Well, that didn’t take long.
The script that allowed VMware ESXi server owners infected with ransomware (opens in new tab) to restore the files no longer works, because the attackers updated the encryptor and patched the flaw it had. Now, those without endpoint protection most likely won’t be able to restore the files without getting the decryption key from the threat actors.
The news was confirmed by BleepingComputer (opens in new tab), whose researchers analyzed freshly obtained samples of the encryptor.
Abusing an old flaw
Late last week, national cybersecurity agencies of a few European countries, as well as those in the US and Canada, warned of a widespread, semi-automated attack against VMware’s ESXi servers. The attackers found more than 3,000 endpoints (at press time) that were vulnerable to a flaw that VMware patched two years ago, and used that flaw to deploy the ESXiArgs ransomware.
The attacked servers were located mostly in Europe (Italy, France, Finland), but also in the US and Canada. Businesses in France were allegedly worst-hit.
The country’s national government computer security incident response team, CERT-FR, said the attack was semi-automated, targeting servers vulnerable to CVE-2021-21974. The flaw is described as an OpenSLP HeapOverflow vulnerability, allowing threat actors to execute code remotely.
But soon after, researchers discovered that the encryptor was flawed and while in the process of encrypting big files, skipped large portions of them. That gave two researchers from YoreGroup Tech Team plenty of unencrypted files to work with, which helped them devise a way to decrypt the files and restore access to the compromised devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) later chimed in, creating a script to automate the work, and shared it on GitHub.
But good news didn’t last long, as the threat actors now started deploying an updated version of the encryptor, with the flaw eliminated. Still, everyone recommends victims try and use CISA’s script, just in case.
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba