During the severe cyber attacks on thousands of older, unpatched VMware ESXi servers, many virtual machines were infected and encrypted with the ESXiArgs ransomware. ESXiArgs-Recover is a CISA tool that has already been able to recover data in some cases.
CISA is aware that some companies have reported successful file recovery without paying a ransom. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool reconstructs virtual machine metadata from virtual disks that were not encrypted by the malware.
This is what VMware currently says about the attack
VMware has commented on the observations of the past few days. The company notes that, according to current knowledge, only vulnerabilities that have been known for a long time are being used in the attacks. VMware did not give further details. It therefore cannot be ruled out that, in addition to CVE-2021-21974, other already-patched vulnerabilities are also being exploited.
While there are many indications that already-infected systems cannot be restored where the encryption completed without errors, isolated cases may have been cleaned up using the script.
According to the BSI, attacks on targets in Germany have been definitely confirmed. This week, several German institutions reported to the BSI after their servers had been attacked. At the same time, the BSI reports that the number of potentially vulnerable targets in Germany has decreased, which indicates that these systems have since been patched or that their accessibility from the Internet has been restricted.
ESXiArgs recovery tool
As the BSI reports, CISA has published a script that can, in some cases, restore systems that were encrypted as part of the ESXiArgs attacks. The tool is based on the findings of various sources. ESXiArgs-Recover is a tool that companies can use to attempt to recover virtual machines affected by the ESXiArgs ransomware attacks.
In this regard, the French CERT (CERT-FR) confirmed that there is a chance of recovery, especially if only the configuration files (.vmdk) have been encrypted and renamed with the .args extension. Several successfully tested procedures are documented.
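The reconstruction step described above, as an added example that is not the CISA script or the Sonmez/Aykac tutorial: it looks for VMs whose large -flat.vmdk data extent is intact while only the small descriptor was encrypted and renamed to .vmdk.args, and writes a fresh descriptor sized from the extent. The sample file names, the lsilogic geometry and hardware version 14 are assumptions; adjust them to the affected VM and work on a copy of the datastore files first.

```python
import tempfile
from pathlib import Path

SECTOR, HEADS, SPT = 512, 255, 63   # assumed default geometry for an lsilogic disk
HW_VERSION = "14"                   # assumed; match the VM's own hardware version

def descriptor_text(flat_name: str, size_bytes: int) -> str:
    """Plain VMFS descriptor pointing at an intact -flat.vmdk extent."""
    if size_bytes % SECTOR:
        raise ValueError("extent is not a whole number of 512-byte sectors")
    sectors = size_bytes // SECTOR
    cylinders = sectors // (HEADS * SPT)
    lines = [
        "# Disk DescriptorFile", "version=1", 'encoding="UTF-8"',
        "CID=fffffffe", "parentCID=ffffffff", 'createType="vmfs"', "",
        "# Extent description", f'RW {sectors} VMFS "{flat_name}"', "",
        "# The Disk Data Base", "#DDB", "",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        f'ddb.virtualHWVersion = "{HW_VERSION}"', "",
    ]
    return "\n".join(lines)

def find_recoverable(vm_dir: Path) -> list[tuple[Path, Path]]:
    """(flat, encrypted descriptor) pairs: data intact, only the small .vmdk hit."""
    pairs = []
    for flat in sorted(vm_dir.glob("*-flat.vmdk")):
        base = flat.name.removesuffix("-flat.vmdk")
        enc, plain = vm_dir / f"{base}.vmdk.args", vm_dir / f"{base}.vmdk"
        if enc.exists() and not plain.exists():   # never overwrite a live descriptor
            pairs.append((flat, enc))
    return pairs

def rebuild_descriptors(vm_dir: Path) -> list[Path]:
    """Write a fresh descriptor next to each recoverable extent; return what was written."""
    written = []
    for flat, _ in find_recoverable(vm_dir):
        out = vm_dir / flat.name.replace("-flat.vmdk", ".vmdk")
        out.write_text(descriptor_text(flat.name, flat.stat().st_size))
        written.append(out)
    return written

def make_sample(vm_dir: Path, size_bytes: int = 64 * 1024 * 1024) -> None:
    """Constructed sample: a sparse 64 MiB extent plus an encrypted, renamed descriptor."""
    with open(vm_dir / "web01-flat.vmdk", "wb") as f:
        f.seek(size_bytes - 1); f.write(b"\0")
    (vm_dir / "web01.vmdk.args").write_bytes(b"ciphertext-placeholder")
```

Calling `make_sample(Path(tempfile.mkdtemp()))` and then `rebuild_descriptors` on that directory produces a web01.vmdk whose extent line reads `RW 131072 VMFS "web01-flat.vmdk"`; a second run writes nothing because the descriptor now exists.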
Go to the ESXiArgs recover tool at GitHub.com