CISA battles ESXiArgs ransomware campaign with recovery tool

The U.S. government's Cybersecurity and Infrastructure Security Agency Tuesday released a ransomware recovery script for victims affected by ESXiArgs ransomware.

ESXiArgs is the name of a widespread ransomware campaign that began last Friday and was first observed in France. The French government's cyberagency CERT-FR published an advisory warning that it had become aware of cyber attacks against VMware ESXi hypervisors. Ransomware attacks emerged throughout the weekend in a number of countries including France, Germany, Italy, the Netherlands and the U.S.

According to the updated advisory, threat actors appeared to have targeted ESXi's Service Location Protocol (SLP) service via flaws including CVE-2020-3992 and CVE-2021-21974. CVE-2020-3992 is a critical use-after-free issue with a CVSSv3 score of 9.8, and CVE-2021-21974 is a heap overflow flaw that VMware designated with a high-severity CVSSv3 score of 8.8. The former was disclosed and patched in 2020, and the latter in early 2021.

CISA published a tool for organizations that have been affected by an ESXiArgs attack. The agency described the tool as a decryptor script on its GitHub readme.

"If successful, the decryptor script will output that it has successfully run," the page read. "If unsuccessful, this may mean that your virtual machines cannot be recovered."

As noted in the GitHub post, CISA's recovery tool was developed with publicly available resources, including findings from infosec researchers Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team. Sonmez and Aykac discovered an error with ESXiArgs' encryption process that leaves flat VMDK files unaffected and can allow victims to recover data.

OVHcloud CISO Julien Levrard said in a Friday blog post that his company, a French cloud provider affected by the ransomware attack, had tested Enes and Aykac's recovery method and found it was successful in two-thirds of cases.

CISA declined TechTarget Editorial's request for additional information. Instead, a CISA spokesperson shared the following statement.

"CISA is working with our public and private sector partners to assess the impacts of these reported incidents and providing assistance where needed," the spokesperson said. "Any organization experiencing a cybersecurity incident should immediately report it to CISA or the FBI. Organizations should continue taking urgent steps to reduce the risk of ransomware incidents, including by adopting the guidance on StopRansomware.gov and implementing basic cyber hygiene such as multifactor authentication, which can drastically reduce your risk of being hacked."

The agency on Wednesday also published a joint cybersecurity advisory with the FBI to act as recovery guidance for ESXiArgs ransomware victims. The advisory recommends that customers update to the latest VMware ESXi software, disable the SLP service and ensure the ESXi hypervisor isn't connected to the internet. It also provides mitigations as well as additional details about how the recovery script works.

"ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable," the advisory read. "Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files."

Alexander Culafi is a writer, journalist and podcaster based in Boston.