New ESXiArgs Ransomware Version Targeting VMware ESXi Users

Date:

February 8, 2023


There are reports of a second wave of ransomware attacks after the operators updated the malware to encrypt the large flat files (the .vmdk data files) it had previously left mostly untouched, closing a gap in the first version's encryption routine that had made a recovery script possible. That script, which rebuilt virtual machines from the intact flat files, was released by CISA after the first wave of attacks, but it will be ineffective on servers infected with the latest version of the ESXiArgs variant.

Late last week, widespread automated ransomware attacks impacted thousands of vulnerable VMware ESXi servers using the novel ESXiArgs ransomware. The updated version is more disruptive to victim organizations because it encrypts the flat files the first version skipped, removing the data the recovery approach depended on and making remediation far more difficult.

This wave of ransomware attacks has been targeting VMware ESXi servers that are still exposed to a two-year-old vulnerability for which a patch has been available for some time. Victim organizations that fall prey to attackers through vulnerabilities with published patches often come under criticism for not having applied them in a timely manner. But patching itself sometimes presents problems.

“Patching systems like VMware can be highly complex for some organizations. In order to avoid breaking critical business systems, patches often need to be applied in development and tested prior to production,” said Jon Miller, CEO and Co-founder at ransomware prevention specialist Halcyon.

“Even then, some issues prevent patching due to legacy systems/software or internal (home-brewed) scripts/applications that will break if the patch is applied. Thus, there can be months+ of work to do before they can be protected, greatly contributing to the large number of vulnerable ESXi/VMs/servers.”

CISA (the Cybersecurity and Infrastructure Security Agency) released a script that was effective in recovering systems hit by the first version of the ESXiArgs ransomware, but the agency included an emphatic “no warranty” disclaimer along with it.

“CISA releasing a script with no guarantee applying it will solve the issue for impacted organizations to regain access and control of their VMware servers is a statement,” Miller continued. “It is rare for CISA to release a tool like this, and shows the level of concern surrounding ransomware operators moving to target beyond traditional corporate endpoints.”

Takeaway: recovering from a ransomware attack is exceedingly difficult, and even the agencies charged with protecting organizations and offering guidance on defending against and responding to these attacks are still struggling to deliver a consistent and effective strategy. With the cost of responding to a ransomware attack running well into the millions of dollars per event, preventing the attack from succeeding in the first place is the only viable strategy.