{"id":50586,"date":"2023-02-16T01:30:06","date_gmt":"2023-02-16T01:30:06","guid":{"rendered":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/"},"modified":"2023-02-16T01:30:06","modified_gmt":"2023-02-16T01:30:06","slug":"esxiargs-ransomware-fights-off-team-americas-data-recovery-script","status":"publish","type":"post","link":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/","title":{"rendered":"ESXiArgs ransomware fights off Team America&#8217;s data recovery script"},"content":{"rendered":"<p>That didn&#8217;t take long.<\/p>\n<p>A week after the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2023\/02\/08\/esxiargs_ransomware_recovery_script\/\" rel=\"noopener\">released<\/a> a recovery <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.cisa.gov\/uscert\/ncas\/alerts\/aa23-039a\">script<\/a> to help victims of the widespread ESXiArgs ransomware attacks recover infected systems, an updated variant of the malware aimed at vulnerable VMware ESXi virtual machines can&#8217;t be remediated with the government agencies&#8217; code, according to Malwarebytes.<\/p>\n<p>The variant can&#8217;t be decrypted using the script <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/github.com\/cisagov\/ESXiArgs-Recover\">released<\/a> to GitHub by CISA because, unlike earlier versions, it doesn&#8217;t leave large sections of data unencrypted, according to Pieter Arntz, a malware analyst at Malwarebytes.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"condor\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>&#8220;This makes recovery next to impossible,&#8221; Arntz wrote in a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/new-esxiargs-encryption-routine-outmaneuvers-recovery-methods\">post<\/a> this week, noting reports from victims of recent ESXiArgs attacks about the ransomware&#8217;s new encryptor.<\/p>\n<p>The updated malware succeeds because CISA&#8217;s ESXiArgs-Recover tool was created with reference to publicly available resources, including a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/enes.dev\/\">tutorial<\/a> by Enes Sonmez and Ahmet Aykac, that describes the malware&#8217;s workings.<\/p>\n<p>In its alert explaining the recovery script, CISA noted that ESXiArgs encrypts particular configuration associated with VMS on vulnerable servers, making the virtual machines unusable.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xmd=\",fluid,mpu,leaderboard,\" data-lg=\",fluid,mpu,leaderboard,\" data-xlg=\",fluid,billboard,superleaderboard,mpu,leaderboard,\" data-xxlg=\",fluid,billboard,superleaderboard,brandwidth,brandimpact,leaderboard,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<div class=\"adun_eagle_desktop_story_wrapper\">\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"mid\" data-raptor=\"eagle\" data-xxlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<\/p><\/div>\n<p>&#8220;As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file,&#8221; CISA wrote. &#8220;The recovery script documented below automates the process of recreating configuration files.&#8221;<\/p>\n<p>The new variant of ESXiArgs encrypts more data than CISA&#8217;s recovery tool is designed to recover.<\/p>\n<div aria-hidden=\"true\" class=\"adun\" data-pos=\"top\" data-raptor=\"falcon\" data-xsm=\",fluid,mpu,\" data-sm=\",fluid,mpu,\" data-md=\",fluid,mpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D4%26raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=4&amp;c=44Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D426raptor%3Dfalcon%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>&#8220;Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB,&#8221; Arntz wrote. &#8220;This ensures that all files larger than 128 MB are encrypted for 50 percent. Files under 128MB are fully encrypted which was also the case in the old variant.&#8221;<\/p>\n<p>The ransomware note will tell victims if they&#8217;re dealing with the new variant. Also, unlike the original note, the new build doesn&#8217;t mention a Bitcoin address, he wrote. Instead, the victims are instructed to contact the miscreants on Tox Chat, an encrypted messaging service.<\/p>\n<p>Arntz speculated that it&#8217;s &#8220;likely that this change was triggered by the fear of tracking payments through the blockchain which might eventually lead to the threat actor.&#8221;<\/p>\n<div aria-hidden=\"true\" class=\"adun\" id=\"story_eagle_xsm_sm_md_xmd_lg_xlg\" data-pos=\"mid\" data-raptor=\"eagle\" data-xsm=\",mpu,dmpu,\" data-sm=\",mpu,dmpu,\" data-md=\",mpu,dmpu,\" data-xmd=\",mpu,dmpu,\" data-lg=\",mpu,dmpu,\" data-xlg=\",mpu,dmpu,\"> <noscript> <a href=\"https:\/\/pubads.g.doubleclick.net\/gampad\/jump?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" target=\"_blank\" rel=\"noopener\"> <img decoding=\"async\" src=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=3&amp;c=33Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D3%26raptor%3Deagle%26pos%3Dmid%26test%3D0\" alt> <\/a> <\/noscript> <\/div>\n<p>CISA last week said that more than 3,800 servers around the world were infected with the original ESXiArgs ransomware, though researchers at Arctic Wolf <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/arcticwolf.com\/resources\/blog-uk\/active-esxiargs-ransomware-campaign-targeting-esxi-servers\/\">said<\/a> the count could be higher.