ESXi Ransomware Update Outfoxes CISA Recovery ScriptESXi Ransomware Update Outfoxes CISA Recovery Script
New ESXiArgs-ransomware attacks include a workaround for CISA's decryptor, researchers find.
February 16, 2023
Just a week after the Cybersecurity and Infrastructure Security Agency (CISA) released its recovery script against ransomware targeting VMWare ESXi virtual machines, a modified version of the malware is already in circulation that renders the decryptor script useless.
So far, around 3,800 servers across the globe have already fallen victim to EXSiArgs ransomware, CISA and the FBI warn.
"Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB," researchers at Malwarebytes said in a new report on the ESXi vulnerability. "This ensures that all files larger than 128MB are encrypted for 50%. Files under 128MB are fully encrypted which was also the case in the old variant."
Targets of ESXi-Args ransomware can tell if they are infected with the new variant if the ransom note directs the victim to contact the threat actor via the TOX encrypted messenger, the report added. The ransom note from the old ESXiArgs variant that can be mitigated by the CISA-issued decryptor includes a Bitcoin address.
About the Author(s)
You May Also Like
Modern Supply Chain Security: Integrated, Interconnected, and Context-DrivenNov 06, 2023
How to Combat the Latest Cloud Security ThreatsNov 06, 2023
Reducing Cyber Risk in Enterprise Email Systems: It's Not Just Spam and PhishingNov 01, 2023
SecOps & DevSecOps in the CloudNov 06, 2023
What's In Your Cloud?Nov 30, 2023