The ransomware gang behind ESXiArgs has hit back against law-enforcement efforts to shackle its malware with an updated version which encrypts larger batches of data than ever before. ESXiArgs has struck hundreds of private and public-sector organisations in recent weeks, taking advantage of flaws in VMware’s ESXi software.
Last week, US cyber defence agency CISA released a software workaround to thwart the ESXiArgs malware. It was created using open-source information in response to the gang’s attacks on badly secured ESXi servers. Attacks have been detected in Italy, France, Finland and the US, among others, with thousands of users thought to have been hit.
More than 500 European organisations have become fresh targets for the ransomware according to a dashboard maintained by security researchers Mark Ellzey and Emily Austin of Censys. France has seen 217 new incidents, while 137 appeared in Germany, 28 in the Netherlands, 23 in the UK and 19 in Ukraine.
ESXiArgs releases workaround to CISA decryption key
CISA’s decryption key for ESXiArgs was released last week on GitHub after CISA became aware that some organisations were reporting success in recovering files without paying ransoms. It compiled a decryption tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac.
“This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” accompanying documentation states.
In typical cat-and-mouse cybersecurity fashion, the ransomware gang behind the ESXiArgs malware has released updated malware to combat the CISA tool.
According to Pieter Arntz, a researcher at Malwarebytes, the malware’s new iteration is more dangerous than the last, not only because it works despite CISA’s recovery script.
The new version encrypts far more of the infected data than the last, making recovery after an attack much harder. “Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB,” said Arntz. “This ensures that all files larger than 128MB are encrypted for 50%. Files under 128MB are fully encrypted, which was also the case in the previous variant.”
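To make that coverage figure concrete, here is an added Python model of the skip/encrypt pattern as Arntz describes it; it is not the malware’s code nor anything from Malwarebytes or CISA, and it assumes (my assumption, not stated on the page) that the pattern starts at offset 0 with a skipped 1MB chunk and that 128MB is the exact threshold. It lets a responder estimate which byte ranges of a large virtual disk remain intact for recovery.

```python
"""Hypothetical model of ESXiArgs v2 encryption coverage (constructed example).

Assumed rules, taken from the description quoted above:
  * files under 128 MB are encrypted in full;
  * larger files alternate 1 MB skipped (left intact) and 1 MB encrypted,
    starting with a skipped chunk at offset 0 (assumption).
"""
from typing import List, Tuple

MB = 1024 * 1024
FULL_ENCRYPT_LIMIT = 128 * MB   # threshold quoted by Arntz
CHUNK = 1 * MB                  # size of each skipped / encrypted piece


def encrypted_ranges(size_bytes: int) -> List[Tuple[int, int]]:
    """Return the [start, end) byte ranges assumed to be encrypted."""
    if size_bytes <= 0:
        return []
    if size_bytes < FULL_ENCRYPT_LIMIT:
        return [(0, size_bytes)]            # small file: everything is hit
    ranges = []
    offset = 0
    while offset < size_bytes:
        offset += CHUNK                     # skip 1 MB, left intact
        if offset >= size_bytes:
            break
        end = min(offset + CHUNK, size_bytes)
        ranges.append((offset, end))        # encrypt the next 1 MB
        offset = end
    return ranges


def intact_ranges(size_bytes: int) -> List[Tuple[int, int]]:
    """Complement of encrypted_ranges: data a recovery attempt could still read."""
    intact, cursor = [], 0
    for start, end in encrypted_ranges(size_bytes):
        if start > cursor:
            intact.append((cursor, start))
        cursor = end
    if cursor < size_bytes:
        intact.append((cursor, size_bytes))
    return intact


def encrypted_fraction(size_bytes: int) -> float:
    """Share of the file that is encrypted under the model (0.5 for large files)."""
    if size_bytes <= 0:
        return 0.0
    return sum(e - s for s, e in encrypted_ranges(size_bytes)) / size_bytes
```

For a 256MB file the model yields exactly 50% encrypted, with the first 1MB (where a flat disk’s leading structures live) untouched; for sizes that are not a multiple of 2MB the fraction lands slightly under 50%.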
It is possible to tell the variants apart by looking at the ransom note, Arntz said. Notes attached to the new variant ask the victim to contact the criminals via the encrypted messenger service TOX, rather than simply demanding that Bitcoin be sent to a specific address. “It is likely that this change was triggered by the fear of tracking payments through the blockchain, which might eventually lead to the threat actor,” Arntz added.
Researchers think a variety of known vulnerabilities are being used for initial access, among them CVE-2021-21974, CVE-2022-31696, CVE-2022-31697, CVE-2022-31698 and CVE-2022-31699. CISA has listed the patches provided by VMware for these vulnerabilities here.