<\/p>\n<p>The fast-emerging ransomware campaign came into the spotlight after cybersecurity agencies in France and Italy said a vulnerability in VMware&#8217;s bare metal hypervisor ESXi was being exploited. The flaw \u2013 <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/cve.mitre.org\/cgi-bin\/cvename.cgi?name=CVE-2021-21974\">CVE-2021-21974<\/a>, with a severity score of 9.1 out of 10 \u2013 was <a target=\"_blank\" href=\"https:\/\/www.theregister.com\/2021\/02\/23\/vmware_vsphere_critical_bugs\/\" rel=\"noopener\">disclosed and patched<\/a> in 2021.<\/p>\n<p>&#8220;The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied,&#8221; CISA wrote in its report. According to Malwarebytes&#8217; Arntz, some victims told the cybersecurity vendor that the SLP network service was disabled, which VMware said was a <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/kb.vmware.com\/s\/article\/76372\">workaround<\/a> for the vulnerability.<\/p>\n<p>He added that CVE-2021-21974 was &#8220;the prime, but not the only, suspect in this case.&#8221;<\/p>\n<p>Malwarebytes researchers noted in their initial <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/www.malwarebytes.com\/blog\/news\/2023\/02\/two-year-old-vulnerability-used-in-ransomware-attack-against-vmware-esxi\">report<\/a> last week about ESXiArgs that other vulnerabilities in the hypervisor \u2013 notably CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699 \u2013 can enable cybercriminals to take over infected systems through a remote code execution (RCE) attack.<\/p>\n<p>That said, Malwarebytes is urging enterprises to either update ESXi or make the ESXi VMs inaccessible from the internet.<\/p>\n<p>VMware has issued its own <a target=\"_blank\" rel=\"nofollow noopener\" href=\"https:\/\/blogs.vmware.com\/security\/2023\/02\/83330.html\">recommendations<\/a>.<\/p>\n<p>Initial reports pointed to ESXiArgs being linked to the Nevada ransomware family that hit the scene in December 2022. However, opinion shifted, with others suggesting the malware is based on the Babuk source code, which was leaked in 2021 and has been tied to other ESXi ransomware attacks. \u00ae<\/p>\n<p> READ MORE <a href=\"https:\/\/go.theregister.com\/feed\/www.theregister.com\/2023\/02\/16\/esxiargs_ransomware_variant_cisa\/\">HERE<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Want a clue to what you\u2019re dealing with? Check the ransom note That didn&#8217;t take long.\u2026 READ MORE HERE&#8230;<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"colormag_page_layout":"default_layout","footnotes":""},"categories":[63],"tags":[],"class_list":["post-50586","post","type-post","status-publish","format-standard","hentry","category-the-register"],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.8 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>ESXiArgs ransomware fights off Team America&#039;s data recovery script 2026 | ThreatsHub Cybersecurity News<\/title>\n<meta name=\"description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"ESXiArgs ransomware fights off Team America&#039;s data recovery script 2026 | ThreatsHub Cybersecurity News\" \/>\n<meta property=\"og:description\" content=\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security &amp; Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/\" \/>\n<meta property=\"og:site_name\" content=\"ThreatsHub Cybersecurity News\" \/>\n<meta property=\"article:published_time\" content=\"2023-02-16T01:30:06+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\" \/>\n<meta name=\"author\" content=\"TH Author\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@threatshub\" \/>\n<meta name=\"twitter:site\" content=\"@threatshub\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"TH Author\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"3 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/\"},\"author\":{\"name\":\"TH Author\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\"},\"headline\":\"ESXiArgs ransomware fights off Team America&#8217;s data recovery script\",\"datePublished\":\"2023-02-16T01:30:06+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/\"},\"wordCount\":635,\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"articleSection\":[\"The Register\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/\",\"name\":\"ESXiArgs ransomware fights off Team America's data recovery script 2026 | ThreatsHub Cybersecurity News\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/#primaryimage\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/#primaryimage\"},\"thumbnailUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"datePublished\":\"2023-02-16T01:30:06+00:00\",\"description\":\"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/#primaryimage\",\"url\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\",\"contentUrl\":\"https:\\\/\\\/pubads.g.doubleclick.net\\\/gampad\\\/ad?co=1&amp;iu=\\\/6978\\\/reg_security\\\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\\\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"ESXiArgs ransomware fights off Team America&#8217;s data recovery script\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#website\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"name\":\"ThreatsHub Cybersecurity News\",\"description\":\"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform\",\"publisher\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\"},\"alternateName\":\"Threatshub.org\",\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#organization\",\"name\":\"ThreatsHub.org\",\"alternateName\":\"Threatshub.org\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"contentUrl\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/wp-content\\\/uploads\\\/2025\\\/05\\\/Threatshub_Favicon1.jpg\",\"width\":432,\"height\":435,\"caption\":\"ThreatsHub.org\"},\"image\":{\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/logo\\\/image\\\/\"},\"sameAs\":[\"https:\\\/\\\/x.com\\\/threatshub\"]},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/www.threatshub.org\\\/blog\\\/#\\\/schema\\\/person\\\/12e0a8671ff89a863584f193e7062476\",\"name\":\"TH