
CISA releases ESXiArgs ransomware recovery script
2023-02-08 12:08

According to the latest data, the number of ESXiArgs ransomware victims has surpassed 3,800, and CISA has published a recovery script for victim organizations.

Investigations point to a new family of ransomware, dubbed ESXiArgs by the researchers - though, according to Paul Ducklin, Sophos Head of Technology for the Asia Pacific region, it should be just Args, as it is a Linux program that can be used against more than just VMware ESXi systems and files.

"Depending on your VM OS and file system type, you might be able to recover data with data recovery tools, at least partially. Be careful, these tools might have irreversible actions on the file, so we recommend copying the VM files to another location to protect the data before trying any recovery operation," warned Julien Levrard, CISO at OVHcloud.

To help organizations recover virtual machines affected by the ESXiArgs ransomware attacks, CISA has released a recovery script based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team.

"The tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs," CISA explained, but urged organizations to review the script before deploying it, to determine whether it is appropriate for their environment.
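The reconstruction step CISA describes, as an added illustration that is neither CISA's script nor the YoreGroup tutorial: a POSIX shell function that writes a new descriptor file for a surviving, unencrypted -flat.vmdk instead of touching the encrypted files. The file naming convention, the placeholder CID values and the 255x63 geometry convention are assumptions.

```shell
# Added example: rebuild a VMDK descriptor for an unencrypted <vm>-flat.vmdk
# whose original <vm>.vmdk descriptor was encrypted. Nothing encrypted is
# deleted or modified; only a new descriptor is written next to the flat file.

# Number of 512-byte sectors in a file (descriptor extents are counted in sectors).
flat_sectors() {
    bytes=$(wc -c < "$1")
    echo $(( bytes / 512 ))
}

# Write a minimal VMFS descriptor for the given flat file and print its path.
# Usage: write_descriptor /vmfs/volumes/<datastore>/<vm>/<vm>-flat.vmdk
# Refuses to overwrite an existing descriptor so a surviving one is never clobbered.
write_descriptor() {
    flat="$1"
    case "$flat" in
        *-flat.vmdk) ;;
        *) echo "not a -flat.vmdk file: $flat" >&2; return 1 ;;
    esac
    desc="${flat%-flat.vmdk}.vmdk"
    if [ -e "$desc" ]; then
        echo "descriptor already exists, not overwriting: $desc" >&2
        return 1
    fi
    sectors=$(flat_sectors "$flat")
    if [ "$sectors" -le 0 ]; then
        echo "flat file is empty: $flat" >&2
        return 1
    fi
    # Assumed geometry: 255 heads x 63 sectors per track, cylinders rounded up.
    cylinders=$(( (sectors + 16064) / 16065 ))
    cat > "$desc" <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"
# Extent description
RW $sectors VMFS "$(basename "$flat")"
# The Disk Data Base
#DDB
ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cylinders"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
EOF
    echo "$desc"
}
```

Work on a copy of the VM directory first, as OVHcloud advises above, and verify the rebuilt descriptor by registering the VM before relying on it.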

According to a recent tally by CISA technical advisor Jack Cable, which combines Censys's scanning results for internet-facing systems with a collection of Bitcoin addresses gathered by the crowdsourced ransomware payment tracker Somewhere, over 3,800 systems have been hit by the ransomware.

News URL

https://www.helpnetsecurity.com/2023/02/08/esxiargs-ransomware-recovery/