VMware ESXi Server Ransomware Attack Evolves, Recovery Script Released

On Wednesday, the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) released a recovery script for organizations affected by a massive ransomware attack targeting VMware ESXi servers worldwide. However, reports have surfaced that the malware has evolved in a way that has made earlier recovery procedures ineffective.

The attacks, aimed at VMware's ESXi bare-metal hypervisor, were first made public on February 3 by the French Computer Emergency Response Team (CERT-FR). They target ESXi instances running older, unpatched versions of the software, and have affected some 3,800 servers globally.

The ransomware encrypts the files that define each virtual machine on a compromised host (its configuration and disk-descriptor files), which can leave the affected VMs unbootable. One ransom note issued to an affected company asked for about $23,000 in bitcoin. In response, CISA and the FBI released a recovery script. It does not delete the encrypted files; instead it attempts to rebuild replacement configuration files from the data the ransomware left intact. It is not a guaranteed way around the ransom demand, and it does not fix the underlying vulnerability that let the ESXiArgs attack succeed in the first place, so a host that is recovered but not patched and isolated can simply be hit again.

Following the release of the script, reports have surfaced of a new version of the ransomware that is infecting servers and rendering the earlier recovery methods ineffective. This version encrypts a much larger share of each affected file, leaving too little intact data for the CISA script to rebuild clean replacements. Additionally, this new wave of ESXiArgs attacks is reported to work even on systems that do not have the Service Location Protocol (SLP) service enabled, which would mean that disabling SLP on its own is not a sufficient mitigation.

Gartner senior director analyst Jon Amato said while this is plausible, it has yet to be confirmed by security research organizations. He added that attempting the recovery script is still a good idea for affected organizations.

CISA recommends that affected organizations update their ESXi hosts to the latest supported version, disable the SLP service, and isolate the hypervisors from the public Internet (in particular the management interfaces and SLP port 427) before re-initializing systems.
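For an administrator who manages ESXi hosts through vCenter, the "disable SLP and check patch level" part of that advice can be applied fleet-wide from PowerCLI. The script below is an added example for this article, not code from CISA, the FBI or VMware: it stops the slpd service on every host, sets its startup policy to off, disables the firewall exception that vSphere labels "CIM SLP" (the rule that opens port 427), and then reports each host's build so unpatched hosts stand out. The vCenter hostname is a placeholder, and the minimum build number is an assumption you must replace with the build named in the VMware advisory for your version; the script does not itself patch anything or restrict Internet exposure, which still has to be done at the network edge.

```powershell
# Added example (not from the article or from VMware/CISA). Assumes VMware PowerCLI
# is installed and the account used can administer the ESXi hosts in vCenter.
# For every host managed by the vCenter:
#   1. stop the SLP daemon (slpd) and set its startup policy to "off"
#   2. disable the "CIM SLP" firewall exception so TCP/UDP 427 is closed
#   3. report version/build and flag hosts below the assumed minimum build
param(
    [string]$VCenter = "vcenter.example.internal",   # placeholder, replace
    [int]$MinimumBuild = 0                            # assumption: set from the VMware advisory
)

Connect-VIServer -Server $VCenter | Out-Null

foreach ($vmhost in Get-VMHost) {
    # 1. Stop slpd now and keep it stopped across reboots
    $slp = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq "slpd" }
    if ($slp) {
        if ($slp.Running) {
            Stop-VMHostService -HostService $slp -Confirm:$false | Out-Null
        }
        Set-VMHostService -HostService $slp -Policy "off" | Out-Null
    }

    # 2. Close the CIM SLP firewall exception (port 427)
    $rule = Get-VMHostFirewallException -VMHost $vmhost -Name "CIM SLP"
    if ($rule -and $rule.Enabled) {
        Set-VMHostFirewallException -Exception $rule -Enabled $false | Out-Null
    }

    # 3. Re-read the state after the changes and report it, one row per host
    $slp  = Get-VMHostService -VMHost $vmhost | Where-Object { $_.Key -eq "slpd" }
    $rule = Get-VMHostFirewallException -VMHost $vmhost -Name "CIM SLP"
    [pscustomobject]@{
        Host        = $vmhost.Name
        Version     = $vmhost.Version
        Build       = $vmhost.Build
        NeedsPatch  = ([int]$vmhost.Build -lt $MinimumBuild)   # true when below the assumed minimum
        SlpRunning  = $slp.Running          # expected: False
        SlpPolicy   = $slp.Policy           # expected: off
        SlpFirewall = $rule.Enabled         # expected: False
    }
}

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it once to apply the mitigations and again afterwards to confirm that every row shows slpd stopped, its policy off and the firewall exception disabled; any host with NeedsPatch set to true should be patched before it is reconnected to anything reachable from the Internet. Given the report that the newer variant may not depend on SLP at all, treat this as one layer of the response rather than a complete fix.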