UPDATED 20:38 EDT / FEBRUARY 08 2023

CISA and FBI release recovery script for VMware ESXi servers targeted by ransomware

The U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have released a free recovery script in response to a widespread ransomware campaign targeting unpatched installations of VMware Inc.’s ESXi.

VMware and government agencies in Europe warned of the ransomware attacks earlier this week, saying that a malicious actor was targeting a vulnerability in VMware ESXi servers that was patched in 2021. The issue is a heap overflow vulnerability in the OpenSLP service used by ESXi, affecting certain releases of versions 6.5, 6.7 and 7.0 of the software.

Two years after the patch was released, some VMware ESXi users have neither applied the patch nor upgraded their software. VMware noted that the attacks are targeting installations that are generally at the end of general support or significantly out of date.

The new ESXiArgs recovery script, available on GitHub, allows organizations that have fallen victim to ESXiArgs ransomware to attempt to recover their files. In an alert today, CISA said that more than 3,800 ESXi servers are now believed to have been compromised globally.

The script doesn’t delete the encrypted config files; instead, it tries to create new config files that restore access to the affected virtual machines. Any organization considering using the ESXiArgs recovery script is advised to review it carefully and determine whether it is appropriate for its environment before deploying it.
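To make the recovery approach concrete, here is an added illustration of the idea the article describes: when the large `-flat.vmdk` data file survived but the small descriptor (config) file that points at it was encrypted, a new descriptor can be generated from the data file's size and placed beside it, leaving the encrypted original in place. This is example code written for this article, not the CISA/FBI script or any VMware tool; the descriptor layout follows the standard VMDK descriptor format, the `hw_version` default and the 255/63 geometry convention are assumptions, and `make_sample_flat` builds a constructed test image rather than a real disk.

```python
"""Rebuild a VMDK descriptor for a VM whose -flat.vmdk data file survived.

Added example (not the CISA/FBI ESXiArgs script): recreate the small config
file that references the untouched flat data file, so the VM can be
re-registered, without deleting anything that is already there.
"""
import tempfile
from pathlib import Path

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 255, 63      # conventional VMDK geometry (assumption)
FLAT_SUFFIX = "-flat.vmdk"


def flat_looks_intact(flat: Path) -> bool:
    """Heuristic check that the data file was NOT encrypted: an intact disk
    image starts with an MBR carrying the 0x55AA signature, or has a GPT
    header ('EFI PART') in sector 1.  Encrypted bytes would show neither."""
    with flat.open("rb") as fh:
        head = fh.read(2 * SECTOR)
    if len(head) < SECTOR:
        return False
    mbr_ok = head[510:512] == b"\x55\xaa"
    gpt_ok = len(head) >= SECTOR + 8 and head[SECTOR:SECTOR + 8] == b"EFI PART"
    return mbr_ok or gpt_ok


def build_descriptor(flat: Path, hw_version: str = "14") -> str:
    """Return descriptor text for `flat`; hw_version is an assumed default."""
    size = flat.stat().st_size
    if size == 0 or size % SECTOR:
        raise ValueError(f"{flat}: size {size} is not a whole number of sectors")
    sectors = size // SECTOR
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat.name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        f'ddb.virtualHWVersion = "{hw_version}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        'ddb.adapterType = "lsilogic"',
        "",
    ])


def recover_descriptor(flat: Path) -> Path:
    """Write <name>.vmdk next to <name>-flat.vmdk.  An existing (encrypted)
    descriptor is kept under a new name, never deleted."""
    if not flat.name.endswith(FLAT_SUFFIX):
        raise ValueError("expected a *-flat.vmdk data file")
    if not flat_looks_intact(flat):
        raise ValueError(f"{flat}: no MBR/GPT signature; data file may be encrypted too")
    desc = flat.with_name(flat.name[:-len(FLAT_SUFFIX)] + ".vmdk")
    if desc.exists():
        desc.rename(desc.with_name(desc.name + ".encrypted-original"))
    desc.write_text(build_descriptor(flat))
    return desc


def make_sample_flat(mib: int = 16, name: str = "vm") -> Path:
    """Constructed test image: a sparse file of `mib` MiB whose first sector
    carries a valid 0x55AA boot signature.  Not a real VM disk."""
    flat = Path(tempfile.mkdtemp()) / f"{name}{FLAT_SUFFIX}"
    with flat.open("wb") as fh:
        fh.write(b"\x00" * 510 + b"\x55\xaa")
        fh.truncate(mib * 1024 * 1024)
    return flat


if __name__ == "__main__":
    sample = make_sample_flat()
    print(recover_descriptor(sample).read_text())
```

The intact-data check is the part worth keeping even if the rest is replaced by a vendor tool: it turns the "we got lucky" observation quoted below into something testable per disk, and refuses to fabricate a descriptor for a data file that shows no boot-sector structure.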

The speed of the response by CISA and the FBI is undoubtedly welcome, but there’s a reason it was relatively simple for them to write the script: the ransomware didn’t encrypt all data files.

“We got lucky this time,” Morten Gammelgard, executive vice president EMEA at ransomware protection company BullWall A/S, told SiliconANGLE. “The attackers failed to encrypt the flat data files where the data for virtual disks are stored. While these recent attacks on VMware servers were only partially successful, it highlights the issues with protecting the entire attack surface and maintaining perfect cyber hygiene. The next attack may work better and successfully encrypt all files and perhaps next time a rescue script will not be available.”

Image: CISA
