{"id":50493,"date":"2023-02-09T17:00:00","date_gmt":"2023-02-09T17:00:00","guid":{"rendered":"https:\/\/www.networkworld.com\/article\/3687610\/vmware-esxi-server-ransomware-evolves-after-recovery-script-released.html#tk.rss_security"},"modified":"2023-02-09T17:00:00","modified_gmt":"2023-02-09T17:00:00","slug":"vmware-esxi-server-ransomware-evolves-after-recovery-script-released","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/vmware-esxi-server-ransomware-evolves-after-recovery-script-released\/","title":{"rendered":"VMware ESXi server ransomware evolves, after recovery script released"},"content":{"rendered":"
<\/div>\n

After the FBI and the Cybersecurity and Infrastructure Security Agency (CISA) on Wednesday released a recovery script for organizations affected by a massive ransomware attack targeting VMWare ESXi servers worldwide<\/a>, reports surfaced that the malware evolved in a way that made earlier recovery procedures ineffective.<\/p>\n

The attacks, aimed at VMware\u2019s ESXi bare metal hypervisor<\/a>, were first made public February 3 by the French Computer Emergency Response Team (CERT-FR), and target ESXi instances running older versions of the software, or those that have not been patched to current standards. Some 3,800 servers have been affected globally, CISA and the FBI said.<\/p>\n

The ransomware<\/a> encrypts configuration files on vulnerable virtual machines, making them potentially unusable. One ransom note issued to an affected company asked for about $23,000 in bitcoin.<\/p>\n

CISA, in conjunction with the FBI, has released a recovery script<\/a>. The group said that the script does not delete the affected configuration files, but attempts to create new ones. It\u2019s not a guaranteed way to circumvent the ransom demands, and doesn\u2019t fix the root vulnerability that allowed the ESXiArgs attack to function in the first place, but it could be a crucial first step for affected companies.<\/p>\n

CISA notes that after running the script, organizations should immediately update their servers to the latest versions, disable the Service Location Protocol (SLP) service that the ESXiArgs attackers used to compromise the virtual machines<\/a>, and cut the ESXi hypervisors off from the public Internet before reinitializing systems.<\/p>\n

After CISA released its guidance, however, reports surfaced that a new version of the ransomware was infecting servers and rendering prior recovery methods ineffective. The new version of the ransomware was first reported by Bleeping Computer<\/a>.<\/p>\n