After the FBI and CISA on Wednesday released a recovery script for organisations affected by a massive ransomware campaign targeting VMware ESXi servers worldwide, reports surfaced that the malware had evolved in a way that made the earlier recovery procedure ineffective.
The attacks, aimed at VMware's ESXi bare-metal hypervisor, were first made public on February 3 by the French Computer Emergency Response Team (CERT-FR). They target ESXi instances running older versions of the software, or instances that have not been patched to current levels. Some 3,800 servers have been affected globally, CISA and the FBI said.
The ransomware, dubbed ESXiArgs after the .args files it leaves alongside each encrypted file, encrypts the configuration and disk-descriptor files of virtual machines stored on compromised ESXi hosts, making those VMs potentially unusable. One ransom note issued to an affected company asked for about $23,000 in bitcoin.
CISA, in conjunction with the FBI, has released a recovery script. The agencies said the script does not delete the encrypted configuration files but attempts to build new ones from the VM data the malware left untouched. It is not a guaranteed way around the ransom demand, and it does not fix the underlying vulnerability that let ESXiArgs in, but it can be a crucial first step for affected organisations.
CISA notes that after running the script, organisations should immediately update their ESXi hosts to the latest patched version, disable the Service Location Protocol (SLP) service through which the ESXiArgs attackers compromised the hosts, and cut the hypervisors off from the public internet before bringing systems back into service.
After CISA released its guidance, however, reports surfaced that a new version of the ransomware was infecting servers and rendering prior recovery methods ineffective. The new version of the ransomware was first reported by Bleeping Computer.
CISA says: Take these server security procedures
Whether or not the CISA script is usable in a given organisation's situation, the FBI and CISA recommend that affected organisations follow those three steps anyway: patching the hosts to a current version (which is not vulnerable to the ESXiArgs attack), shutting down the SLP service, and cutting the hosts off from the public internet are all important mitigations.
The vulnerability believed to have been exploited is CVE-2021-21974, a heap-overflow flaw in the OpenSLP service used by ESXi. VMware patched it in February 2021, so a fix has been available for almost two years.
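The SLP mitigation above is a short procedure in the ESXi Shell. The following script is an added example (not from the article, CISA or VMware): it applies the slpd and firewall steps that VMware documents in KB 76372, and it separates the command output parsing into small functions so the result can be verified rather than assumed. It assumes root access to the ESXi Shell (for example over SSH); the sample command outputs used in the comments are constructed. Patching the host itself is out of scope here and still has to be done with esxcli software profile update or Lifecycle Manager.

```shell
#!/bin/sh
# Added example: disable and verify the SLP service on an ESXi host.
# Assumes: root in the ESXi Shell; commands per VMware KB 76372.

# Parse the output of `chkconfig slpd`, e.g. "slpd                    on".
# Returns 0 (true) when slpd is configured to start, 1 otherwise.
slp_is_enabled() {
    state=$(printf '%s\n' "$1" | awk '$1 == "slpd" { print $2 }')
    [ "$state" = "on" ]
}

# Parse the output of `esxcli network firewall ruleset list`, which looks like
# (constructed sample):
#   Name                        Enabled
#   --------------------------  -------
#   CIMSLP                      true
# $1 = ruleset name, $2 = the command output. Returns 0 when the rule is enabled.
ruleset_is_enabled() {
    state=$(printf '%s\n' "$2" | awk -v name="$1" '$1 == name { print $2 }')
    [ "$state" = "true" ]
}

# Extract the build number from `vmware -vl`, e.g.
# "VMware ESXi 7.0.3 build-20328353" -> 20328353, so it can be compared
# against the fixed builds listed in VMSA-2021-0002.
esxi_build_number() {
    printf '%s\n' "$1" | sed -n 's/.*build-\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Apply the mitigation on a live host: stop slpd, block its firewall ruleset
# (UDP/TCP 427), and keep it from starting again at boot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Re-read the live state with the parsers above; succeeds only if both
# the service and the firewall ruleset are off.
verify_slp_disabled() {
    ! slp_is_enabled "$(chkconfig slpd)" &&
    ! ruleset_is_enabled CIMSLP "$(esxcli network firewall ruleset list)"
}

# Only touch the host when actually running in the ESXi Shell.
if command -v esxcli >/dev/null 2>&1; then
    echo "ESXi build: $(esxi_build_number "$(vmware -vl)")"
    disable_slp
    if verify_slp_disabled; then
        echo "slpd stopped, disabled at boot, and CIMSLP ruleset blocked"
    else
        echo "SLP is still enabled or reachable; check chkconfig and the firewall" >&2
        exit 1
    fi
fi
```

Disabling SLP breaks CIM management clients that discover the host through SLP, so confirm nothing in the environment depends on it first. Note that ESXi 7.0 Update 2c and later ship with SLP disabled by default, so on those builds the script should report the service already off; the firewall check still confirms that nobody re-enabled the CIMSLP ruleset.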
The attacks primarily targeted servers in France, the US, and Germany, with substantial numbers of victims in Canada and the UK as well, according to cyber security company Censys.
To forestall further attacks, CISA and the FBI issued a list of additional steps, including maintaining regular, tested offline backups, restricting known malware vectors such as outdated versions of the SMB network protocol, and requiring a generally high level of internal security; phishing-resistant multi-factor authentication and regular auditing of user accounts were among the techniques particularly recommended.