It might be impossible now to recover data from VMware ransomware attacks


Well, that didn’t take long.

The script that let VMware ESXi server owners hit by the ransomware restore their files no longer works: the attackers have updated the encryptor and closed the flaw it relied on. Victims without clean backups will most likely be unable to recover their files without obtaining the decryption key from the threat actors.

The news was confirmed by BleepingComputer, whose researchers analyzed freshly obtained samples of the encryptor.

Taking advantage of an old mistake

Late last week, national cybersecurity authorities of some European countries, as well as those in the US and Canada, warned of a widespread, semi-automated attack on VMware’s ESXi servers. The attackers found over 3,000 endpoints (at the time of writing) vulnerable to a flaw VMware patched two years ago, and used that flaw to deploy the ESXiArgs ransomware.

The attacked servers were located mainly in Europe (Italy, France, Finland), but also in the US and Canada. Companies in France appear to have been hit the hardest.

France's national computer security incident response team, CERT-FR, said the attack was semi-automated and targeted servers vulnerable to CVE-2021-21974, a heap overflow in the OpenSLP service (port 427) that could allow a remote attacker to execute code on an unpatched ESXi host.

Soon after, however, researchers discovered that the encryptor was flawed: when encrypting large files it encrypted only small chunks and skipped large parts of the file. That left the bulk of the virtual disk data untouched on disk, which gave two YoreGroup Tech Team researchers enough unencrypted data to work out a way to rebuild the files and restore access to the compromised virtual machines.

The US Cybersecurity and Infrastructure Security Agency (CISA) later confirmed the method, wrote a script to automate the recovery and shared it on GitHub (the cisagov/ESXiArgs-Recover repository).
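An added example of why partial encryption leaves data recoverable (this is illustrative code written for this page, not code from the article, CISA or the researchers it cites): a toy intermittent encryptor that overwrites one chunk and skips several, and an entropy scan that maps which blocks of a disk image are still intact. The chunk and skip values, the block size, the entropy threshold and the sample image are assumptions constructed here, not the real ESXiArgs parameters.

```python
from __future__ import annotations

import math
import os

# Block size used to map a file. 1 MiB is an assumed, illustrative granularity;
# it is not a parameter taken from the ESXiArgs encryptor.
DEFAULT_BLOCK = 1024 * 1024


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: close to 8.0 for ciphertext, far lower for most disk contents."""
    if not data:
        return 0.0
    n = len(data)
    ent = 0.0
    for value in range(256):
        count = data.count(bytes([value]))
        if count:
            p = count / n
            ent -= p * math.log2(p)
    return ent


def intermittent_encrypt(plain: bytes, enc_size: int, skip: int) -> bytes:
    """Toy model of an intermittent encryptor (constructed for this example).

    Overwrites enc_size bytes, leaves the next skip bytes untouched, and repeats
    until the end of the file. Random bytes stand in for ciphertext here.
    """
    out = bytearray(plain)
    pos = 0
    while pos < len(out):
        end = min(pos + enc_size, len(out))
        out[pos:end] = os.urandom(end - pos)
        pos = end + skip
    return bytes(out)


def map_encrypted_blocks(data: bytes, block: int = DEFAULT_BLOCK, threshold: float = 7.0) -> list:
    """Per block, True if the block looks encrypted (entropy above the assumed threshold)."""
    return [shannon_entropy(data[i:i + block]) > threshold for i in range(0, len(data), block)]


def recoverable_fraction(data: bytes, block: int = DEFAULT_BLOCK, threshold: float = 7.0) -> float:
    """Fraction of blocks that do not look encrypted, i.e. still carry the original data."""
    flags = map_encrypted_blocks(data, block, threshold)
    return (1.0 - sum(flags) / len(flags)) if flags else 0.0


def build_sample_image(blocks: int, block: int) -> bytes:
    """Constructed stand-in for a flat virtual disk: structured, low-entropy content."""
    line = b"constructed VMDK sector %08d\n"
    buf = bytearray()
    i = 0
    while len(buf) < blocks * block:
        buf += line % i
        i += 1
    return bytes(buf[: blocks * block])


if __name__ == "__main__":
    blk = 4096  # small block so the demo runs instantly; DEFAULT_BLOCK is the realistic size
    image = build_sample_image(64, blk)
    # Encrypt one block, skip three: the kind of pattern that leaves most of a large file intact.
    damaged = intermittent_encrypt(image, enc_size=blk, skip=3 * blk)
    flags = map_encrypted_blocks(damaged, blk)
    print("encrypted blocks:", [i for i, f in enumerate(flags) if f])
    print("recoverable fraction: %.2f" % recoverable_fraction(damaged, blk))
```

Two caveats for anyone running a scan like this on a real datastore: guest data that is already compressed or encrypted (archives, media, LUKS volumes) also scores near 8 bits per byte, so an entropy map overstates the damage on such images; and an intact flat disk is only useful once a valid descriptor file is rebuilt around it, which is the part the published recovery approach automates.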

The good news did not last long, though: the threat actors have started deploying an updated version of the encryptor that removes the flaw. CISA and others still recommend that victims try the script, in case their files were encrypted by the original version.
