Yesterday, large-scale "ESXiArgs" ransomware attacks were carried out against VMware vSphere servers worldwide. Reports suggest that around 2,800 servers were targeted, though for a large part the attacks were unsuccessful, as many organizations were able to recover their data. VMware, in its defense, stated that the vulnerability exploited was not a new zero-day: it had already patched the security flaw in 2021.
In an advisory, VMware has reiterated the same point and shared its findings on the attack, advising customers to update their vSphere components and providing additional resources to help understand the cyberattack:
We wanted to address the recently reported ‘ESXiArgs’ ransomware attacks as well as provide some guidance on actions concerned customers should take to protect themselves.
VMware has not found evidence that suggests an unknown vulnerability (0-day) is being used to propagate the ransomware used in these recent attacks. Most reports state that End of General Support (EOGS) and/or significantly out-of-date products are being targeted with known vulnerabilities which were previously addressed and disclosed in VMware Security Advisories (VMSAs).
With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities. In addition, VMware has recommended disabling the OpenSLP service in ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.
The Cybersecurity and Infrastructure Security Agency (CISA) has now also offered support in the matter by releasing an "ESXiArgs-Recover" script to help affected users recover from the ESXiArgs attack. CISA explains that the tool works by reconstructing virtual machine metadata from the virtual disks that were not successfully encrypted during the ransomware attack.
ESXiArgs-Recover is a tool to allow organizations to attempt recovery of virtual machines affected by the ESXiArgs ransomware attacks.
CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.
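The recovery approach CISA describes rests on one observation: the ransomware encrypted the small VM metadata files, but the large *-flat.vmdk extents holding the actual disk contents were left intact, so a VM can be brought back by rebuilding the descriptor that points at its flat extent. The following Python script is an added illustration of that idea and is not CISA's ESXiArgs-Recover script. It assumes the standard VMware descriptor layout for a flat VMFS disk, the conventional lsilogic geometry (255 heads, 63 sectors per track), and a default virtual hardware version of 14; the disk name and size used in the usage section are constructed sample values.

```python
"""
Rebuild a VMDK descriptor for an existing, unencrypted *-flat.vmdk extent.

Added illustration only (not CISA's ESXiArgs-Recover script). The descriptor
text follows the standard VMware flat-disk descriptor layout; the geometry
constants are the usual lsilogic defaults and are assumptions, as is the
virtual hardware version.
"""
import os

SECTOR_SIZE = 512
HEADS = 255               # assumed lsilogic default geometry
SECTORS_PER_TRACK = 63    # assumed lsilogic default geometry


def flat_extent_sectors(size_bytes: int) -> int:
    """Number of 512-byte sectors covered by a flat extent of the given size."""
    if size_bytes <= 0 or size_bytes % SECTOR_SIZE:
        raise ValueError("flat extent size must be a positive multiple of 512 bytes")
    return size_bytes // SECTOR_SIZE


def build_descriptor(flat_name: str, size_bytes: int, hw_version: int = 14) -> str:
    """Return descriptor text that references flat_name as the disk's only extent."""
    sectors = flat_extent_sectors(size_bytes)
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    return (
        "# Disk DescriptorFile\n"
        "version=1\n"
        'encoding="UTF-8"\n'
        "CID=fffffffe\n"
        "parentCID=ffffffff\n"
        'createType="vmfs"\n'
        "\n"
        "# Extent description\n"
        f'RW {sectors} VMFS "{flat_name}"\n'
        "\n"
        "# The Disk Data Base\n"
        "#DDB\n"
        "\n"
        'ddb.adapterType = "lsilogic"\n'
        f'ddb.geometry.cylinders = "{cylinders}"\n'
        f'ddb.geometry.heads = "{HEADS}"\n'
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"\n'
        f'ddb.virtualHWVersion = "{hw_version}"\n'
    )


def write_descriptor_for(flat_path: str, overwrite: bool = False) -> str:
    """Write <name>.vmdk beside <name>-flat.vmdk and return the descriptor path.

    Refuses to clobber an existing descriptor unless overwrite=True, so a
    partially intact datastore is not damaged further by a careless run.
    """
    if not flat_path.endswith("-flat.vmdk"):
        raise ValueError("expected a path ending in -flat.vmdk")
    descriptor_path = flat_path[: -len("-flat.vmdk")] + ".vmdk"
    if os.path.exists(descriptor_path) and not overwrite:
        raise FileExistsError(f"{descriptor_path} already exists; refusing to overwrite")
    size_bytes = os.path.getsize(flat_path)  # extent size determines the RW sector count
    text = build_descriptor(os.path.basename(flat_path), size_bytes)
    with open(descriptor_path, "w", encoding="utf-8") as fh:
        fh.write(text)
    return descriptor_path


if __name__ == "__main__":
    # Constructed sample: a 1 GiB flat extent named "web01-flat.vmdk".
    print(build_descriptor("web01-flat.vmdk", 1 << 30))
```

Run it as `python rebuild_descriptor.py` to print the descriptor for the sample disk, or call `write_descriptor_for("/vmfs/volumes/<datastore>/<vm>/<vm>-flat.vmdk")` on a copy of the affected datastore files to write the descriptor next to the extent. The sector count is derived from the flat file's real size rather than trusting any value recorded in damaged metadata, and the script never modifies the flat extent itself.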
You can head over to the GitHub page where CISA has provided detailed steps on how to apply the ESXiArgs-Recover script.
Source: CISA (Twitter)