February 16, 2023

ESXiArgs ransomware gang releases new malware to fight CISA workaround

After law-enforcement agencies took steps to stifle its malware, the gang has fought back with an updated version.

By Claudia Glover

The ransomware gang behind ESXiArgs has hit back against law-enforcement efforts to shackle its malware with an updated version that encrypts a far larger share of each file than the original. ESXiArgs has struck hundreds of private and public-sector organisations in recent weeks, taking advantage of flaws in VMware’s ESXi software.

The ESXiArgs gang has released a workaround to CISA’s recovery tool. (Photo by Tada Images/Shutterstock)

Last week, US cyber defence agency CISA released a software workaround to thwart the ESXiArgs malware. It was created using open-source information in response to the gang’s attacks on badly secured ESXi servers. Attacks have been detected in Italy, France, Finland and the US, among others, with thousands of users thought to have been hit.

More than 500 European organisations have become fresh targets for the ransomware according to a dashboard maintained by security researchers Mark Ellzey and Emily Austin of Censys. France has seen 217 new incidents, while 137 appeared in Germany, 28 in the Netherlands, 23 in the UK and 19 in Ukraine.

ESXiArgs gang releases workaround to CISA decryption tool

CISA’s decryption tool for ESXiArgs was released last week on GitHub after CISA became aware that some organisations were reporting success in recovering files without paying ransoms. It compiled the tool from publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac.

“This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware,” accompanying documentation states.

In typical cat-and-mouse cybersecurity fashion, the ransomware gang behind the ESXiArgs malware has released updated malware to combat the CISA tool.

According to Pieter Arntz, a researcher at Malwarebytes, the malware’s new iteration is more dangerous than the last, and not only because it defeats CISA’s recovery script.


The new version encrypts far more of the infected data than the last, making recovery after an attack much harder. “Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB,” said Arntz. “This ensures that all files larger than 128MB are encrypted for 50%. Files under 128MB are fully encrypted, which was also the case in the previous variant.”
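To see why the new pattern leaves so little for a recovery tool to work with, here is a small model of the skip-1MB/encrypt-1MB routine Arntz describes (an added example, not code from the article, Malwarebytes or CISA). It assumes the alternation starts with a skipped block at offset 0, which the article does not state, and treats files of exactly 128MB as interleaved.

```python
# Added example: models the byte ranges touched by the new ESXiArgs routine
# as Arntz describes it, to show what a recovery tool could still read intact.
MB = 1024 * 1024
FULL_ENCRYPT_LIMIT = 128 * MB   # article: files under 128MB are fully encrypted
CHUNK = 1 * MB                  # article: 1MB skipped, then the next 1MB encrypted


def encrypted_ranges(size: int) -> list[tuple[int, int]]:
    """Byte ranges [start, end) encrypted in a file of `size` bytes.

    Assumption (not in the article): the first 1MB at offset 0 is skipped,
    so the first encrypted block starts at 1MB.
    """
    if size < FULL_ENCRYPT_LIMIT:
        return [(0, size)] if size > 0 else []
    ranges = []
    pos = CHUNK
    while pos < size:
        ranges.append((pos, min(pos + CHUNK, size)))
        pos += 2 * CHUNK
    return ranges


def untouched_ranges(size: int) -> list[tuple[int, int]]:
    """Complement of encrypted_ranges: plaintext a recovery tool can still rely on."""
    gaps, cursor = [], 0
    for start, end in encrypted_ranges(size):
        if start > cursor:
            gaps.append((cursor, start))
        cursor = end
    if cursor < size:
        gaps.append((cursor, size))
    return gaps


def encrypted_fraction(size: int) -> float:
    if size == 0:
        return 0.0
    return sum(end - start for start, end in encrypted_ranges(size)) / size


def largest_untouched_run(size: int) -> int:
    """Longest contiguous plaintext run: bounds any structure that survives intact."""
    return max((end - start for start, end in untouched_ranges(size)), default=0)


if __name__ == "__main__":
    for mb in (64, 128, 129, 1024):
        size = mb * MB
        print(f"{mb:>5} MB: {encrypted_fraction(size):.1%} encrypted, "
              f"largest plaintext run {largest_untouched_run(size) // MB} MB")
```

For any file at or above the threshold, no plaintext run longer than 1MB survives, which is why a tool that depends on reading larger untouched regions no longer works.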

It is possible to tell the variants apart by looking at the ransom note, Arntz said. Notes attached to the new variant ask the victim to contact the criminals via the encrypted messenger service TOX, rather than simply demanding that Bitcoin be sent to a specific address. “It is likely that this change was triggered by the fear of tracking payments through the blockchain, which might eventually lead to the threat actor,” Arntz added.

Researchers think a variety of known vulnerabilities are being used for initial access, including CVE-2021-21974, CVE-2022-31696, CVE-2022-31697, CVE-2022-31698 and CVE-2022-31699. CISA has listed the patches VMware has provided for these vulnerabilities.
