The creators of the ESXiArgs malware that attacks VMware ESXi servers have updated their malware. Now the ransomware encrypts more data, which makes it much more difficult or impossible to recover encrypted virtual machines on your own.
Let me remind you that thousands of VMware ESXi servers were hacked by the new ESXiArgs ransomware as part of a large-scale hacking campaign last week. The attackers exploited a two-year-old vulnerability (CVE-2021-21974) that allowed them to execute remote commands on vulnerable servers via OpenSLP (port 427).
At the same time, VMware developers emphasized that hackers definitely do not use any zero-day vulnerabilities, and OpenSLP is generally disabled by default after 2021. That is, the attackers targeted products that were “significantly outdated,” and there were quite a few of them. According to experts, about 2800 servers were hacked (last week they counted about 3200 at all).
But a few days ago it seemed that everything was over: experts from the Cybersecurity and Infrastructure Protection Agency, organized under the US Department of Homeland Security (DHS CISA) presented a script for self-recovery of encrypted VMware ESXi servers.
The fact is that although many devices were encrypted, experts wrote that the ESXiArgs malicious campaign as a whole was not successful, since the malware only partially encrypted large files and, in particular, the attackers failed to encrypt flat files where virtual disk data is stored. . As a result, administrators were able to decrypt the affected servers, restoring their virtual machines and data for free.
However, the joy was premature. Bleeping Computer journalists report that the second wave of ESXiArgs infections has begun, and now hackers are using an improved encryption procedure that encrypts much more data in large files.
So, earlier the malware used the encrypt.sh script and the following formula (slightly modified for i readability) to determine which size_step to use: size_step=((($size_in_kb/1024/100)-1)) . Now the malware encoder has not changed, but the complex size_step calculation has been removed from the encrypt.sh script. In the new version, it is simply set to “1”.
Security expert Michael Gillespie told reporters that the change will force the malware to alternate between encrypting 1MB of data and skipping 1MB of data. Thus, all files larger than 128 MB will now have 50% of the data encrypted, which will most likely make them unrecoverable.
Note that earlier for files of 450 GB and more, the amount of data skipped increased sharply, size_step became equal to 4607, that is, 1 MB encryption alternated with 4.49 GB of data skipped. Thanks to this, the work of recovery tools became possible.
It was also noticed that the updated version of ESXiArgs leaves a slightly modified version of the ransom note: the bitcoin address is now not included in the text, and the victim is promised to provide it later. Apparently, the hackers noticed that their wallet addresses were collected and tracked by information security specialists.
Bleeping Computer warns about another alarm signal. Some ransomware victims report that SLP was definitely disabled on their server, but this did not stop attackers from cracking it. Also, now victims do not detect the vmtool.py backdoor seen in previous attacks on their systems.