The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new script designed to help ransomware victims recover VMware virtual machines (VMs) affected by the current global campaign.
According to a ransomware payment tracker, the number of victims identified by Monday’s “entire internet” scanning effort is 3,800. While this likely underestimates the size of the campaign, the tracker said four payments totaling $88,000 had been made.
An initial report from a national-level CERT claimed that the actors behind the campaign were exploiting CVE-2021-21974. CVE-2021-21974 is a legacy bug that allows an attacker to achieve remote code execution on VMware’s ESXi hypervisor by triggering a heap overflow in its OpenSLP service.
However, VMware’s latest update claims that “extremely old products are being targeted by known vulnerabilities,” suggesting that multiple vulnerabilities are being exploited.
“With this in mind, we advise our customers to upgrade to the latest available supported releases of vSphere components to address the currently known vulnerabilities. We recommend disabling the OpenSLP service on ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”
Now CISA has announced a tool to help compromised users recover their VMs.
Based on findings by researchers Enes Sonmez and Ahmet Aykac, the script works by reconstructing VM metadata from the virtual disk files that the ransomware left unencrypted.
“Organizations wishing to use CISA’s ESXiArgs recovery script should carefully review the script before deploying it to determine if it is suitable for their environment. Instead of trying to delete the config file, it will try to create a new config file that allows access to the VM,” CISA explained.
“Although CISA works to ensure that such scripts are safe and effective, this script is delivered without warranty, either implied or expressed. Do not use this script without
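The reconstruction idea described above, as an added illustration that is not CISA’s script or the researchers’ own code: given a VM’s untouched `-flat.vmdk` extent, it derives the extent size from the file’s byte length and writes a fresh descriptor pointing at it. It assumes the encrypted descriptor has already been moved aside, and the adapter type and hardware version it fills in are placeholders to be matched to the original VM.

```python
import os

SECTOR = 512           # bytes per sector in a VMDK extent
HEADS, SPT = 255, 63   # conventional CHS geometry written into ESXi descriptors


def flat_sectors(size_bytes: int) -> int:
    """Sector count of a -flat.vmdk; a size that is not sector-aligned means a damaged file."""
    if size_bytes <= 0 or size_bytes % SECTOR:
        raise ValueError(f"flat file size {size_bytes} is not a whole number of {SECTOR}-byte sectors")
    return size_bytes // SECTOR


def build_descriptor(flat_name: str, size_bytes: int, adapter="lsilogic", hw_version="14") -> str:
    """Text of a new descriptor .vmdk that references an existing flat extent.
    adapter and hw_version are assumed defaults; use the original VM's values when known."""
    sectors = flat_sectors(size_bytes)
    cylinders = sectors // (HEADS * SPT)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        f'ddb.adapterType = "{adapter}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        f'ddb.virtualHWVersion = "{hw_version}"',
    ]
    return "\n".join(lines) + "\n"


def rebuild_descriptor(flat_path: str) -> str:
    """Write <vm>.vmdk beside <vm>-flat.vmdk; refuses to overwrite anything already there."""
    base = os.path.basename(flat_path)
    if not base.endswith("-flat.vmdk"):
        raise ValueError("expected a *-flat.vmdk extent")
    desc_path = os.path.join(os.path.dirname(flat_path), base[: -len("-flat.vmdk")] + ".vmdk")
    if os.path.exists(desc_path):
        raise FileExistsError(f"{desc_path} already exists; leaving it untouched")
    with open(desc_path, "w") as f:
        f.write(build_descriptor(base, os.path.getsize(flat_path)))
    return desc_path


if __name__ == "__main__":
    print(build_descriptor("demo-flat.vmdk", 10 * 1024**3))  # constructed 10 GiB extent
```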