VMware ESXi ransomware: CISA releases a rescue script

State Court of Florida among the victims of the ESXiArgs ransomware spree, which fortunately is easy to recover from

The US Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent wave of ransomware attacks around the world.

The ESXiArgs attackers exploit a vulnerability in VMware ESXi, a widely used enterprise virtualisation platform, to encrypt files using the CryptoLocker malware, appending the '.args' extension to each encrypted file. A patch for the CVE-2021-21974 vulnerability has been available since 2021, but many thousands of internet-accessible servers remain unpatched.

CVE-2021-21974 is caused by a memory overflow in the OpenSLP service, which an unauthenticated threat actor may use to execute code remotely.

But while the malware encrypts some files, including hard drive containers and configuration files, it does not encrypt the server-flat.vmdk files, which is where the virtual machines' actual disk data is stored.

CISA's ESXiArgs-Recover is a simple Bash script published on GitHub that takes advantage of this error made by the attackers. Its discovery is credited to Enes Sonmez and Ahmet Aykac from YoreGroup Tech Team.

The ESXiArgs-Recover script automates the steps required to reconstruct virtual machines from these server-flat.vmdk files.

"CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac," CISA explains on the tool's GitHub page.

"This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware."

It adds: "This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs."
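The recovery idea described above (rebuild the disk metadata from the untouched flat file), as an added Python illustration that is not CISA's ESXiArgs-Recover script: the real tool runs on the ESXi host with its native tooling, whereas this sketch only regenerates a minimal VMDK descriptor from the size of a surviving `-flat.vmdk` and leaves every encrypted `.args` file in place. The descriptor field values and the sample VM folder it builds are constructed assumptions.

```python
import os
import re
import tempfile

def descriptor_for_flat(flat_path):
    """Regenerate a minimal VMDK descriptor pointing at an intact flat extent.
    Only the flat file's size matters; CID/geometry are generic placeholders."""
    size = os.path.getsize(flat_path)
    if size == 0 or size % 512:  # extents are described in 512-byte sectors
        raise ValueError(f"{flat_path}: {size} bytes is not whole sectors")
    sectors = size // 512
    lines = [
        "# Disk DescriptorFile", "version=1", "CID=fffffffe",
        "parentCID=ffffffff", 'createType="vmfs"', "",
        "# Extent description",
        f'RW {sectors} VMFS "{os.path.basename(flat_path)}"', "",
        "# The Disk Data Base", "#DDB",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{max(1, sectors // (255 * 63))}"',
        'ddb.geometry.heads = "255"', 'ddb.geometry.sectors = "63"',
    ]
    return "\n".join(lines) + "\n"

def rebuild_descriptors(vm_dir):
    """Write a fresh <name>.vmdk for every <name>-flat.vmdk whose descriptor
    is gone (only the encrypted <name>.vmdk.args copy remains). Nothing is
    deleted: encrypted files stay where they are for later forensics."""
    written = []
    for entry in sorted(os.listdir(vm_dir)):
        m = re.fullmatch(r"(.+)-flat\.vmdk", entry)
        if not m:
            continue
        desc = os.path.join(vm_dir, m.group(1) + ".vmdk")
        if os.path.exists(desc):
            continue  # descriptor survived, leave it alone
        with open(desc, "w") as fh:
            fh.write(descriptor_for_flat(os.path.join(vm_dir, entry)))
        written.append(os.path.basename(desc))
    return written

def demo():
    """Constructed sample folder: disk1's descriptor was encrypted (only
    disk1.vmdk.args remains), disk2's descriptor survived intact."""
    d = tempfile.mkdtemp()
    with open(os.path.join(d, "disk1-flat.vmdk"), "wb") as fh: fh.truncate(1024 * 1024)
    open(os.path.join(d, "disk1.vmdk.args"), "wb").close()
    with open(os.path.join(d, "disk2-flat.vmdk"), "wb") as fh: fh.truncate(512 * 100)
    open(os.path.join(d, "disk2.vmdk"), "w").close()
    written = rebuild_descriptors(d)
    return written, open(os.path.join(d, "disk1.vmdk")).read()
```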

VMware advises users to apply the latest security updates and deactivate the vulnerable Service Location Protocol (SLP) service on internet-exposed ESXi servers. The company clarified that the attackers aren't taking advantage of any zero-day vulnerability, and that the SLP service is deactivated by default in ESXi software updates released after 2021.

A massive attack

The wave of attacks on ESXi servers apparently started last Friday. Since then, the attacks have encrypted 2,800 servers according to a list of bitcoin addresses collected by CISA technical advisor Jack Cable, while a Reuters analysis of data from the Ransomwhere site puts the number at 3,800.

Thanks to the attackers' error in not encrypting the server-flat.vmdk files, the attack seems to have netted only around $80,000, despite hitting thousands of organisations.

This mistake has also led security experts to conclude that the attackers are probably criminal opportunists, rather than state-backed actors.

However, the attacks have certainly caused disruption to those affected.

Florida Supreme Court hit

Florida's Supreme Court is among the victims of the ransomware spree, and Reuters analysts cite a number of universities in the US and Europe which may also have been hit.

Florida Supreme Court spokesman Paul Flemming told the news organisation that the damage was contained and affected systems were segregated from the Supreme Court's main network.

"Florida Supreme Court's network and data are secure," he said.

A Florida hospital was also hit by a cyberattack last week, although it's not clear if this is part of the same wave.

Tallahassee Memorial HealthCare was forced to shut down its IT network, divert some emergency patients and cancel some surgeries.

"Our teams are working around the clock in collaboration with outside experts and state and federal agencies to investigate the cause of the event and safely restore all computer systems as quickly as possible," reads the latest update on the hospital's blog.

The hospital has not confirmed whether the security issue involved ransomware.

The health sector is a favourite target for ransomware perpetrators, who reason that the potentially life-threatening disruption caused means victims are more likely to pay a ransom.

One of the most serious incidents was an attack by the Conti gang on the Irish Health Service (HSE) in 2021, which caused months of disruption, including cancelled operations. Conti demanded a $20 million ransom from HSE, which the Irish government refused to pay.