The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script for recovering servers hit by the ESXiArgs ransomware and published it on GitHub.
The ESXiArgs-Recover script should help affected organisations get their virtual machines back without paying the ransom.
Mistake by cybercriminals
The script is possible because the attackers failed to encrypt the so-called “flat” files, which hold the actual data of the virtual disks. Experts from the YoreGroup Tech Team worked out a fairly involved manual method to rebuild the encrypted VMs from these unencrypted flat files.
CISA's ESXiArgs-Recover script automates that method, making recovery easier to perform. It rebuilds the metadata of virtual disks whose flat files were left untouched by the malware: it helps clean up the VM's encrypted files and then attempts to recreate the VM's .vmdk descriptor file so that it points at the unencrypted -flat.vmdk file. Once that is done, administrators can register the VM in VMware ESXi again and regain access to it.
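As an added illustration of the step described above, the following Python script is not CISA's ESXiArgs-Recover script and not the YoreGroup procedure; it shows the core of the rebuild, namely computing the extent size from the surviving -flat.vmdk and writing a fresh plain-text .vmdk descriptor that references it. Before writing anything it checks that the flat file still looks like plaintext disk data (an MBR boot signature or a GPT header), so an extent that was in fact encrypted is refused, and it never overwrites an existing descriptor. The CHS geometry, the hardware version and the set of ddb fields are assumptions for a typical lsilogic disk; the sample extent is constructed in a temporary directory.

```python
"""Rebuild a VMDK descriptor from an unencrypted -flat.vmdk extent.

Added illustration, not CISA's ESXiArgs-Recover script. The descriptor
layout follows the plain-text VMDK format; the geometry and ddb values
below are assumptions for a typical lsilogic disk.
"""
import os
import tempfile
from pathlib import Path

SECTOR = 512
HEADS, SECTORS_PER_TRACK = 255, 63   # assumed CHS geometry used by ESXi descriptors
FLAT_SUFFIX = "-flat.vmdk"


def flat_sector_count(flat_path):
    """Size of the extent in 512-byte sectors; reject sizes that cannot be a disk image."""
    size = os.path.getsize(flat_path)
    if size == 0 or size % SECTOR:
        raise ValueError(f"{flat_path}: {size} bytes is not a whole number of sectors")
    return size // SECTOR


def looks_like_raw_disk(flat_path):
    """Heuristic check that the flat file still holds plaintext disk data:
    an MBR boot signature at offset 510 or a GPT header at LBA 1.
    An encrypted extent would not carry either signature."""
    with open(flat_path, "rb") as f:
        head = f.read(2 * SECTOR)
    if len(head) < 2 * SECTOR:
        return False
    return head[510:512] == b"\x55\xaa" or head[512:520] == b"EFI PART"


def build_descriptor(flat_name, sectors, hw_version=14):
    """Plain-text descriptor with one VMFS extent; hw_version is an assumption."""
    cylinders = sectors // (HEADS * SECTORS_PER_TRACK)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SECTORS_PER_TRACK}"',
        f'ddb.virtualHWVersion = "{hw_version}"',
    ]) + "\n"


def rebuild_vmdk(flat_path, out_path=None):
    """Write <name>.vmdk next to <name>-flat.vmdk; refuse damaged extents and existing files."""
    flat_path = Path(flat_path)
    if not flat_path.name.endswith(FLAT_SUFFIX):
        raise ValueError(f"{flat_path}: expected a *{FLAT_SUFFIX} extent")
    if not looks_like_raw_disk(flat_path):
        raise ValueError(f"{flat_path}: no MBR/GPT signature; extent may be damaged or encrypted")
    sectors = flat_sector_count(flat_path)
    if out_path is None:
        out_path = flat_path.with_name(flat_path.name[:-len(FLAT_SUFFIX)] + ".vmdk")
    out_path = Path(out_path)
    if out_path.exists():
        raise FileExistsError(f"{out_path}: refusing to overwrite an existing descriptor")
    out_path.write_text(build_descriptor(flat_path.name, sectors))
    return out_path


def make_constructed_flat(directory, mib, boot_signature=True):
    """Constructed sample extent: sparse zero-filled file, optionally with an MBR signature."""
    path = Path(directory) / "sample-flat.vmdk"
    with open(path, "wb") as f:
        f.truncate(mib * 1024 * 1024)
        if boot_signature:
            f.seek(510)
            f.write(b"\x55\xaa")
    return path


def demo():
    """Rebuild a descriptor for a constructed 16 MiB extent and show an unsigned one being refused."""
    with tempfile.TemporaryDirectory() as tmp:
        flat = make_constructed_flat(tmp, 16)
        descriptor = rebuild_vmdk(flat)
        text = descriptor.read_text()
        bad_dir = Path(tmp) / "bad"
        bad_dir.mkdir()
        bad = make_constructed_flat(bad_dir, 16, boot_signature=False)
        try:
            rebuild_vmdk(bad)
            rejected = False
        except ValueError:
            rejected = True
        return {"descriptor": descriptor.name, "sectors": flat_sector_count(flat),
                "text": text, "rejected_unsigned": rejected}


if __name__ == "__main__":
    print(demo()["text"])
```

The signature check is only a heuristic: a disk without a partition table would fail it, and a real recovery should additionally confirm the extent's size against the VM's inventory before registering anything. On an ESXi host, `vmkfstools -c` can generate an authoritative descriptor for a new disk of the same size, which avoids hand-assembling the ddb fields assumed here.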
CISA strongly advises administrators to read the script before running it, both to understand what it does and to avoid complications. It is also wise to back up the affected VM files before starting the recovery.