To help organizations impacted by the ESXiArgs ransomware campaign that is exploiting a two-year-old vulnerability in VMware ESXi servers, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a recovery guide that includes a script to help organizations recover their files.
According to the agency, threat actors are targeting end-of-life ESXi servers or ESXi servers that have not been updated with patches that address the specific vulnerability being exploited. The vulnerability is tracked as CVE-2021-21974, a critical-rated remote code execution bug that VMware patched in 2021. As of Wednesday, CISA says threat actors have compromised over 3,800 VMware ESXi servers globally.
According to CISA, the ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable. The ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file.
A recovery script released by the agency is designed to automate the process of recreating configuration files. The full list of file extensions created by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.
As with other ransomware campaigns, CISA and the FBI recommend against paying the ransom, which only serves to fund the cybercrime industry. According to CISA, some organizations have reported being able to recover files without paying a ransom.
The agency’s script, available at github.com/cisagov/ESXiArgs-Recover, is based on findings by third-party researchers.
However, organizations looking to leverage CISA’s ESXiArgs recovery script should carefully review it to determine if it is appropriate before deploying it, as the script creates new configuration files that enable access to the VMs rather than deleting the encrypted configuration files.
“While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system,” the agency says.
However, organizations that run into issues with the script can create a GitHub issue, and the agency will try to resolve those concerns.
How to protect against ESXiArgs ransomware and recover
To protect against this ransomware campaign, CISA and FBI encourage all organizations managing VMware ESXi servers to:
- Update servers to the latest version of VMware ESXi software,
- Harden ESXi hypervisors by disabling the Service Location Protocol (SLP) service, and
- Ensure the ESXi hypervisor is not exposed to the public internet.
According to CISA, these are the steps organizations should take to recover:
- Quarantine or take affected hosts offline to ensure that repeat infection does not occur.
- Download CISA’s recovery script and save it as /tmp/recover.sh.
For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh
- Give the script execute permissions: chmod +x /tmp/recover.sh
- Navigate to the folder of a VM you would like to recover and run ls to view the files.
Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.
- View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).
- Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously.
- a. If the VM is a thin format, run /tmp/recover.sh [name] thin.
- b. If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.
- If the script succeeded, re-register the VM.
- If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)
- Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html.
- Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html.
- Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
- In the ESXi web interface, navigate to the Virtual Machines page.
- If the VM you restored already exists, right click on the VM and select Unregister.
- Select Create / Register VM.
- Select Register an existing virtual machine.
- Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).
- Select Next and Finish. You should now be able to use the VM as normal.
- Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.
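As an added illustration of the recovery steps above (example code, not CISA's recover.sh and not part of the agency's guidance), the following POSIX shell helper lists the VM names in a datastore folder from their unencrypted flat files and prints, without running, the recover.sh command an operator should review first. The [name]-flat.vmdk naming convention, the thin-provisioning heuristic, and the availability of du, ls and awk on the host are assumptions.

```shell
#!/bin/sh
# Added example, not CISA's recover.sh: pre-flight check for one VM folder
# before the recovery script is run. Assumes the [name]-flat.vmdk naming
# convention and a POSIX shell with du, ls and awk (busybox provides these).
set -u

# List the VM names in a folder: one per unencrypted [name]-flat.vmdk file,
# since the flat file is what the recovery rebuilds the descriptor from.
vm_names() {
  for f in "$1"/*-flat.vmdk; do
    [ -e "$f" ] || continue
    n=$(basename "$f")
    printf '%s\n' "${n%-flat.vmdk}"
  done
}

# Heuristic (assumption, verify manually): a flat file whose allocated size
# on disk is well below its apparent size is thin-provisioned.
# Prints "thin" for a thin disk and nothing otherwise.
disk_format() {
  f="$1/$2-flat.vmdk"
  apparent=$(ls -ln "$f" | awk '{print $5}')
  allocated=$(( $(du -k "$f" | awk '{print $1}') * 1024 ))
  [ "$apparent" -gt 0 ] && [ $(( allocated * 2 )) -lt "$apparent" ] \
    && echo thin || echo ""
}

# Print (do not execute) the exact recover.sh command for every VM in the
# folder, so the operator can review it before running anything.
plan_recovery() {
  dir="$1"
  vm_names "$dir" | while IFS= read -r name; do
    fmt=$(disk_format "$dir" "$name")
    printf '/tmp/recover.sh %s%s\n' "$name" "${fmt:+ $fmt}"
  done
}

# Usage on a host: plan_recovery /vmfs/volumes/datastore1/example
```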
Additional Incident Response
The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the ESXiArgs ransomware actors have established persistence, the agencies recommend organizations take the following additional incident response actions after applying the script to further protect VMware ESXi servers:
- Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
- Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.
Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections. Impacted organizations should also contact CISA and the FBI, the agency says.