US CISA publishes ESXi ransomware recovery tool

1 year ago AndyC

America’s
Cyber
and
Infrastructure
Security
Agency
(CISA)
is
helping
out
organisations
hit
by
the
ransomware
known
as
ESXiArgs.

US CISA publishes ESXi ransomware recovery tool

America’s
Cyber
and
Infrastructure
Security
Agency
(CISA)
is
helping
out
organisations
hit
by
the
ransomware
known
as
ESXiArgs.

Since
the
ransomware
attacks
were
first
observed
in

Italy
over
the
weekend,
the
campaign
has
spread
to
other
European
countries
and
to
North
America.

The
attackers
are
targeting
a
bug
in
VMware’s
ESXi
that
has
had
a

patch
available
since
February
2021.

CISA
has
published
a
script
which
it
said
will
allow
organisations
to
attempt
to
recover
virtual
machines
affected
by
the
ransomware
attacks.

The
script,

published
at
Github,
is
based
on
work
by
Enes
Sonmez
and
Ahmet
Aykac
of
YoreGroup
Tech
Team,
CISA
said.

“This
tool
works
by
reconstructing
virtual
machine
metadata
from
virtual
disks
that
were
not
encrypted
by
the
malware”,
the
agency
said.

“Any
organisation
seeking
to
use
CISA’s
ESXiArgs
recovery
script
should
carefully
review
the
script
to
determine
if
it
is
appropriate
for
their
environment
before
deploying
it. 

“This
script
does
not
seek
to
delete
the
encrypted
config
files,
but
instead
seeks
to
create
new
config
files
that
enable
access
to
the
VMs.”

About Author

AndyC

Andy Curtis is an award-winning security consultant, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by state and federal government, leading healthcare and banking providers across three continents. He has given talks about computer security for some of the world’s largest companies, worked with law enforcement agencies on investigations into hacking groups, and is a regular voice on TV and radio explaining IT security threats.

See author's posts

More Stories

Too much of a good thing? How security sprawl can weaken defences

Too much of a good thing? How security sprawl can weaken defences

23 hours ago AndyC
Kinsing malware exploits Apache Tomcat on Linux clouds

Kinsing malware exploits Apache Tomcat on Linux clouds

1 day ago AndyC
LogicMonitor launches LM Cost Optimisation tool for businesses

LogicMonitor launches LM Cost Optimisation tool for businesses

1 day ago AndyC
Organisations battle AI risks amid rise in supply chain attacks

Organisations battle AI risks amid rise in supply chain attacks

1 day ago AndyC
AUCloud Ramps Expands its Senior Leadership Team

AUCloud Ramps Expands its Senior Leadership Team

1 day ago AndyC
Cyberattacks exploiting trusted ties spanned over a month in 2023

Cyberattacks exploiting trusted ties spanned over a month in 2023

1 day ago AndyC

You may have missed

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

Turla APT used two new backdoors to infiltrate a European ministry of foreign affairs

5 hours ago AndyC

Friday Squid Blogging: Emotional Support Squid

5 hours ago AndyC

How to Protect Yourself on Social Networks

11 hours ago AndyC
Nissan reveals ransomware attack exposed 53,000 workers' social security numbers

Nissan reveals ransomware attack exposed 53,000 workers’ social security numbers

11 hours ago AndyC
With three zero-days, it’s a patch-now Patch Tuesday for May

With three zero-days, it’s a patch-now Patch Tuesday for May

11 hours ago AndyC

Subscribe To InfoSec Today News

You have successfully subscribed to the newsletter

There was an error while trying to send your request. Please try again.

World Wide Crypto will use the information you provide on this form to be in touch with you and to provide updates and marketing.