CISA supplies ESXiArgs-Recover tool for data recovery

B2B Cyber Security ShortNews


During the severe cyber attacks on thousands of older, unpatched VMware ESXi servers, many virtual machines were infected and encrypted with the ESXiArgs ransomware. ESXiArgs-Recover is a CISA tool that has already been able to recover data in some cases.

CISA is aware that some companies have reported successful file recovery without paying a ransom. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. This tool reconstructs virtual machine metadata from virtual disks that were not encrypted by the malware.

This is what VMware currently says about the attack

VMware has commented on the observations of the past few days. The company notes that, according to current knowledge, only vulnerabilities that have been known for a long time are being used in the attacks, but it gave no more detailed specification. It therefore cannot be ruled out that, in addition to CVE-2021-21974, other security gaps that have already been patched are also being exploited.
While there are currently many indications that systems that have already been infected can no longer be restored, because the encryption was carried out without errors, it may have been possible to clean up isolated cases using the script.

According to the BSI, attacks on targets in Germany have been definitely confirmed. This week, several German institutions reported to the BSI after attacks on their servers had taken place. At the same time, the BSI reports that the number of potentially vulnerable targets in Germany has decreased. This indicates that these systems have been patched in the meantime or that their accessibility from the Internet has been restricted.

ESXiArgs recovery tool

As the BSI reports, CISA has published a script that can, in some cases, restore systems that were encrypted as part of the ESXiArgs attacks. The tool is based on the findings of various sources. ESXiArgs-Recover is a tool that companies can use to attempt to recover virtual machines affected by the ESXiArgs ransomware attacks.

In this regard, the French CERT (CERT-FR) has confirmed that there is a chance of recovery, especially if only configuration files (.vmdk) have been encrypted and renamed with the .args extension. Several successfully tested procedures are documented.
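The two statements above (the CISA tool rebuilds virtual machine metadata from disks the malware did not encrypt, and CERT-FR's note that recovery is realistic only when the configuration files were the ones renamed to .args) translate into a concrete pre-check a recovery team can run before touching anything. The script below is an added illustration and is not the CISA tool or CERT-FR's procedure: it walks a datastore directory laid out one VM per folder, sorts each file into "renamed to .args" versus "backing -flat.vmdk still intact", and reports which VMs satisfy that precondition. It also shows what the "metadata" being rebuilt looks like by generating a plain-text VMDK descriptor for an intact flat extent. The directory layout, file names, adapter type and hardware version are constructed sample values; the descriptor layout is the standard VMware text format, but the adapter and hardware version are assumed defaults, so a real VM's values must come from its own original configuration.

```python
"""Triage an ESXi datastore directory for ESXiArgs recovery candidates.

Added example (not the CISA tool). Assumes the usual VMFS layout of one
directory per VM containing <vm>.vmx, <vm>.vmdk (descriptor) and
<vm>-flat.vmdk (data); encrypted files are recognised only by the
".args" rename the page describes.
"""
import os
import tempfile
from dataclasses import dataclass, field

ARGS_SUFFIX = ".args"       # extension the encrypted files were renamed with
FLAT_SUFFIX = "-flat.vmdk"  # backing data extent that must survive intact


@dataclass
class VmTriage:
    name: str
    encrypted: list = field(default_factory=list)       # *.args files (config/descriptor)
    intact_flat: list = field(default_factory=list)     # -flat.vmdk extents left untouched
    flat_encrypted: list = field(default_factory=list)  # -flat.vmdk extents renamed to .args

    @property
    def recoverable(self) -> bool:
        # Precondition from the page: something was encrypted, the data
        # extents were not, so descriptor metadata can be rebuilt on top of them.
        return bool(self.encrypted) and bool(self.intact_flat) and not self.flat_encrypted


def triage_vm_dir(vmdir: str) -> VmTriage:
    """Classify every regular file in one VM directory."""
    result = VmTriage(os.path.basename(vmdir.rstrip(os.sep)))
    for fname in sorted(os.listdir(vmdir)):
        if not os.path.isfile(os.path.join(vmdir, fname)):
            continue
        if fname.endswith(ARGS_SUFFIX):
            original = fname[: -len(ARGS_SUFFIX)]
            (result.flat_encrypted if original.endswith(FLAT_SUFFIX) else result.encrypted).append(fname)
        elif fname.endswith(FLAT_SUFFIX):
            result.intact_flat.append(fname)
    return result


def triage_datastore(root: str) -> dict:
    """Map VM directory name -> VmTriage for every subdirectory of the datastore."""
    return {
        d: triage_vm_dir(os.path.join(root, d))
        for d in sorted(os.listdir(root))
        if os.path.isdir(os.path.join(root, d))
    }


def summarize(root: str) -> dict:
    """VM name -> True if the page's recovery precondition holds."""
    return {name: t.recoverable for name, t in triage_datastore(root).items()}


def rebuild_descriptor(flat_path: str, adapter: str = "lsilogic", hw_version: str = "14") -> str:
    """Return descriptor text for an intact -flat.vmdk extent.

    The extent line (RW <sectors> VMFS "<flat name>") is what maps the
    descriptor back onto the data file. Geometry uses the common
    255 heads / 63 sectors convention; adapter and hardware version are
    assumed defaults for this example, not values read from the VM.
    """
    size = os.path.getsize(flat_path)
    if size % 512:
        raise ValueError("flat extent size is not a multiple of 512-byte sectors")
    sectors = size // 512
    cylinders = max(1, sectors // (255 * 63))
    flat_name = os.path.basename(flat_path)
    return "\n".join([
        "# Disk DescriptorFile", "version=1", 'encoding="UTF-8"',
        "CID=fffffffe", "parentCID=ffffffff", 'createType="vmfs"', "",
        "# Extent description", f'RW {sectors} VMFS "{flat_name}"', "",
        "# The Disk Data Base", "#DDB", "",
        f'ddb.adapterType = "{adapter}"', f'ddb.geometry.cylinders = "{cylinders}"',
        'ddb.geometry.heads = "255"', 'ddb.geometry.sectors = "63"',
        f'ddb.virtualHWVersion = "{hw_version}"', "",
    ])


def build_sample_datastore() -> str:
    """Constructed sample: three VMs in the states a triage has to tell apart."""
    root = tempfile.mkdtemp(prefix="esxiargs-triage-")
    layout = {
        "web01": ["web01.vmx.args", "web01.vmdk.args", "web01-flat.vmdk"],      # config hit, data intact
        "db02": ["db02.vmx.args", "db02.vmdk.args", "db02-flat.vmdk.args"],     # data extent also renamed
        "jump03": ["jump03.vmx", "jump03.vmdk", "jump03-flat.vmdk"],            # untouched
    }
    for vm, files in layout.items():
        os.makedirs(os.path.join(root, vm))
        for f in files:
            with open(os.path.join(root, vm, f), "wb") as fh:
                fh.truncate(1024 * 1024)  # sparse 1 MiB placeholder, 2048 sectors
    return root


if __name__ == "__main__":
    root = build_sample_datastore()
    for name, t in triage_datastore(root).items():
        if t.recoverable:
            status = "candidate: descriptor can be rebuilt on intact flat extent"
        elif not t.encrypted:
            status = "untouched"
        else:
            status = "data extent encrypted, not recoverable this way"
        print(f"{name}: {status}")
    print(rebuild_descriptor(os.path.join(root, "web01", "web01-flat.vmdk")))
```

Run it against a copied datastore listing, never the live host, and treat the "candidate" line as the cue to proceed with the CISA tool on that VM; the descriptor output only documents what the rebuilt metadata contains.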

Go to the ESXiArgs recover tool at GitHub.com

