Script Has Appeared to Restore VMware ESXi Servers Affected by ESXiArgs Ransomware Attack

script to restore ESXi servers
Written by Emma Davis

Experts from the US Department of Homeland Security Cybersecurity and Infrastructure Protection Agency (DHS CISA) have prepared a script to restore VMware ESXi servers that were encrypted as a result of recent massive ESXiArgs ransomware attacks.

We also wrote about CISA official federal agencies that urgently fix vulnerability in Windows 10, and we also published: US Authorities List Vulnerabilities That Chinese Hackers Attack.

Let me remind you that last week, thousands of VMware ESXi servers were hacked by the new ESXiArgs ransomware as part of a large-scale hacking campaign. The attackers exploited a two-year-old vulnerability (CVE-2021-21974) that allowed them to execute remote commands on vulnerable servers via OpenSLP (port 427).

At the same time, VMware developers emphasized that hackers definitely did not use any zero-day vulnerabilities, and OpenSLP after 2021 is generally disabled by default.

That is, the attackers targeted products that were “significantly outdated,” and there were quite a few of them. According to CISA, about 2,800 servers were hacked, while last week experts counted about 3,200 at all.

Shortly after the attacks began, Yöre Grup CTO Enes Sonmez published a massive guide describing a way for VMware administrators to decrypt affected servers, recovering their virtual machines and data for free.

The fact is that although many devices were encrypted, it can be said that the malicious campaign as a whole was not successful: the attackers failed to encrypt the flat files where virtual disk data is stored.

However, the method described by Sonmez and his colleagues for restoring virtual machines from unencrypted flat files turned out to be too complicated for many. Therefore, CISA experts have prepared a special script for recovering affected servers, with which there should be much less problems, since it automates the entire process.

This tool works by restoring virtual machine metadata from virtual disks that have not been encrypted by malware.the experts explain.

Also posted on GitHub is a step-by-step guide to using this script. CISA encourages administrators to review and study the script before starting recovery to understand how it works and avoid possible complications. It is also strongly recommended that you make backups beforehand.

User Review
0 (0 votes)
Comments Rating 0 (0 reviews)

About the author

Emma Davis

I'm writer and content manager (a short time ago completed a bachelor degree in Marketing from the Gustavus Adolphus College). For now, I have a deep drive to study cyber security.

Leave a Reply