Well, that didn’t take long.
The script that allowed VMware ESXi server owners infected with ransomware (opens in new tab) to restore the files no longer works, because the attackers updated the encryptor and patched the flaw it had. Now, those without endpoint protection most likely won’t be able to restore the files without getting the decryption key from the threat actors.
The news was confirmed by BleepingComputer (opens in new tab), whose researchers analyzed freshly obtained samples of the encryptor.
Abusing an old flaw
Late last week, national cybersecurity agencies of a few European countries, as well as those in the US and Canada, warned of a widespread, semi-automated attack against VMware’s ESXi servers. The attackers found more than 3,000 endpoints (at press time) that were vulnerable to a flaw that VMware patched two years ago, and used that flaw to deploy the ESXiArgs ransomware.
The attacked servers were located mostly in Europe (Italy, France, Finland), but also in the US and Canada. Businesses in France were allegedly worst-hit.
The country’s national government computer security incident response team, CERT-FR, said the attack was semi-automated, targeting servers vulnerable to CVE-2021-21974. The flaw is described as an OpenSLP HeapOverflow vulnerability, allowing threat actors to execute code remotely.
But soon after, researchers discovered that the encryptor was flawed and while in the process of encrypting big files, skipped large portions of them. That gave two researchers from YoreGroup Tech Team plenty of unencrypted files to work with, which helped them devise a way to decrypt the files and restore access to the compromised devices.
The US Cybersecurity and Infrastructure Security Agency (CISA) later chimed in, creating a script to automate the work, and shared it on GitHub.
But good news didn’t last long, as the threat actors now started deploying an updated version of the encryptor, with the flaw eliminated. Still, everyone recommends victims try and use CISA’s script, just in case.