
CISA releases ESXiArgs-recovery tool for VMware ransomware victims

UPDATE: A recovery tool offers hope for the thousands of VMware ESXi customers hit by a series of massive and ongoing ransomware attacks. On Tuesday, the Cybersecurity and Infrastructure Security Agency (CISA) released a tool called ESXiArgs-Recover which is designed to help organizations recover files.

The tool does not decrypt scrambled data; rather, it allows affected companies to reconstruct virtual machine metadata in the hope of recovering lost data without paying a hefty ransom.

"CISA is aware that some organizations have reported success in recovering files without paying ransoms," according to the GitHub description of the ESXiArgs-Recover tool. The post explains the tool is "based on publicly available resources, including a tutorial by (researchers) Enes Sonmez and Ahmet Aykac."

"This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware," according to the post. 

Since the beginning of February, threat actors have been targeting unpatched ESXi servers vulnerable to a two-year-old critical remote code execution VMware bug (CVE-2021-21974). The heap overflow flaw is tied to ESXi's OpenSLP service and enables an unauthenticated actor to exploit it over the public internet in a low-complexity attack.

A Monday analysis of impacted servers by security firm Censys indicated 3,200 VMware ESXi instances worldwide have been compromised by the ransomware campaign dubbed ESXiArgs. The U.S. has been the second-most impacted country in these ransomware attacks.

In response to the CISA recovery tool, those behind the ESXiArgs attacks updated the ransomware to counteract it, according to a Feb. 8 BleepingComputer report. The updated ESXiArgs ransomware prevents the CISA shell script from recovering data from the VMware ESXi virtual machines.

On Friday Feb. 10, Rapid7 researchers estimated that 19,000 ESXi servers were unpatched and vulnerable to the ESXiArgs ransomware campaigns.

Mitigate with caution

The ESXiArgs-Recover tool is essentially a script and CISA warns that organizations must carefully review it before deployment.

“This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” according to CISA’s GitHub post. The script has been tested for effectiveness and safety. But CISA delivered the script “without warranty, either implicit or explicit,” and it is provided “as is” for informational purposes only.

Further, organizations should “not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script,” it said.

Further preventative workarounds

Researchers say the vulnerability stems from ESXi’s OpenSLP service. 

"OpenSLP is an open-source framework for networking applications to discover the existence, location, and configuration of services in enterprise networks, which ESXi client applications use to resolve network addresses and hosts," according to a Recorded Future description.

Researchers added, "for a system to be vulnerable to CVE-2021-21974, the OpenSLP service needs to be running, and its associated port 427 needs to be reachable from the internet."

One mitigation for the vulnerability, Recorded Future and other researchers suggest, is to close port 427.

Researchers are unanimous in warning that entities need to patch the vulnerability. Researchers urge organizations that have not yet scanned all servers for instances of the bug to either close the SLP port, or disable the service and ensure the servers in question are not exposed to the internet.

VMware says it has not found evidence to suggest the attacks are exploiting an unknown flaw and that only “End of General Support (EOGS) and/or significantly out-of-date products” are being targeted in attacks.

What organizations need to know

The ongoing campaigns are taking advantage of the exposed ESXi hypervisors in unpatched servers, with a particular targeting of the SLP service, according to the CERT-FR Alert issued on Feb. 3. “Exploit codes have been available in open source since at least May 2021.”

“The systems currently targeted would be ESXi hypervisors in version 6.x and prior to 6.7,” but CERT-FR found the SLP risks are also found in:

  • ESXi 7.x versions earlier than ESXi70U1c-17325551
  • ESXi versions 6.7.x earlier than ESXi670-202102401-SG
  • ESXi versions 6.5.x earlier than ESXi650-202102101-SG

Entities that failed to apply the previously released patch and have found no evidence of compromise should immediately do so, but only after carrying out tests as much as possible, according to a VMware alert update posted on Feb. 5.

Compromised “virtual machine disks can be recovered when configuration files (.vmdk) are encrypted and renamed with an .args extension,” the alert continues.

CERT-FR strongly recommends entities isolate the affected server, and “as far as possible, carry out an analysis of the systems in order to detect any sign of compromise.” However, “the application of patches alone is not sufficient, an attacker has probably already deposited malicious code.”

As such, it’s better to reinstall the hypervisor in a version supported by VMware, either ESXi 7.x or ESXi 8.x, and then apply all security patches. CERT-FR also suggests entities disable unnecessary services on the hypervisor, such as the SLP service.

The ongoing attacks and successful compromises should also serve as a warning for entities “to follow future vendor security advisories.”

Technical snapshot

Researchers at Cyble shared malware samples tied to the ongoing attacks, which “include two files responsible for encryption. The ‘encrypt.sh’ is a shell script that performs several operations before starting the encryption process and executes the ‘encrypt’ ELF executable to encrypt files.”

The malicious shell script is able to perform a range of operations, including “modifying configuration files, encrypting files, establishing persistence for ransomware notes, and removing malware from the ESXi server.”

Despite the swaths of attacks, flaws in the campaign dampened the impact. Research from Sonmez and Aykac shows that the threat actors were unable to encrypt flat files, where virtual disk data is stored, which enabled them to help some victims rebuild compromised systems from those unaffected files. As noted in the CISA alert, the process has been difficult.
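The reconstruction step the article describes, shown as an added illustration that is not CISA's ESXiArgs-Recover script: for every intact `-flat.vmdk` extent whose descriptor file is gone, a fresh descriptor is written, sized from the flat file, and the encrypted file is left in place. The descriptor layout, the `<name>.vmdk.args` naming of the encrypted descriptor, and the adapter, geometry and hardware-version values are assumptions made here, so they should be checked against a known-good descriptor from the same host before use.

```python
from pathlib import Path
import tempfile

SECTOR = 512
# Descriptor skeleton for a thick VMFS disk; adapter/geometry/HW values are assumed.
DESCRIPTOR = """# Disk DescriptorFile
version=1
CID=fffffffe
parentCID=ffffffff
createType="vmfs"
# Extent description
RW {sectors} VMFS "{flat}"
# The Disk Data Base
#DDB
ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "{cyl}"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "14"
"""


def rebuild_descriptors(vm_dir: Path) -> list[Path]:
    """Write a new <name>.vmdk beside every intact <name>-flat.vmdk whose
    descriptor is gone (e.g. renamed to <name>.vmdk.args). Nothing is deleted."""
    written = []
    for flat in sorted(vm_dir.glob("*-flat.vmdk")):
        name = flat.name[: -len("-flat.vmdk")]
        desc = vm_dir / f"{name}.vmdk"
        if desc.exists():          # descriptor survived: leave it alone
            continue
        size = flat.stat().st_size
        if size % SECTOR:          # a flat extent is always whole sectors
            raise ValueError(f"{flat.name}: {size} bytes is not sector aligned")
        sectors = size // SECTOR
        cyl = max(1, sectors // (255 * 63))   # CHS cylinders for the heads/sectors above
        desc.write_text(DESCRIPTOR.format(sectors=sectors, flat=flat.name, cyl=cyl))
        written.append(desc)
    return written


def demo() -> tuple[int, str, int]:
    """Constructed sample: a 1 MiB flat extent plus a renamed (.args) descriptor."""
    with tempfile.TemporaryDirectory() as tmp:
        vm_dir = Path(tmp)
        (vm_dir / "disk-flat.vmdk").write_bytes(b"\0" * (1024 * 1024))
        (vm_dir / "disk.vmdk.args").write_bytes(b"<encrypted descriptor>")
        first = rebuild_descriptors(vm_dir)
        text = first[0].read_text()
        second = rebuild_descriptors(vm_dir)   # idempotent: nothing left to rebuild
        return len(first), text, len(second)
```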

(Editor's Note: This article was updated 2/10/2023 at 1:30 p.m. ET to reflect the latest updates tied to the number of vulnerable VMware servers and adversarial tactics.)

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
