UPDATED 20:38 EDT / FEBRUARY 08 2023

CISA and FBI release recovery script for VMware ESXi servers targeted by ransomware

The U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have released a free recovery script in response to a widespread ransomware campaign targeting unpatched installations of VMware Inc.’s ESXi.

VMware Inc. and government agencies in Europe warned of the ransomware attacks earlier this week, saying that a malicious actor was exploiting a vulnerability in VMware ESXi servers that was patched in 2021. The issue is a heap overflow vulnerability in the OpenSLP service bundled with ESXi, affecting certain builds of versions 6.5, 6.7 and 7.0 of the software.

Two years after the patch was released, some VMware ESXi users have still not applied it or upgraded their software. VMware noted that the attacks are targeting installations that are generally at the end of general support or significantly out of date.

The new ESXiArgs recovery script, available on GitHub, allows organizations that have fallen victim to ESXiArgs ransomware to attempt to recover their files. In an alert today, CISA said that more than 3,800 ESXi servers are now believed to have been compromised globally.

The script doesn’t attempt to delete the encrypted config files; instead it tries to create new config files that restore access to the affected virtual machines. CISA warns that any organization considering using the ESXiArgs recovery script should carefully review it to determine whether it is appropriate for their environment before deploying it.

The speed of the response by CISA and the FBI is undoubtedly welcome, but there’s a reason why it was relatively simple for them to write the script: The ransomware didn’t encrypt all data files.

“We got lucky this time,” Morten Gammelgard, executive vice president EMEA at ransomware protection company BullWall A/S, told SiliconANGLE. “The attackers failed to encrypt the flat data files where the data for virtual disks are stored. While these recent attacks on VMware servers were only partially successful, it highlights the issues with protecting the entire attack surface and maintaining perfect cyber hygiene. The next attack may work better and successfully encrypt all files and perhaps next time a rescue script will not be available.”

Image: CISA
