"The United States, France, Italy amongst countries impacted by ESXiArgs ransomware. FBI and CISA also issued a joint alert about blocking the ransomware."
CISA
The Record
Jonathan Greig
February 8, 2023

https://www.cybernewscentre.com/plus-content/content/cisa-publishes-recovery-script-for-esxiargs-ransomware-as-florida-courts-universities-reel

The Cybersecurity and Infrastructure Security Agency has published a process for recovering files for organizations affected by the ESXiArgs ransomware, which has wreaked havoc on organizations across the world since last Friday. 

On its GitHub page Tuesday evening, CISA said victims should evaluate the script before using it to try to recover access to affected files. The script is based on work by two Turkish developers who posted a step-by-step tutorial earlier this week.

The ransomware exploits a 2-year-old vulnerability affecting VMware ESXi servers — CVE-2021-21974 — and has already encrypted files at more than 3,800 organizations across the United States, France, Italy and more. The company issued a patch in 2021. ESXi servers are used to access several operating systems through one server.

Reuters reported on Tuesday that Florida’s Supreme Court, the Georgia Institute of Technology, Rice University and several schools in Hungary and Slovakia were some of the ransomware’s victims. 

CISA specifically pointed to the work of Enes Sönmez and Ahmet Aykaç, two developers for the Turkish food retail and distribution company Yöre Group.

The script works “by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” CISA said.

CISA went on to warn that it “does not assume liability for damage caused by this script.”

The FBI and CISA also issued a joint alert about blocking the ransomware and responding to attacks.

European cybersecurity authorities began warning of “massive active network exploitation” on Friday. Italy’s National Cybersecurity Agency (ACN) joined France’s computer emergency response team (CERT-FR) and Finland’s Kyberturvallisuuskeskus (Cybersecurity Center) in issuing warnings over the weekend about the campaign.

References:

National Cybersecurity Agency (ACN)

General Secretariat for Defense and National Security of the Republic of France
