Update on ESXiArgs ransomware: mitigation tools released.
N2K, Feb 8, 2023

Data may be salvageable in some cases.


The US Cybersecurity and Infrastructure Security Agency (CISA) and SecurityScorecard have each released material for responding to ESXiArgs ransomware: CISA a recovery script for affected virtual machines, and SecurityScorecard a report that tracks potentially vulnerable ESXi servers and the malicious IP addresses they have been communicating with.

Unencrypted flat files may be used to recover data.

CISA has released a script that can, in some cases, rebuild virtual machines hit by ESXiArgs. The script does not decrypt anything: it reconstructs the VM's configuration files around the virtual disk data that the ransomware left intact. BleepingComputer explains that the ransomware “failed to encrypt flat files, where the data for virtual disks are stored.”

The agency stated, “CISA’s ESXiArgs script is based on findings published by the third-party researchers mentioned above. Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.”

Tracking IP addresses.

SecurityScorecard has published a report looking at potentially vulnerable ESXi servers, and cases in which these servers have recently communicated with malicious IP addresses:

“The IP address that appears most likely to reflect an attempt by a ransomware group to exploit this vulnerability is 161.47.17[.]28; it not only appeared in all three of the ESXi traffic samples collected in response to the recent advisories, but also appeared in multiple previous STRIKE Team ransomware investigations.”
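The practical use of an indicator like this is to search your own firewall or flow logs for it. The following is an added example, not code from the article, CISA or SecurityScorecard: it refangs the indicator as published (with the defanging brackets removed) and scans log lines for it as a whole address, so that a longer address such as 161.47.17.280 does not produce a false positive. The log lines and their format are constructed for illustration and are not real ESXi or firewall output.

```python
"""Added example: search log lines for the defanged indicator from the
SecurityScorecard report. Not CISA's or SecurityScorecard's code.
The sample log lines and their format are constructed, not real."""
import re
from typing import Iterable, List, Tuple

# Indicator as published in the report, still in its defanged form.
IOCS_DEFANGED = ["161.47.17[.]28"]


def refang(ioc: str) -> str:
    """Undo common defanging ('[.]', '(.)', '[dot]', 'hxxp') so the
    indicator matches what actually appears in logs."""
    s = ioc.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".")
    s = re.sub(r"^hxxps?://", lambda m: m.group(0).replace("hxxp", "http"), s)
    return s


def find_ioc_hits(lines: Iterable[str], iocs_defanged: List[str]) -> List[Tuple[int, str, str]]:
    """Return (line_number, ioc, line) for every line that contains an IOC
    as a whole address. The lookarounds reject a match that is merely a
    prefix of a longer dotted address (e.g. 161.47.17.280)."""
    patterns = [
        (ioc, re.compile(r"(?<![\d.])" + re.escape(refang(ioc)) + r"(?![\d.])"))
        for ioc in iocs_defanged
    ]
    hits: List[Tuple[int, str, str]] = []
    for n, line in enumerate(lines, 1):
        for ioc, pat in patterns:
            if pat.search(line):
                hits.append((n, ioc, line.rstrip()))
    return hits


# Constructed sample: a generic "src -> dst" firewall log, not a real format.
SAMPLE_LOG = """\
2023-02-06T10:01:12Z fw01 ALLOW TCP 10.0.4.21:51234 -> 161.47.17.28:443
2023-02-06T10:01:13Z fw01 ALLOW TCP 10.0.4.21:51235 -> 203.0.113.9:443
2023-02-06T10:02:40Z fw01 DENY  TCP 161.47.17.280:22 -> 10.0.4.21:22
2023-02-06T10:03:05Z fw01 ALLOW TCP 10.0.4.22:51300 -> 161.47.17.28:8443
""".splitlines()


if __name__ == "__main__":
    for n, ioc, line in find_ioc_hits(SAMPLE_LOG, IOCS_DEFANGED):
        print(f"line {n}: matched {ioc}: {line}")
```

Run against the constructed sample, only lines 1 and 4 are reported; line 3 is skipped because 161.47.17.280 is a different address. Point `find_ioc_hits` at real log lines (for example `open(path)`) to use it on your own data.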