CISA Alert AA23-039A – ESXiArgs ransomware virtual machine recovery guidance.

This is a CISA Cybersecurity Alert. ID number Alpha Alpha Two Three tack Zero Three Nine Alpha.

Original release date: February Eighth, 2023.

CISA and the FBI are releasing this alert in response to the ongoing ransomware campaign, known as “ESXiArgs.” (pronounced “E-S-X-I args”) Malicious actors are exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines unusable.

CISA has released an ESXiArgs recovery script available for download on github. The verified link to this script can be found in the show notes. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. The full alert documentation linked in the show notes provides additional guidance on how to use the script.

Malicious actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to: 

Update servers to the latest version of VMware ESXi software, 

Harden ESXi hypervisors by disabling the Service Location Protocol service, 

And, ensure the ESXi hypervisor is not exposed to the public internet.

If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this alert to attempt to recover access to your files.  

The alert documentation linked in the show notes includes additional technical details, recovery guidance, mitigations, and response recommendations. CISA and FBI would like to thank VMware for their contributions to this alert.

To report incidents and anomalous activity or to request incident response resources or technical assistance, contact CISA at report@cisa.gov, or call (888) 282-0870, or report incidents to your local FBI field office.

This report was written by CISA, the United States Cybersecurity and Infrastructure Security Agency, and edited and adapted for audio by the CyberWire as a public service. Please visit www dot cisa dot gov to read the full report which may include additional details, links, and illustrations. A link to this report can be found in the show notes.

This has been a CISA Cybersecurity Alert.