The US Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery script to help companies whose servers were scrambled in the recent ESXiArgs ransomware outbreak.
The malware attack hit thousands of servers over the globe but there’s no need to enrich criminals any more. In addition to the script, CISA and the FBI today published ESXiArgs ransomware virtual machine recovery guidance on how to recover systems as soon as possible.
The software nasty is estimated to be on more than 3,800 servers globally, according to the Feds. However, “the victim count is likely higher due to Internet search engines being a point-in-time scan and devices being taken offline for remediation before a second scan,” Arctic Wolf Labs’ security researchers noted.
Uncle Sam urged all organizations managing VMware ESXi servers to update to the latest version of the software, harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and make sure that ESXi isn’t exposed to the public internet.
VMware has its own guidance here for administrators.
Also: the government agencies really don’t encourage paying the ransom, except when they do.
Bad news, good news
Last Friday, France and Italy’s cybersecurity agencies sounded the alarm on the ransomware campaign that exploits CVE-2021-21974 – a 9.1/10 rated bug disclosed and patched two years ago.
The bad news: the ransomware infects ESXi, VMware’s bare metal hypervisor, which is a potential goldmine for attackers. Once they’ve compromised ESXi, they could move onto guest machines that run critical