CISA, FBI recovery tool no match for updated ESXiArgs ransomware encryption

Malwarebytes researchers noted that vulnerable VMware ESXi virtual machines impacted with the updated ESXiArgs ransomware could not be decrypted with the data recovery script issued by the Cybersecurity and Infrastructure Security Agency, which could not keep pace with the extent of data encrypted by the new ransomware variant, reports The Register. "Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB. This ensures that all files larger than 128 MB are encrypted for 50 percent. Files under 128MB are fully encrypted which was also the case in the old variant," wrote Malwarebytes malware analyst Pieter Arntz. Operators of the updated malware were able to avert the government-issued recovery tool due to the tool's use of publicly available data. Aside from encryption changes, the new ESXiArgs ransomware variant also modified contact instructions in its ransomware note.