2023-02-08
CISA and FBI Offer Guidance for ESXiArgs Ransomware Virtual Machine Recovery
Editor's Note
Great move by CISA to provide the recovery script. The sad part is that this doesn't come from VMware. It also appears to be easier to create a script to recover from ransomware vs. a script to patch systems.
Johannes Ullrich
First off, make sure that your ESXi management interface is not exposed to the Internet. Second, make sure that you're on the latest version of ESXi, and third, make sure that you've disabled the Service Location Protocol (SLP), which is a target for this attack. If you've been attacked, work on the recovery before upgrading. Some organizations have been able to recover their VMs with the recovery script and not pay the ransom. It's worth a shot, particularly if you image the datastore first. CISA and the FBI would like you to report any discovered attacks to help their response efforts. Read the guidance for artifacts you should preserve.
Lee Neely
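The SLP hardening step in the note above, as an added example for the ESXi shell; this is not CISA's recovery script and not VMware's own tooling. It checks the three places SLP can still be reachable (the CIMSLP firewall ruleset, the slpd boot setting, and the running daemon) and, with --fix, applies the disablement sequence VMware documents in KB 76372. The command names and the CIMSLP ruleset name are from that KB; the exact text of the `/etc/init.d/slpd status` output and the column layout of `esxcli network firewall ruleset list` and `chkconfig --list` are assumptions, so the parsers are written to tolerate whitespace differences. The sample output at the bottom is constructed so the logic can be exercised on a workstation.

```shell
#!/bin/sh
# slp_audit.sh: audit (and optionally disable) SLP on an ESXi host.
# Added example, not code from CISA, the FBI, or VMware.
# Run on the host: ./slp_audit.sh        (audit only)
#                  ./slp_audit.sh --fix  (audit, disable SLP per VMware KB 76372, re-audit)

# Read `esxcli network firewall ruleset list` output (Name/Enabled columns) on stdin
# and print the Enabled value for the named ruleset; "unknown" if it is not listed.
ruleset_enabled() {
    awk -v name="$1" '$1 == name { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# Read `chkconfig --list` output (service/state columns) on stdin and print the
# boot state ("on"/"off") for the named service; "unknown" if absent.
service_boot_state() {
    awk -v name="$1" '$1 == name { print $2; found = 1 } END { if (!found) print "unknown" }'
}

# Classify the text returned by `/etc/init.d/slpd status`.
# Assumption: the script prints "slpd is running" or "slpd is not running".
slpd_running() {
    case "$1" in
        *"is running"*) echo yes ;;
        *)              echo no ;;
    esac
}

# SLP counts as disabled only when all three controls agree; anything else is
# reported as EXPOSED so a partially applied mitigation is not mistaken for done.
slp_verdict() {   # args: ruleset_enabled, boot_state, running
    if [ "$1" = "false" ] && [ "$2" = "off" ] && [ "$3" = "no" ]; then
        echo disabled
    else
        echo EXPOSED
    fi
}

# Collect live state from the host and print a verdict.
audit_host() {
    rs=$(esxcli network firewall ruleset list | ruleset_enabled CIMSLP)
    boot=$(chkconfig --list | service_boot_state slpd)
    run=$(slpd_running "$(/etc/init.d/slpd status 2>&1)")
    printf 'CIMSLP ruleset enabled: %s\nslpd at boot: %s\nslpd running: %s\nverdict: %s\n' \
        "$rs" "$boot" "$run" "$(slp_verdict "$rs" "$boot" "$run")"
}

# The disablement sequence from VMware KB 76372: stop the daemon, block the
# firewall ruleset, and keep slpd from starting on reboot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Constructed sample output (not captured from a real host), shaped like the
# ESXi tools print it, so the parsers can be exercised off-box.
SAMPLE_RULESETS='Name                 Enabled
-------------------  -------
sshServer            true
CIMSLP               true
webAccess            true'
SAMPLE_CHKCONFIG='sshd                on
slpd                on
vpxa                on'

# Run the parsers over the constructed sample; returns "EXPOSED" for this sample.
demo() {
    rs=$(printf '%s\n' "$SAMPLE_RULESETS" | ruleset_enabled CIMSLP)
    boot=$(printf '%s\n' "$SAMPLE_CHKCONFIG" | service_boot_state slpd)
    run=$(slpd_running "slpd is running")
    slp_verdict "$rs" "$boot" "$run"
}

# Only touch the host when the ESXi tooling is actually present.
if command -v esxcli >/dev/null 2>&1; then
    audit_host
    if [ "$1" = "--fix" ]; then
        disable_slp
        audit_host
    fi
fi
```

Disabling SLP closes one door; it does not patch the host, so after the verdict reads "disabled" the upgrade to a supported ESXi build still has to happen, and the management interface still needs to be off the Internet.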
As CISA and the FBI point out: make sure you have skilled staff that can use this tool safely. If you do, once they are done put them to work making sure you don’t have other 2-year-old missing patches or obsolete versions of software running exposed on critical business networks.
John Pescatore
Read more in
CISA: ESXiArgs Ransomware Virtual Machine Recovery Guidance
GitHub: ESXiArgs-Recover
The Register: Among the thousands of ESXiArgs ransomware victims? FBI and CISA to the rescue
SC Magazine: CISA releases ESXiArgs-recovery tool for VMware ransomware victims
Dark Reading: CISA Releases Recovery Script for Victims of ESXiArgs Ransomware