CISA publishes recovery script for ESXiArgs ransomware as Florida courts, universities reel

The Cybersecurity and Infrastructure Security Agency has published a process for recovering files for organizations affected by the ESXiArgs ransomware, which has wreaked havoc on organizations across the world since last Friday. 

On its GitHub page Tuesday evening, CISA said victims should evaluate the script before using it to try to recover access to affected files. The script is based on work by two Turkish developers who posted a step-by-step tutorial earlier this week.

The ransomware exploits a 2-year-old vulnerability affecting VMWare EXSi servers — CVE-2021-21974 — and has already encrypted files at more than 3,800 organizations across the United States, France, Italy and more. The company issued a patch in 2021. ESXi servers are used to access several operating systems through one server.

Reuters reported on Tuesday that Florida's Supreme Court, the Georgia Institute of Technology, Rice University and several schools in Hungary and Slovakia were some of the ransomware's victims.

CISA specifically pointed to the work of Enes Sönmez and Ahmet Aykaç, two developers for the Turkish food retail and distribution company Yöre Group.

The script works "by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware," CISA said.

CISA went on to warn that it “does not assume liability for damage caused by this script.”

The FBI and CISA also issued a joint alert about blocking the ransomware and responding to attacks.

European cybersecurity authorities began warning of “massive active network exploitation” on Friday. Italy’s National Cybersecurity Agency (ACN) joined France’s computer emergency response team (CERT-FR) and Finland’s Kyberturvallisuuskeskus (Cybersecurity Center) in issuing warnings over the weekend about the campaign.

The ransomware actors are targeting unpatched VMWare servers that are connected to the internet — something several experts said is a grave mistake.

"These vulnerabilities can allow an attacker to execute arbitrary code on a remote host, potentially compromising the system and leading to data theft and other malicious activities," Sönmez and Aykaç wrote.

Most victims have reported seeing a ransom note asking for $50,000 worth of Bitcoin. Arctic Wolf’s Dan Schiappa said that based on the ransom note, the campaign is tied to a single threat actor or group. The low ransom demand and “widespread, opportunistic targeting” led him to assess that the campaign is not tied to any of the ransomware groups that typically target large companies or organizations. 

“More established ransomware groups typically conduct OSINT on potential victims before conducting an intrusion and set the ransom payment based on perceived value," Schiappa said. "Although the ransom note indicates the threat actors exfiltrated data, we have not observed reporting supporting this claim.”  

Several other experts said the fiasco highlights the problem so many organizations have with patching quickly, considering VMWare published a patch for CVE-2021-21974 in February 2021.

Cybrary's senior director of threat intelligence, David Maynor, added that its a “known secret” in the offensive hacking community that while the operating systems that are run in virtualized environments are getting more secure, the underlying tools that wrap around them are still very buggy. 

“VMWare has had ongoing ESXi issues for years,” Maynor said. “It would be best if you were not exposing your ESXi management interface to the world.”

Joe Warminsky contributed reporting to this article.

Get more insights with the
Recorded Future
Intelligence Cloud.
Learn more.
No previous article
No new articles

Jonathan Greig

Jonathan Greig

is a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since 2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia. He previously covered cybersecurity at ZDNet and TechRepublic.