That didn’t take long.
A week after the US Cybersecurity and Infrastructure Security Agency (CISA) and FBI released a recovery script to help victims of the widespread ESXiArgs ransomware attacks recover infected systems, an updated variant of the malware aimed at vulnerable VMware ESXi virtual machines can’t be remediated with the government agencies’ code, according to Malwarebytes.
The variant can’t be decrypted using the script released to GitHub by CISA because, unlike earlier versions, it doesn’t leave large sections of data unencrypted, according to Pieter Arntz, a malware analyst at Malwarebytes.
“This makes recovery next to impossible,” Arntz wrote in a post this week, noting reports from victims of recent ESXiArgs attacks about the ransomware’s new encryptor.
The updated malware succeeds because CISA’s ESXiArgs-Recover tool was created with reference to publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac, that describes the malware’s workings.
In its alert explaining the recovery script, CISA noted that ESXiArgs encrypts particular configuration associated with VMS on vulnerable servers, making the virtual machines unusable.
“As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file,” CISA wrote. “The recovery script documented below automates the process of recreating configuration files.”
The new variant of ESXiArgs encrypts more data than CISA’s recovery tool is designed to recover.
“Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB,” Arntz wrote. “This ensures that all files larger than 128 MB are encrypted for 50 percent. Files under 128MB are fully encrypted which was also the case in the old variant.”
The ransomware note will tell victims if they’re dealing with the new variant. Also, unlike the original note, the new build doesn’t mention a Bitcoin address, he wrote. Instead, the victims are instructed to contact the miscreants on Tox Chat, an encrypted messaging service.
Arntz speculated that it’s “likely that this change was triggered by the fear of tracking payments through the blockchain which might eventually lead to the threat actor.”
CISA last week said that more than 3,800 servers around the world were infected with the original ESXiArgs ransomware, though researchers at Arctic Wolf said the count could be higher.
The fast-emerging ransomware campaign came into the spotlight after cybersecurity agencies in France and Italy said a vulnerability in VMware’s bare metal hypervisor ESXi was being exploited. The flaw – CVE-2021-21974, with a severity score of 9.1 out of 10 – was disclosed and patched in 2021.
“The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied,” CISA wrote in its report. According to Malwarebytes’ Arntz, some victims told the cybersecurity vendor that the SLP network service was disabled, which VMware said was a workaround for the vulnerability.
He added that CVE-2021-21974 was “the prime, but not the only, suspect in this case.”
Malwarebytes researchers noted in their initial report last week about ESXiArgs that other vulnerabilities in the hypervisor – notably CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699 – can enable cybercriminals to take over infected systems through a remote code execution (RCE) attack.
That said, Malwarebytes is urging enterprises to either update ESXi or make the ESXi VMs inaccessible from the internet.
VMware has issued its own recommendations.
Initial reports pointed to ESXiArgs being linked to the Nevada ransomware family that hit the scene in December 2022. However, opinion shifted, with others suggesting the malware is based on the Babuk source code, which was leaked in 2021 and has been tied to other ESXi ransomware attacks. ®