Feb 11

Article: CISA releases recovery script for ESXiArgs ransomware victims.

The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by the recent widespread ESXiArgs ransomware attacks.

Starting on Friday, February 3rd, 2023, Internet-exposed VMware ESXi servers were targeted in a widespread ESXiArgs ransomware attack.

Since then, the attacks have encrypted roughly 2,800 servers, according to a count of bitcoin addresses from ransom notes collected by CISA technical advisor Jack Cable.

While many devices were encrypted, the campaign was largely unsuccessful: the encryptor failed to encrypt the -flat.vmdk files, which are where the actual data of the virtual disks is stored, and only hit the small descriptor and configuration files around them.

This mistake allowed Enes Sonmez and Ahmet Aykac of the YoreGroup Tech Team to devise a method to rebuild virtual machines from the unencrypted flat files.

This method has helped numerous people recover their servers, but the process has proven complicated for some, with many people asking for help in BleepingComputer's ESXiArgs support topic.

Script released to automate recovery

To assist users in recovering their servers, CISA released an ESXiArgs-Recover script on GitHub to automate the recovery process.

“CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac,” explains CISA.

“This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.”

The GitHub project page lists the full steps needed to recover VMs. In summary, the script cleans up a virtual machine's encrypted files and then attempts to rebuild the VM's .vmdk descriptor file from the unencrypted -flat.vmdk file that holds the disk data.

If that succeeds, you can re-register the virtual machine in VMware ESXi and regain access to it.
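To make the "rebuild the .vmdk from the flat file" step concrete, here is an added example that is not CISA's ESXiArgs-Recover script and not the YoreGroup procedure. It writes a fresh VMware descriptor file for an existing, unencrypted `<name>-flat.vmdk`, following the `vmfs` descriptor layout from VMware's Virtual Disk Format specification, and it refuses to overwrite anything so the attacker's encrypted descriptor is preserved for evidence and backups. The 512-byte sector size, the `lsilogic` adapter type and the 255-head/63-sector geometry are assumptions of this example, not facts from the article; on a real host you would normally let `vmkfstools` create the descriptor and use this only to understand what the recovery does.

```shell
#!/bin/sh
# Added example: write a fresh VMware descriptor (.vmdk) for an unencrypted
# <name>-flat.vmdk so the disk can be attached again. This is NOT CISA's
# ESXiArgs-Recover script and not the YoreGroup procedure; it is a minimal,
# portable stand-in that follows the "vmfs" descriptor layout from VMware's
# Virtual Disk Format specification. Assumptions (not from the article):
# 512-byte sectors, lsilogic adapter, 255 heads / 63 sectors per track.

# Number of 512-byte sectors in a flat file; fails if the size is not sector-aligned.
flat_sectors() {
    f="$1"
    bytes=$(wc -c < "$f" | tr -d ' ')
    if [ "$((bytes % 512))" -ne 0 ]; then
        echo "flat_sectors: $f is not a whole number of 512-byte sectors" >&2
        return 1
    fi
    echo "$((bytes / 512))"
}

# Write "<base>.vmdk" next to "<base>-flat.vmdk" and print its path.
# Refuses to overwrite: an existing descriptor may be the encrypted one the
# attacker left behind, which you want kept as evidence and for a backup.
write_descriptor() {
    flat="$1"
    case "$flat" in
        *-flat.vmdk) ;;
        *) echo "write_descriptor: expected a *-flat.vmdk path, got '$flat'" >&2; return 1 ;;
    esac
    base="${flat%-flat.vmdk}"
    desc="$base.vmdk"
    if [ -e "$desc" ]; then
        echo "write_descriptor: $desc already exists; move it aside first" >&2
        return 1
    fi
    sectors=$(flat_sectors "$flat") || return 1
    # BIOS-style geometry ESXi uses for lsilogic disks (assumption of this example).
    cylinders=$((sectors / 255 / 63))
    cat > "$desc" <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $sectors VMFS "$(basename "$flat")"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cylinders"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "14"
EOF
    echo "$desc"
}

# Usage on an ESXi host (path is a hypothetical example; work on a copy of the
# flat file, never on the only copy):
#   write_descriptor /vmfs/volumes/datastore1/vm1/vm1-flat.vmdk
```

After the descriptor exists, `vmkfstools -e` on the new .vmdk checks that the extent chain is consistent before you re-register the VM (for example with `vim-cmd solo/registervm` pointing at the .vmx). The size check matters: a flat file whose length is not a multiple of 512 bytes has been truncated or otherwise damaged, and a descriptor that claims a whole number of sectors for it would give the VM a disk that is silently shorter than the original.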

CISA urges admins to review the script before running it, so they understand what it does and can avoid complications. Although the script should not cause problems, BleepingComputer strongly advises taking backups of the affected VM files before attempting recovery.

“While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” warns CISA.

“Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.”


Freelance cybersecurity consultant. Higher Technician in Multiplatform Application Development and court-appointed computer forensics expert, registered as no. 120 with the Asociación Profesional de Peritos de las Nuevas Tecnologías (PETEC). Working in the IT field since 1988 in a variety of roles: web developer and developer of custom solutions in several languages (Clipper, C++, Visual Basic and Visual Basic .NET). In computer forensics: specialised in identifying, extracting and analysing digital evidence on physical storage devices; authentication and verification of e-mail messages; identity impersonation and verification of messages on social networks; data recovery from physical storage devices; expert reports on the use of software applications during working hours; computer fraud and phishing. Amateur radio operator for more than 30 years and night photographer, enjoying the night by looking at the national heritage through different eyes.