Experts from the US Department of Homeland Security Cybersecurity and Infrastructure Protection Agency (DHS CISA) have prepared a script for recovering VMware ESXi servers that were encrypted as a result of recent massive ESXiArgs ransomware attacks.
Let me remind you that last week, thousands of VMware ESXi servers were hacked by the new ESXiArgs ransomware as part of a large-scale hacking campaign. The attackers exploited a two-year-old vulnerability (CVE-2021-21974) that allowed them to execute remote commands on vulnerable servers via OpenSLP (port 427). At the same time, VMware developers emphasized that the hackers definitely did not use any zero-day vulnerabilities, and that OpenSLP has been disabled by default since 2021.
That is, the attackers targeted products that were “significantly outdated,” and there were quite a few of them. According to CISA, about 2,800 servers were hacked, whereas last week researchers counted about 3,200 in total.
Shortly after the attacks began, Yöre Grup CTO Enes Sonmez published a massive guide describing a way for VMware administrators to decrypt affected servers, recovering their virtual machines and data for free.
Although many devices were encrypted, the malicious campaign as a whole cannot be called a success: the attackers failed to encrypt the flat files where the virtual disk data itself is stored.
However, the method described by Sonmez and his colleagues for restoring virtual machines from the unencrypted flat files turned out to be too complicated for many. Therefore, CISA experts have prepared a special script for recovering affected servers, which should cause far fewer problems, since it automates the entire process.
“This tool works by restoring virtual machine metadata from virtual disks that have not been encrypted by malware,” the experts explain.
A step-by-step guide to using the script has also been published on GitHub. CISA encourages administrators to review and study the script before starting recovery to understand how it works and avoid possible complications. It is also strongly recommended that you make backups beforehand.
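As an added illustration (not CISA's script or the Sonmez guide), the following Python triages a VM directory along the lines of the quoted explanation: it flags disks whose large -flat.vmdk survived while the small descriptor .vmdk was destroyed, and rebuilds the descriptor from the flat file's size. The descriptor template, the 255-head/63-sector geometry and the sample files are assumptions of this example; compare any regenerated descriptor with one from a healthy VM on the same host before relying on it.

```python
import os
import tempfile
SECTOR = 512
MAGIC = b"# Disk DescriptorFile"
DESCRIPTOR_TEMPLATE = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="vmfs"
RW {sectors} VMFS "{flat}"
ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "{cyl}"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
"""

def descriptor_is_intact(path):
    # A healthy descriptor is a small text file that starts with the magic comment.
    if not os.path.isfile(path):
        return False
    with open(path, "rb") as fh:
        return fh.read(len(MAGIC)) == MAGIC

def build_descriptor(flat_path):
    # Regenerate the descriptor from the size of the untouched -flat.vmdk file (assumed lsilogic geometry).
    size = os.path.getsize(flat_path)
    if size % SECTOR:
        raise ValueError("flat file is not sector-aligned: " + flat_path)
    return DESCRIPTOR_TEMPLATE.format(sectors=size // SECTOR, cyl=max(1, size // (SECTOR * 255 * 63)),
                                      flat=os.path.basename(flat_path))

def triage_datastore(vm_dir):
    # 'intact': descriptor healthy; 'recoverable': flat present, descriptor missing or overwritten.
    status = {}
    for name in sorted(os.listdir(vm_dir)):
        if name.endswith("-flat.vmdk"):
            base = name[: -len("-flat.vmdk")]
            desc = os.path.join(vm_dir, base + ".vmdk")
            status[base] = "intact" if descriptor_is_intact(desc) else "recoverable"
    return status

def demo():
    # Constructed sample datastore: one healthy disk, one whose descriptor was overwritten.
    d = tempfile.mkdtemp()
    for base, intact in (("web01", True), ("db01", False)):
        flat = os.path.join(d, base + "-flat.vmdk")
        with open(flat, "wb") as fh:
            fh.write(b"\0" * (2048 * SECTOR))  # 1 MiB flat file, untouched by the malware
        with open(os.path.join(d, base + ".vmdk"), "w") as fh:
            fh.write(build_descriptor(flat) if intact else "ENCRYPTED")
    return triage_datastore(d), build_descriptor(os.path.join(d, "db01-flat.vmdk"))
```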