Update: New ESXiArgs ransomware breaks CISA script


Attackers targeting VMware ESXi servers have released a new strain of ransomware. Data encrypted in this way cannot be decrypted using the CISA script.

Update from 2/21/2023: Just a few days after the US cybersecurity authority CISA released a script for restoring ESXi servers, a new variant of the ransomware is already in circulation. Data encrypted by it cannot be decrypted using the CISA script, as Malwarebytes reports. The modified ransomware uses a new encryption routine that, according to the current state of knowledge, makes data recovery almost impossible.

To date, around 3,800 servers have fallen victim to the ESXiArgs ransomware, writes Malwarebytes, citing information from CISA and the US federal police, the FBI.

Update 02/09/2023: The US Cybersecurity and Infrastructure Security Agency (CISA) is helping administrators of VMware servers affected by the ransomware attack. The agency has published a script on GitHub that tries to restore attacked servers.

The script takes advantage of the fact that the ransomware distributed by the cybercriminals often only encrypts small files that primarily contain structural information. The large files that hold the actual data of the attacked virtual machines are encrypted less frequently, as “Bleeping Computer” explains. The script is based, among other things, on the instructions by Enes Sonmez mentioned below and automates the rescue steps described there.

Original message from February 7th, 2023: Cyber attacks on VMware servers: what system administrators can do

Criminal hackers managed to infect a large number of IT systems with ransomware within a few days. They use a long-known vulnerability in VMware’s ESXi servers as the entry point. Several government agencies have since issued warnings about the wave of attacks, and the cybersecurity firm Censys says more than 2,400 servers have been infected with the malware.

This is how system administrators recognize an infection

System administrators running one of the vulnerable ESXi server versions from VMware should install the security patches, which have been available for almost two years, as soon as possible, or at least protect their system with the workaround described by VMware.

But how do administrators know whether their system is infected? On this point, “The Register” refers to the French hosting provider OVH, which lists the following specific characteristics:

  • The attack occurs via a vulnerability in the OpenSLP component. The log files show that the user “dcui” played a role in the compromise.
  • Encryption is done with a public key that the malware stores in the “/tmp/public.pem” file.
  • The encryption process specifically targets virtual machine files. These have the extensions “.vmdk”, “.vmx”, “.vmxf”, “.vmsd”, “.vmsn”, “.vswp”, “.vmss”, “.nvram” and “.vmem”.
  • The malware attempts to shut down virtual machines by killing the VMX process to free the files. However, this sometimes does not work as expected, resulting in the files remaining locked.
  • The malware creates an args file. In it, it stores parameters for the encryption algorithm.
  • According to OVH, no data is exfiltrated.
  • “Bleeping Computer” adds that the attackers deposit files with the names “ransom.html” and “How to Restore Your Files.html” on the attacked systems.
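The characteristics above can be checked from the ESXi shell without touching any data. The following read-only triage helper is an added example, not code from the article, OVH or CISA; it assumes the naming of the parameter files as `<vmfile>.args` beside each VM file (taken from public reporting on the campaign, not stated on this page) and builds a constructed sample layout only for demonstration.

```shell
#!/bin/sh
# Read-only ESXiArgs indicator check (added example, not from the article).
# Arguments: datastore root (e.g. /vmfs/volumes) and temp dir (e.g. /tmp).
# Prints the number of indicator classes found; details go to stderr.
VM_EXTS="vmdk vmx vmxf vmsd vmsn vswp vmss nvram vmem"

esxiargs_indicator_count() {
  root="$1"; tmp="$2"; hits=0
  # 1. Public key the malware drops for its encryption routine
  if [ -f "$tmp/public.pem" ]; then
    echo "INDICATOR: encryption public key at $tmp/public.pem" >&2
    hits=$((hits + 1))
  fi
  # 2. Ransom notes written to the datastore
  notes=$(find "$root" -type f \( -name 'ransom.html' \
          -o -name 'How to Restore Your Files.html' \) 2>/dev/null | wc -l | tr -d ' ')
  if [ "$notes" -gt 0 ]; then
    echo "INDICATOR: $notes ransom note(s) under $root" >&2
    hits=$((hits + 1))
  fi
  # 3. .args companion files (assumed name <vmfile>.args) beside VM files
  args=0
  for ext in $VM_EXTS; do
    n=$(find "$root" -type f -name "*.$ext.args" 2>/dev/null | wc -l | tr -d ' ')
    args=$((args + n))
  done
  if [ "$args" -gt 0 ]; then
    echo "INDICATOR: $args .args file(s) beside VM files under $root" >&2
    hits=$((hits + 1))
  fi
  echo "$hits"
}

# Constructed sample: a "datastore" with one hit VM (all three indicators)
# and one untouched VM, created under the directory given as $1.
make_sample() {
  base="$1"
  mkdir -p "$base/ds/vm1" "$base/ds/vm2" "$base/tmp"
  printf 'constructed fake key\n' > "$base/tmp/public.pem"
  : > "$base/ds/vm1/vm1.vmx"; : > "$base/ds/vm1/vm1.vmx.args"
  : > "$base/ds/vm1/vm1-flat.vmdk"; : > "$base/ds/vm1/vm1.vmdk"
  : > "$base/ds/vm1/vm1.vmdk.args"
  : > "$base/ds/ransom.html"; : > "$base/ds/vm1/How to Restore Your Files.html"
  : > "$base/ds/vm2/vm2.vmx"; : > "$base/ds/vm2/vm2.vmdk"
}

# On a host: sh esxiargs_triage.sh /vmfs/volumes /tmp
if [ "$#" -eq 2 ]; then esxiargs_indicator_count "$1" "$2"; fi
```

A non-zero count is only a trigger to isolate the host and preserve the datastore for forensics; the large flat files may still be intact, as the article notes.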

Attacked systems can (perhaps) be rescued

The malware distributed by the cybercriminals in the ongoing wave of attacks has been dubbed “ESXiArgs” by cybersecurity experts. As “Bleeping Computer” writes, citing an analyst at ID Ransomware, the encryption algorithm used has no known weaknesses. Accordingly, there is no way to decrypt the data once it has been encrypted without the decryption key.

However, Enes Sonmez offers a ray of hope. In a blog post, he explains that the malware often only encrypts small files. The large files (often named “-flat.vmdk”), on the other hand, were spared. In the ESXi storage layout, it is these large files that contain the data stored in a virtual machine. The small files, which mainly contain structural information, can be regenerated with the “vmkfstools” program, some manual work and a bit of luck. See the blog post for the exact instructions.

If you want to read more about cybercrime and cybersecurity, sign up for the Swisscybersecurity.net newsletter here. On the portal you can read daily news about current threats and new defense strategies.


(c) René Jaun