Author\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g\",\"caption\":\"TH Author\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"ESXiArgs ransomware fights off Team America's data recovery script 2026 | ThreatsHub Cybersecurity News","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/","og_locale":"en_US","og_type":"article","og_title":"ESXiArgs ransomware fights off Team America's data recovery script 2026 | ThreatsHub Cybersecurity News","og_description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","og_url":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/","og_site_name":"ThreatsHub Cybersecurity News","article_published_time":"2023-02-16T01:30:06+00:00","og_image":[{"url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","type":"","width":"","height":""}],"author":"TH Author","twitter_card":"summary_large_image","twitter_creator":"@threatshub","twitter_site":"@threatshub","twitter_misc":{"Written by":"TH Author","Est. reading time":"3 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/#article","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/"},"author":{"name":"TH Author","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476"},"headline":"ESXiArgs ransomware fights off Team America&#8217;s data recovery script","datePublished":"2023-02-16T01:30:06+00:00","mainEntityOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/"},"wordCount":635,"publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","articleSection":["The Register"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/","url":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/","name":"ESXiArgs ransomware fights off Team America's data recovery script 2026 | ThreatsHub Cybersecurity News","isPartOf":{"@id":"https:\/\/www.threatshub.org\/blog\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/#primaryimage"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/#primaryimage"},"thumbnailUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","datePublished":"2023-02-16T01:30:06+00:00","description":"ThreatsHub Cybersecurity News | ThreatsHub.org | Cloud Security & Cyber Threats Analysis Hub. 100% Free OSINT Threat Intelligent and Cybersecurity News.","breadcrumb":{"@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/#primaryimage","url":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0","contentUrl":"https:\/\/pubads.g.doubleclick.net\/gampad\/ad?co=1&amp;iu=\/6978\/reg_security\/front&amp;sz=300x50%7C300x100%7C300x250%7C300x251%7C300x252%7C300x600%7C300x601&amp;tile=2&amp;c=2Y@3LvNk3PQYvJILjtimPWwAAAIg&amp;t=ct%3Dns%26unitnum%3D2%26raptor%3Dcondor%26pos%3Dtop%26test%3D0"},{"@type":"BreadcrumbList","@id":"https:\/\/www.threatshub.org\/blog\/esxiargs-ransomware-fights-off-team-americas-data-recovery-script\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.threatshub.org\/blog\/"},{"@type":"ListItem","position":2,"name":"ESXiArgs ransomware fights off Team America&#8217;s data recovery script"}]},{"@type":"WebSite","@id":"https:\/\/www.threatshub.org\/blog\/#website","url":"https:\/\/www.threatshub.org\/blog\/","name":"ThreatsHub Cybersecurity News","description":"%%focuskw%% Threat Intel \u2013 Threat Intel Services \u2013 CyberIntelligence \u2013 Cyber Threat Intelligence - Threat Intelligence Feeds - Threat Intelligence Reports - CyberSecurity Report \u2013 Cyber Security PDF \u2013 Cybersecurity Trends - Cloud Sandbox \u2013- Threat IntelligencePortal \u2013 Incident Response \u2013 Threat Hunting \u2013 IOC - Yara - Security Operations Center \u2013 SecurityOperation Center \u2013 Security SOC \u2013 SOC Services - Advanced Threat - Threat Detection - TargetedAttack \u2013 APT \u2013 Anti-APT \u2013 Advanced Protection \u2013 Cyber Security Services \u2013 Cybersecurity Services -Threat Intelligence Platform","publisher":{"@id":"https:\/\/www.threatshub.org\/blog\/#organization"},"alternateName":"Threatshub.org","potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.threatshub.org\/blog\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.threatshub.org\/blog\/#organization","name":"ThreatsHub.org","alternateName":"Threatshub.org","url":"https:\/\/www.threatshub.org\/blog\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/","url":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","contentUrl":"https:\/\/www.threatshub.org\/blog\/coredata\/uploads\/2025\/05\/Threatshub_Favicon1.jpg","width":432,"height":435,"caption":"ThreatsHub.org"},"image":{"@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/threatshub"]},{"@type":"Person","@id":"https:\/\/www.threatshub.org\/blog\/#\/schema\/person\/12e0a8671ff89a863584f193e7062476","name":"TH Author","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/066276f086d5155df79c850206a779ad368418a844da0182ce43f9cd5b506c3d?s=96&d=mm&r=g","caption":"TH Author"}}]}},"_links":{"self":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50586","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/comments?post=50586"}],"version-history":[{"count":0,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/posts\/50586\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/media?parent=50586"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/categories?post=50586"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.threatshub.org\/blog\/wp-json\/wp\/v2\/tags?post=50586"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}