Just a week after the Cybersecurity and Infrastructure Security Agency (CISA) released its recovery script against ransomware targeting VMware ESXi virtual machines, a modified version of the malware is already in circulation that renders the decryptor script useless. So far, around 3,800 servers across the globe have already fallen victim to ESXiArgs ransomware, CISA and the FBI warn.

“Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB,” researchers at Malwarebytes said in a new report on the ESXi vulnerability. “This ensures that all files larger than 128MB are encrypted for 50%. Files under 128MB are fully encrypted, which was also the case in the old variant.”

Targets of ESXiArgs ransomware can tell if they are infected with the new variant if the ransom note directs the victim to contact the threat actor via the TOX encrypted messenger, the report added. The ransom note from the old ESXiArgs variant, which can be mitigated by the CISA-issued decryptor, includes a Bitcoin address.
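To make the two points above concrete for an incident responder, here is an added triage helper (example code written for this page, not code from CISA, Malwarebytes or the malware). It models the new variant's "skip 1MB, encrypt 1MB" pattern as quoted from the report to estimate how much of a file of a given size is encrypted, and applies the report's ransom-note indicator (TOX contact = new variant, Bitcoin address = old variant) to decide whether the CISA decryptor is worth attempting. The exact behaviour at a file size of exactly 128MB, the Bitcoin-address regex and the sample notes are assumptions and constructed inputs, not details from the report.

```python
import re

MB = 1024 * 1024
FULL_ENCRYPT_LIMIT = 128 * MB   # files under this size are fully encrypted (both variants, per the report)
CHUNK = 1 * MB                  # new variant alternates: skip 1MB, then encrypt the next 1MB

# Assumption (not from the report): files of exactly 128MB follow the large-file pattern.
def new_variant_encrypted_ranges(file_size: int) -> list:
    """Byte ranges (start, end) the new routine encrypts, modelled on the quoted description.

    Under 128MB the whole file is encrypted; at or above it, the routine skips the
    first 1MB, encrypts the next 1MB, and repeats to the end of the file.
    """
    if file_size < FULL_ENCRYPT_LIMIT:
        return [(0, file_size)] if file_size > 0 else []
    ranges = []
    offset = CHUNK                     # the first 1MB chunk is skipped
    while offset < file_size:
        end = min(offset + CHUNK, file_size)
        ranges.append((offset, end))
        offset = end + CHUNK           # skip the following 1MB chunk
    return ranges

def encrypted_fraction(file_size: int) -> float:
    """Fraction of the file's bytes the new routine encrypts (0.5 for large files, 1.0 under 128MB)."""
    if file_size <= 0:
        return 0.0
    encrypted = sum(end - start for start, end in new_variant_encrypted_ranges(file_size))
    return encrypted / file_size

# Heuristic indicator from the report: the new variant's note points victims to TOX,
# the old variant's note carries a Bitcoin address. The address regex is a loose
# assumption (legacy base58 or bech32 form), good enough to flag a note for review.
_TOX_RE = re.compile(r"\btox\b", re.IGNORECASE)
_BTC_ADDR_RE = re.compile(r"\b(?:bc1[a-z0-9]{25,}|[13][A-HJ-NP-Za-km-z1-9]{25,34})\b")

def classify_ransom_note(note_text: str) -> str:
    """Return 'new', 'old' or 'unknown' based on the contact channel named in the note."""
    if _TOX_RE.search(note_text):
        return "new"
    if "bitcoin" in note_text.lower() or _BTC_ADDR_RE.search(note_text):
        return "old"
    return "unknown"

def triage(note_text: str, file_sizes: dict) -> dict:
    """Per-file assessment: which variant, whether the CISA decryptor applies, and
    how much of each file the new routine would have encrypted."""
    variant = classify_ransom_note(note_text)
    decryptor_applies = variant == "old"
    files = {}
    for name, size in file_sizes.items():
        files[name] = {
            "encrypted_fraction": encrypted_fraction(size) if variant == "new" else None,
            "try_cisa_decryptor": decryptor_applies,
        }
    return {"variant": variant, "cisa_decryptor_applies": decryptor_applies, "files": files}

# Constructed sample notes (not real ransom-note text) and constructed file sizes.
SAMPLE_NEW_NOTE = "To get your files back, contact us via TOX: <placeholder id>"
SAMPLE_OLD_NOTE = "Send payment to bitcoin address 1BoatSLRHtKNngkdXEeobR76b53LETtpyT"
SAMPLE_FILES = {"small.vmdk-flat": 64 * MB, "large.vmdk-flat": 256 * MB}

if __name__ == "__main__":
    for note in (SAMPLE_NEW_NOTE, SAMPLE_OLD_NOTE):
        result = triage(note, SAMPLE_FILES)
        print(result["variant"], "decryptor applies:", result["cisa_decryptor_applies"])
        for name, info in result["files"].items():
            print("  ", name, info)
```

The useful output is the decision, not the numbers: when `classify_ransom_note` returns `"new"`, the responder should stop expecting the CISA script to rebuild the VM and move to backups, while `encrypted_fraction` shows why even a 50% encrypted flat VMDK is unrecoverable by the old chunk-skipping approach.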