CISA Releases Recovery Script for Attacked VMware ESXi Hypervisors
In other cybersecurity news …
Earlier this week, we reported on malicious hackers hitting thousands of VMware ESXi hypervisors with ESXiArgs ransomware, exploiting a two-year-old vulnerability.
The attacks have taken place globally, including in the United States, Canada, France and Italy. VMware ESXi allows organizations to host several virtualized computers running multiple operating systems on a single physical server.
The Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script for organizations that have fallen victim to ESXiArgs ransomware. The ESXiArgs ransomware encrypts configuration files on vulnerable ESXi servers, potentially rendering virtual machines (VMs) unusable.
CISA recommends that organizations impacted by ESXiArgs evaluate the script and its accompanying guidance to determine whether it is suitable for attempting to recover access to files in their environment.
Morten Gammelgard is executive vice president of EMEA at BullWall, a ransomware containment provider.
“We got lucky this time,” he said. “The attackers failed to encrypt the flat data files where the data for virtual disks are stored. While these recent attacks on VMware servers were only partially successful, it highlights the issues with protecting the entire attack surface and maintaining perfect cyber hygiene. The next attack may work better and successfully encrypt all files, and perhaps next time a rescue script will not be available.”
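The recovery angle in the two preceding paragraphs rests on one detail: the small configuration and descriptor files were hit, while the large flat data files holding the virtual disks were not. Before running any rebuild script, a defender wants an inventory of which VMs are actually in that state. The script below is an added example, not CISA's recovery script and not code from BullWall. It assumes the usual ESXi datastore layout of one directory per VM containing a `<vm>.vmx` text config, `<disk>.vmdk` text descriptors and `<disk>-flat.vmdk` data files; the sample datastore it builds under a temp directory is constructed for the demonstration.

```shell
#!/bin/sh
# Recovery-readiness triage for an ESXi datastore after configuration and
# descriptor files have been overwritten. Added example, not CISA's script.
# Assumed layout: <datastore>/<vm>/<vm>.vmx, <disk>.vmdk (text descriptor),
# <disk>-flat.vmdk (raw disk data).

# is_text FILE: succeeds if FILE still starts like a VMware text file
# (a descriptor begins "# Disk DescriptorFile", a .vmx begins ".encoding").
is_text() {
    head -c 64 "$1" 2>/dev/null | grep -q -e '^# Disk DescriptorFile' -e '^\.encoding'
}

# triage_vm VMDIR: prints "<vm> <status>", where status is
#   intact       config and descriptors readable, flat data present
#   recoverable  flat data present, but config or a descriptor is damaged/missing
#   data-lost    no flat data file: a descriptor rebuild has nothing to point at
triage_vm() {
    vmdir="${1%/}"
    vmname=$(basename "$vmdir")
    flats=0
    damaged=0
    for flat in "$vmdir"/*-flat.vmdk; do
        [ -e "$flat" ] || continue
        flats=$((flats + 1))
        desc="${flat%-flat.vmdk}.vmdk"   # descriptor that should reference this flat file
        if [ ! -e "$desc" ] || ! is_text "$desc"; then
            damaged=1
        fi
    done
    if [ "$flats" -eq 0 ]; then
        echo "$vmname data-lost"
        return 0
    fi
    vmx="$vmdir/$vmname.vmx"
    if [ ! -e "$vmx" ] || ! is_text "$vmx"; then
        damaged=1
    fi
    if [ "$damaged" -eq 1 ]; then
        echo "$vmname recoverable"
    else
        echo "$vmname intact"
    fi
}

# triage_datastore DSDIR: one status line per VM directory, sorted by name
triage_datastore() {
    for d in "$1"/*/; do
        [ -d "$d" ] || continue
        triage_vm "$d"
    done
}

# make_sample_datastore: constructed sample, three VMs in the three states.
# Prints the temp directory it created.
make_sample_datastore() {
    sample=$(mktemp -d)
    mkdir "$sample/vm-intact" "$sample/vm-hit" "$sample/vm-gone"
    # vm-intact: everything readable
    printf '.encoding = "UTF-8"\ndisplayName = "vm-intact"\n' > "$sample/vm-intact/vm-intact.vmx"
    printf '# Disk DescriptorFile\nversion=1\n' > "$sample/vm-intact/vm-intact.vmdk"
    : > "$sample/vm-intact/vm-intact-flat.vmdk"
    # vm-hit: config and descriptor overwritten with opaque bytes, flat data untouched
    printf '\000\377\001\376opaque' > "$sample/vm-hit/vm-hit.vmx"
    printf '\000\377\001\376opaque' > "$sample/vm-hit/vm-hit.vmdk"
    : > "$sample/vm-hit/vm-hit-flat.vmdk"
    # vm-gone: a config but no disk data at all
    printf '.encoding = "UTF-8"\n' > "$sample/vm-gone/vm-gone.vmx"
    echo "$sample"
}

# Usage on a host (datastore name is an assumption):
#   triage_datastore /vmfs/volumes/datastore1
```

Only VMs reported as `recoverable` are candidates for a descriptor rebuild; `data-lost` entries need a backup restore no matter what a rescue script can do, which is the scenario Gammelgard warns about.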
Companies must patch all critical OS and application vulnerabilities in a timely manner, and deploy ransomware containment to stop the encryption from happening, Gammelgard said.
“Had this attack been more successful, many more organizations would now be facing downtime and disruption, and having to restore lots of files and environments from backup at very high cost,” he said.
Photo courtesy: Pavel Kapysh/Shutterstock