In a constant arms race between cybercriminals and cybersecurity experts, the ransomware group behind the massive attack on ESXi Virtual Machines (VMs) has developed a new variant that cannot be decrypted with the recovery script released by the Cybersecurity & Infrastructure Security Agency (CISA).
New Encryption Routine
The new variant of the ESXiArgs ransomware uses an updated encryption routine that encrypts 50% of every file larger than 128 MB, leaving no large contiguous chunks of data unencrypted.
The recovery script released by CISA for the old variant reportedly no longer works for this new variant.
While the initial report about this attack wave pointed to CVE-2021-21974, several critical vulnerabilities in VMware ESXi like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699 can potentially lead to remote code execution on affected systems.
Some victims had SLP disabled, which was a workaround suggested by VMware for the two-year-old vulnerability that is the prime suspect in this case.
According to CISA and the FBI, around 3800 servers have fallen victim to ESXiArgs globally.
To prevent falling prey to this new variant of the ransomware, it is recommended that organizations update their ESXi software and make their ESXi VMs inaccessible from the internet.
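As an added illustration of the SLP workaround mentioned above (not code from the original article), the following shell script audits whether the SLP service is still reachable on an ESXi host. It assumes the column layout of `esxcli network firewall ruleset list` and `chkconfig --list slpd` output shown in the constructed samples; the sample outputs are made up for offline testing, not captured from a real host.

```shell
#!/bin/sh
# Audit helper for the VMware SLP workaround: parse the output of
# `esxcli network firewall ruleset list` and `chkconfig --list slpd`
# and report whether SLP is still exposed on the host.

# Prints "enabled", "disabled" or "unknown" for the CIMSLP firewall
# ruleset in the listing passed as $1 (assumed "Name  Enabled" columns).
cimslp_state() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { s = ($2 == "true") ? "enabled" : "disabled"; print s; found = 1 }
        END { if (!found) print "unknown" }'
}

# Prints "on", "off" or "unknown" for the slpd service from the
# `chkconfig --list slpd` output passed as $1 (assumed "slpd  on|off").
slpd_state() {
    printf '%s\n' "$1" | awk '
        $1 == "slpd" { print $2; found = 1 }
        END { if (!found) print "unknown" }'
}

# Returns 0 (exposed) when either the firewall ruleset or the service
# is still active; returns 1 only when both are off.
slp_exposed() {
    fw=$(cimslp_state "$1")
    svc=$(slpd_state "$2")
    [ "$fw" = "enabled" ] || [ "$svc" = "on" ]
}

# Constructed sample outputs (not from a real host) for stand-alone use.
SAMPLE_FW='Name                  Enabled
--------------------  -------
sshServer             true
CIMSLP                true
vMotion               false'
SAMPLE_CHK='slpd            on'

if slp_exposed "$SAMPLE_FW" "$SAMPLE_CHK"; then
    echo "SLP still reachable: apply the VMware workaround on the host:"
    echo "  /etc/init.d/slpd stop"
    echo "  esxcli network firewall ruleset set -r CIMSLP -e 0"
    echo "  chkconfig slpd off"
else
    echo "SLP disabled: firewall ruleset and slpd service are both off"
fi
```

On a live host, replace the constructed samples with `"$(esxcli network firewall ruleset list)"` and `"$(chkconfig --list slpd)"`.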
Dimitris is an Information Technology and Cybersecurity professional with more than 20 years of experience in designing, building and maintaining efficient and secure IT infrastructures.
Among other credentials, he holds the CISSP, CISA, CISM, ITIL, COBIT and PRINCE2 certifications, but his wide set of knowledge and technical management capabilities goes beyond these certifications. He likes acquiring new skills in penetration testing, cloud technologies, virtualization, network security, IoT and many more.