The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script on GitHub aimed at helping the VMware ESXi ransomware (opens in new tab) attack victims rebuild their endpoints.
Thousands of VMware ESXi servers have recently been targeted across Europe and North America, with initial reports mentioning some 500 victims, and newer assessments putting the number at 2,800.
The unnamed attackers scanned VMware ESXi servers in search of CVE-2021-21974, a known vulnerability that was patched by the company two years ago. Those that were vulnerable ended up infected with ransomware.
Failed encryption campaign
However, the cybercrime campaign seems to have been mostly unsuccessful, as the ransomware did not encrypt flat files which hold data for virtual disks.
Two researchers from YoreGroup Tech Team found a way to use those files to rebuild virtual machines. While many were successful in using their method to recover their servers, the process is allegedly relatively complex, prompting CISA to jump in and help automate the process with a script.
“CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac,” the agency said. “This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.”
While immensely helpful, the script still needs to be carefully considered, CISA says. Administrators should first review it, to eliminate any possible complications. Backing up the files before engaging in any recovery process is also highly welcome.
“While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit.” the agency concluded. “Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.”
Via: BleepingComputer (opens in new tab)