ESXiArgs Ransomware Strikes Again with Improved Encryption Routine

Feb 9, 2023 | News

New Version of ESXiArgs Ransomware

Ransomware attacks on VMware ESXi servers have taken a turn for the worse, with a new version of ESXiArgs ransomware making data recovery close to impossible.

Over the last week, more than 3,000 Internet-exposed VMware ESXi servers were encrypted in a widespread automated attack using this new ransomware strain.

The malware uses an encrypt.sh script that looks for virtual machine files and encrypts them only partially, in fixed-size chunks separated by stretches of untouched data. The latest version changes the encryption routine so that far more of each file is encrypted, and the change is significant enough that the previous recovery methods, which depended on most of the data being left intact, no longer work.

Encryption routine changed, making recovery unlikely

An admin reported the new wave of attacks after their server was encrypted and could not be recovered using the previous methods. The new version of the encrypt.sh script has removed the size_step calculation, so every file over 128 MB now has half of its data encrypted, which makes recovery unlikely.

In addition, the new version of the ransom note no longer includes bitcoin addresses, making it harder to track ransom payments. Even more concerning, the server that was breached had SLP disabled, the service the first wave of attacks was believed to exploit, which raises questions about how the breach occurred.

Ransomware expert Michael Gillespie stated that the change in the encryption routine means that the encryptor alternates between encrypting and skipping 1 MB of data, making recovery close to impossible.
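To make the recovery argument in the two paragraphs above concrete, here is an added Python model of the chunk-and-skip pattern. It is not code from the article, from BleepingComputer, or from the malware; it performs no encryption and only computes which byte ranges the encryptor would overwrite, under the first-wave rule where size_step was derived from the file size and under the second-wave rule where the encryptor alternates between encrypting and skipping 1 MB. The 128 MB threshold and the 1 MB alternation come from the page; the 1 MB chunk size, the first-wave formula (size in MB / 100, minus 1) and the assumption that small files are still fully encrypted in the second wave are illustrative assumptions.

```python
"""Model of the ESXiArgs encrypt.sh chunk-and-skip pattern.

Added example, not code from the article or from the malware. The article
says encrypt.sh encrypts virtual machine files in increments, that the first
version derived a size_step value for files over 128 MB, and that the second
version dropped that calculation so the encryptor simply alternates between
encrypting and skipping 1 MB, leaving half of each large file encrypted.
The functions below reproduce that stride arithmetic to show why the change
matters for recovery. No encryption is performed; only the byte ranges the
encryptor would overwrite are computed.

Assumptions (not stated on the page): a 1 MB chunk size, and the first-wave
size_step formula (size_in_MB / 100 - 1) used for the "old" variant.
"""

MB = 1024 * 1024
THRESHOLD_KB = 128 * 1024  # files at or below 128 MB are fully encrypted


def size_step_first_wave(size_bytes: int) -> int:
    """Chunks skipped after each encrypted chunk, first-wave rule.

    Assumed formula: the step grows with file size, so a 10 GB VMDK had
    roughly 1% of its bytes encrypted and the rest was left intact.
    """
    size_kb = size_bytes // 1024
    if size_kb <= THRESHOLD_KB:
        return 0
    return max(size_kb // 1024 // 100 - 1, 0)


def size_step_second_wave(size_bytes: int) -> int:
    """Second-wave rule: step fixed at 1 for large files (encrypt 1 MB, skip 1 MB)."""
    size_kb = size_bytes // 1024
    return 0 if size_kb <= THRESHOLD_KB else 1


def encrypted_ranges(size_bytes: int, size_step: int, chunk: int = MB):
    """Return [(start, end), ...] byte ranges the encryptor would overwrite.

    Walk the file: encrypt one chunk, then skip size_step chunks, repeat.
    A size_step of 0 therefore encrypts the whole file.
    """
    ranges = []
    offset = 0
    while offset < size_bytes:
        end = min(offset + chunk, size_bytes)
        ranges.append((offset, end))
        offset = end + size_step * chunk
    return ranges


def encrypted_fraction(size_bytes: int, size_step: int) -> float:
    """Fraction of the file's bytes that end up encrypted."""
    if size_bytes == 0:
        return 0.0
    touched = sum(end - start for start, end in encrypted_ranges(size_bytes, size_step))
    return touched / size_bytes


def compare_waves(size_bytes: int) -> dict:
    """Encrypted fraction under both rules for a file of the given size."""
    return {
        "first_wave": encrypted_fraction(size_bytes, size_step_first_wave(size_bytes)),
        "second_wave": encrypted_fraction(size_bytes, size_step_second_wave(size_bytes)),
    }


if __name__ == "__main__":
    for label, size in [("64 MB (small vmdk)", 64 * MB), ("10 GB flat vmdk", 10 * 1024 * MB)]:
        result = compare_waves(size)
        print(f"{label}: first wave {result['first_wave']:.2%} encrypted, "
              f"second wave {result['second_wave']:.2%} encrypted")
```

Under the first-wave rule a 10 GB flat VMDK has about 1% of its bytes overwritten, which is why rebuilding the disk from the untouched flat file was viable; under the second-wave rule exactly half of every large file is overwritten, with no 1 MB region more than 1 MB away from encrypted data, so there is no large intact run left to rebuild from.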

Security experts still recommend attempting recovery with CISA's script

While security experts still recommend attempting to recover encrypted ESXi servers using CISA's recovery script, it is likely to be ineffective for servers hit in the second wave of attacks that used the new encryption routine.

For support and further information on the ESXiArgs ransomware, there is a dedicated support topic available in the BleepingComputer forums.

Source: bleepingcomputer.com