ESXi Ransomware Update Outfoxes CISA Recovery Script

New ESXiArgs-ransomware attacks include a workaround for CISA's decryptor, researchers find.

Dark Reading Staff, Dark Reading

February 16, 2023

1 Min Read
Abstract image depicting ransomware
Source: Wavebreakmedia Ltd. via Alamy Stock Photo

Just a week after the Cybersecurity and Infrastructure Security Agency (CISA) released its recovery script against ransomware targeting VMWare ESXi virtual machines, a modified version of the malware is already in circulation that renders the decryptor script useless.

So far, around 3,800 servers across the globe have already fallen victim to EXSiArgs ransomware, CISA and the FBI warn.

"Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB," researchers at Malwarebytes said in a new report on the ESXi vulnerability. "This ensures that all files larger than 128MB are encrypted for 50%. Files under 128MB are fully encrypted which was also the case in the old variant."

Targets of ESXi-Args ransomware can tell if they are infected with the new variant if the ransom note directs the victim to contact the threat actor via the TOX encrypted messenger, the report added. The ransom note from the old ESXiArgs variant that can be mitigated by the CISA-issued decryptor includes a Bitcoin address.

About the Author

Dark Reading Staff

Dark Reading

Dark Reading is a leading cybersecurity media site.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights