Recovery scripts no longer work against ESXiArgs ransomware

Cybercriminals have recently modified the ESXiArgs ransomware to defeat the scripts that managed to recover affected servers. The new version encrypts 50 percent of every file of 128 MB and larger, making recovery nearly impossible, Bleeping Computer reports.

The recent ransomware attack on VMware ESXi servers is entering a new phase as cybercriminals have begun a second wave of attacks with a recently updated version. With this, the cybercriminals are responding to the recent scripts that still allowed recovery operations to be performed.

Recovery was possible because the first version of the ransomware did not encrypt all of the data belonging to a VM; in particular, larger files were left largely untouched. Scripts could therefore be written that rebuilt a VM from these mostly unencrypted “flat files”, which are the files that actually hold a VM's disk data.

New phase

The now-discovered second wave and latest version of the ESXi ransomware appear to have made short work of this recovery method. Further investigation shows that the code of the ransomware has now been modified and that the malware encrypts more data than the first version.

More specifically, the second version did not change the encryptor itself, but it did change the size_step routine in encrypt.sh, which went from 0 to 1. As a result, the encryptor now alternates between encrypting 1 MB of data and skipping the next 1 MB.

As a result, all larger files of 128 MB and above are now also 50 percent encrypted. The data that remains unencrypted is too little for the known recovery scripts to complete the recovery process, experts said.
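The alternating encrypt/skip layout described above, as an added example that is not from the article, from Bleeping Computer, or from any recovery script: it models which byte ranges of a flat file would be touched for a given skip width, so a responder can see why a 50 percent encrypted file no longer leaves usable contiguous data. The 1 MiB chunk size, the treatment of files below 128 MiB as fully encrypted, and the `skip_mb` parameter generalising the article's size_step of 1 are assumptions.

```python
# Added example, not the ransomware's code or any recovery tool's code.
# Models the alternating "encrypt 1 MB, skip size_step MB" pattern the
# article describes, to estimate how much of a VMDK flat file survives.
# Assumptions: chunks are 1 MiB; files under 128 MiB are treated as fully
# encrypted; skip_mb=1 corresponds to the article's size_step of 1.

MIB = 1024 * 1024
LARGE_FILE_THRESHOLD = 128 * MIB   # assumption: the 128 MB figure read as MiB
CHUNK = 1 * MIB                    # 1 MB encrypted per step, per the article


def encrypted_ranges(file_size: int, skip_mb: int = 1) -> list[tuple[int, int]]:
    """Return the [start, end) byte ranges that would be encrypted.

    Starting at offset 0, CHUNK bytes are encrypted, then skip_mb MiB are
    left intact, repeated to the end of the file. skip_mb=0 encrypts all.
    """
    if file_size < LARGE_FILE_THRESHOLD:
        return [(0, file_size)]          # assumption: small files fully encrypted
    ranges = []
    offset = 0
    while offset < file_size:
        end = min(offset + CHUNK, file_size)
        ranges.append((offset, end))
        offset = end + skip_mb * MIB     # jump over the skipped region
    return ranges


def damage_summary(file_size: int, skip_mb: int = 1) -> dict:
    """Fraction of bytes encrypted and the longest untouched contiguous run.

    A recovery script needs large intact runs (the first version left most of
    a big flat file untouched); with skip_mb=1 the longest run is one chunk.
    """
    ranges = encrypted_ranges(file_size, skip_mb)
    encrypted = sum(end - start for start, end in ranges)
    longest_intact = 0
    prev_end = 0
    for start, end in ranges:
        longest_intact = max(longest_intact, start - prev_end)
        prev_end = end
    longest_intact = max(longest_intact, file_size - prev_end)
    return {
        "encrypted_fraction": encrypted / file_size,
        "longest_intact_bytes": longest_intact,
    }
```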

Furthermore, Bleeping Computer noted that the cybercriminals have modified the ransom note. In it, they no longer ask for payment in bitcoin, which is meant to prevent possible tracking via bitcoin addresses.

Still continue to use scripts and upgrade

Bleeping Computer continues to advise users of VMware ESXi servers to keep using the recovery scripts, such as those provided by the U.S. agency CISA, although the site can no longer guarantee that they actually work now that the second version is circulating. Earlier, VMware had already advised upgrading to newer versions wherever possible.