For the victims of the recent wave of ESXiArgs ransomware attacks, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to allow them to recover encrypted VMware ESXi servers. Its a great relief to victims.

Jack Cable, a senior technical advisor at US CISA, published a list of 2803 bitcoin addresses associated with the infections.

The good news is that in most cases the attacks failed because the ESXiArgs ransomware did not encrypt virtual disk files.

Then the U.S. CISA released a script to recover VMware ESXi servers, it is compiled based on publicly available resources:

The tool is available here: https://github.com/cisagov/ESXiArgs-Recover

ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.” reads the description provided by the Agency.

“CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.”

The script reconstructs virtual machine metadata from virtual disks that were not encrypted by the ransomware.

As usual, every time we attempt to recover files encrypted by ransomware it is a good practice to create a backup of the server.

“This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit.” CISA concludes. “Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.”