CISA Releases Decryptor Tool to Combat New ESXiArgs Ransomware Variant


On February 11th, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a decryptor for victims of the ESXiArgs ransomware attack. However, the threat actors have responded with an updated version that encrypts more data. Reports suggest that files larger than 128MB now have 50% of their data encrypted, making recovery more challenging. Furthermore, the ransom note has been changed to remove the Bitcoin address; it instead urges victims to contact the attackers on Tox to obtain wallet information.


Statistics from Ransomwhere reveal that as many as 1,252 servers had been infected by the new version of ESXiArgs as of February 9th, 2023, 1,168 of them reinfections. In total, over 3,800 unique hosts have been compromised, with the majority located in France, the U.S., Germany, Canada, the U.K., the Netherlands, Finland, Turkey, Poland, and Taiwan.


Unlike other ransomware families, ESXiArgs does not operate a data leak site, indicating that it is not run on a ransomware-as-a-service (RaaS) model. The ransom is set at just over two bitcoins (US$47,000), and victims are given three days to pay.


Initially, it was suspected that the intrusions involved the abuse of a two-year-old OpenSLP bug in VMware ESXi (CVE-2021-21974). However, compromises have since been reported on devices that had the SLP service disabled. VMware has also found no evidence that a zero-day vulnerability in its software is being used to propagate the ransomware.


Cybersecurity company Rapid7 found 18,581 internet-facing ESXi servers that are vulnerable to CVE-2021-21974 and observed RansomExx2 actors opportunistically targeting susceptible ESXi servers. Tony Lauro, director of security technology and strategy at Akamai, warned: “the ESXiArgs ransomware is a prime example of why system administrators need to implement patches quickly after they are released”. It is therefore imperative that users update to the latest version quickly in order to protect themselves from this threat. The attacks have yet to be attributed to a known threat actor or group.
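The practical takeaway from the two paragraphs above is that an ESXi host should be patched and, where SLP is not needed, the OpenSLP service in which CVE-2021-21974 lives should be switched off. The script below is an added example (not from the article, CISA or VMware) that audits SLP exposure on an ESXi host and can apply VMware's documented workaround. It assumes the ESXi shell commands `esxcli network firewall ruleset list` (columns Name and Enabled), `/etc/init.d/slpd status` (which prints "slpd is running"), `esxcli network firewall ruleset set -r CIMSLP -e 0`, `/etc/init.d/slpd stop` and `chkconfig slpd off`; the parsing helpers read command output on stdin, so they can be checked off-host against the constructed sample output embedded at the bottom.

```shell
#!/bin/sh
# Added example: audit (and optionally disable) OpenSLP on an ESXi host.
# Assumed ESXi commands: esxcli network firewall ruleset list / set, /etc/init.d/slpd, chkconfig.

# Prints the Enabled value ("true"/"false") of the CIMSLP firewall ruleset read from
# 'esxcli network firewall ruleset list' output on stdin, or "unknown" if it is absent.
slp_ruleset_enabled() {
    awk '$1 == "CIMSLP" { print tolower($2); found = 1 }
         END { if (!found) print "unknown" }'
}

# Prints "running" or "stopped" given '/etc/init.d/slpd status' output on stdin.
# "slpd is not running" does not contain "is running", so it maps to "stopped".
slpd_state() {
    if grep -q 'is running'; then echo running; else echo stopped; fi
}

# Combines both signals: "exposed" when the daemon is up AND the firewall rule is open,
# "reduced" when only one of the two holds, "closed" otherwise.
slp_verdict() {
    rs="$1"; dm="$2"
    if [ "$rs" = "true" ] && [ "$dm" = "running" ]; then echo exposed
    elif [ "$rs" = "true" ] || [ "$dm" = "running" ]; then echo reduced
    else echo closed; fi
}

# VMware's documented workaround: close the firewall rule, stop slpd, keep it off at boot.
disable_slp() {
    esxcli network firewall ruleset set -r CIMSLP -e 0
    /etc/init.d/slpd stop
    chkconfig slpd off
}

# Query the real host only when ESXi tooling is present; otherwise feed the helpers
# constructed sample output so the logic can be exercised on a workstation.
if command -v esxcli >/dev/null 2>&1; then
    ruleset=$(esxcli network firewall ruleset list | slp_ruleset_enabled)
    daemon=$(/etc/init.d/slpd status 2>/dev/null | slpd_state)
else
    ruleset=$(printf 'Name      Enabled\n--------  -------\nsshServer true\nCIMSLP    true\n' | slp_ruleset_enabled)
    daemon=$(printf 'slpd is running\n' | slpd_state)
fi
verdict=$(slp_verdict "$ruleset" "$daemon")
echo "CIMSLP ruleset enabled: $ruleset, slpd: $daemon, SLP exposure: $verdict"

# Pass --fix on a real host to apply the workaround when SLP is still reachable.
if [ "${1:-}" = "--fix" ] && [ "$verdict" != "closed" ] && command -v esxcli >/dev/null 2>&1; then
    disable_slp
fi
```

Disabling SLP removes the CVE-2021-21974 exposure but is not a substitute for the patch, and, as the article notes, hosts with SLP already off have also been hit, so the host still needs updating and its management interfaces kept off the internet.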