CISA: VMware ESXi Servers Ransomware Recovery.

VMware ESXi Attack

A global ransomware attack has recently been targeting VMware ESXi servers. VMware has publicly attributed it to the exploitation of a vulnerability that has existed for the past 2 years in the ESXi hypervisor and its module. Customers using the hypervisor have reported that attackers were able to infect over 3,200 unpatched ESXi servers. The ransomware variant, known as “ESXiArgs”, encrypts files with the extensions .vmsd, .nvram, .vmdk, .vmx and .vmxf stored on vulnerable ESXi servers.

Cybercriminals are exploiting CVE-2021-21974, which was patched in February 2021, as reported by CERT-FR (the French Computer Emergency Response Team). The vulnerability has a severity score of 8.8, a high rating, and can be exploited by attackers with access to the same network segment.

The Cybersecurity and Infrastructure Security Agency (CISA) has investigated the campaign and recommends that users who have not yet upgraded to the latest version of the firmware do so. VMware has also advised disabling the OpenSLP service on older versions of ESXi.

Recover from the ESXiArgs ransomware attack using the “ESXiArgs-Recover” patch:

CISA has released a new recovery script, “ESXiArgs-Recover”, to help users of the hypervisor recover their machines from the ransomware attack. Some organizations have reported to CISA that they were able to recover their files without paying a ransom. The tool draws on available resources and on the work of two cybersecurity experts, Enes Sönmez and Ahmet Aykac. It works by reconstructing virtual machine metadata from virtual disks that were not affected by the malware.

The recovery tool can be downloaded from the GitHub repository here. Users are advised to read through the file for the instructions and hardware configurations needed to run the script.
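
To scope recovery, a defender can inventory which VM folders hold files with the targeted extensions and flag config files that no longer read as text. This Python example is added here and is not CISA's ESXiArgs-Recover script or code from this article; it assumes that healthy .vmx, .vmxf and .vmsd files are plain text, and the folder and file names in `demo()` are constructed.

```python
import os
import tempfile

# Extensions the article lists; the TEXT_CONFIG subset is assumed plain text when healthy.
TARGETED = {".vmsd", ".nvram", ".vmdk", ".vmx", ".vmxf"}
TEXT_CONFIG = {".vmsd", ".vmx", ".vmxf"}


def looks_like_text(head: bytes) -> bool:
    """True when a file head is empty or at least 95% printable ASCII/whitespace."""
    if not head:
        return True
    printable = sum(1 for b in head if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(head) >= 0.95


def triage(datastore: str) -> dict:
    """Per VM folder: targeted files that are present, and config files that look encrypted."""
    report = {}
    for root, _dirs, files in os.walk(datastore):
        for name in sorted(files):
            ext = os.path.splitext(name)[1].lower()
            if ext not in TARGETED:
                continue
            vm = os.path.relpath(root, datastore)
            entry = report.setdefault(vm, {"present": [], "suspect": []})
            entry["present"].append(name)
            if ext in TEXT_CONFIG:
                with open(os.path.join(root, name), "rb") as fh:
                    if not looks_like_text(fh.read(4096)):
                        entry["suspect"].append(name)
    return report


def demo() -> dict:
    """Build a constructed two-VM datastore in a temp directory and triage it."""
    with tempfile.TemporaryDirectory() as ds:
        for vm in ("vm-ok", "vm-hit"):
            os.mkdir(os.path.join(ds, vm))
        with open(os.path.join(ds, "vm-ok", "vm-ok.vmx"), "w") as fh:
            fh.write('.encoding = "UTF-8"\ndisplayName = "vm-ok"\n')
        with open(os.path.join(ds, "vm-hit", "vm-hit.vmx"), "wb") as fh:
            fh.write(bytes(range(256)) * 4)  # constructed stand-in for ciphertext
        with open(os.path.join(ds, "vm-hit", "vm-hit-flat.vmdk"), "wb") as fh:
            fh.write(b"\x00" * 512)  # binary disk data: inventoried only
        return triage(ds)


if __name__ == "__main__":
    print(sorted(demo().items()))
```

Run `triage()` against a read-only copy or mount of the datastore so the evidence is not modified before recovery.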



