Feb 09, 2023 21:00:00

The authorities released a free ransomware damage recovery tool on GitHub, ending a large-scale attack in which more than 3,800 servers such as court systems were damaged worldwide

On February 8, 2023, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released `` ESXiArgs-Recover '', a tool for restoring virtual machines damaged by ransomware `` ESXiArgs ''. ESXiArgs has been raging worldwide since early February, and it is reported that more than 3,800 servers, including court systems in Florida, have been damaged.

ESXiArgs Ransomware Virtual Machine Recovery Guidance | CISA

https://www.cisa.gov/uscert/ncas/alerts/aa23-039a

CISA releases recovery script for ESXiArgs ransomware victims
https://www.bleepingcomputer.com/news/security/cisa-releases-recovery-script-for-esxiargs-ransomware-victims/

Florida state court system, US, EU universities hit by ransomware outbreak | Reuters
https://www.reuters.com/world/us/ransomware-outbreak-hits-florida-supreme-court-us-european-universities-2023-02-07/

'ESXiArgs-Recover' released by CISA on GitHub is available below. Detailed usage instructions are also included, but CISA states, ``This script is provided without warranty, so do not use it without understanding the impact on your system. We are not responsible for damage,' and call for careful use.

GitHub - cisagov/ESXiArgs-Recover: A tool to recover from ESXiArgs ransomware
https://github.com/cisagov/ESXiArgs-Recover

The threat of 'ESXiArgs' first came to light when CERT-FR, the French cybersecurity authority,

announced on February 3 that ransomware targeting virtual server construction software ' VMware ESXi ' was confirmed. It was when I did.

Reportedly, ESXiArgs exploits a known vulnerability found in a network protocol called OpenSLP and targets unpatched VMware ESXi servers. Once infected with this ransomware, your files will be encrypted and a ransom demand will be displayed.

According to a list of bitcoin addresses collected by CISA technical advisor Jack Cable, 2,800 servers are believed to have been encrypted so far.

In addition, CISA claims that there are 3,800 servers in the world that have been compromised by ESXiArgs, including many public institutions and higher education centers mainly in Europe and the United States, such as the court system in Florida, USA and the Georgia Institute of Technology. Includes institutions. In addition, the JPCERT Coordination Center, a general incorporated association in Japan, has also announced that ``We have confirmed a host running this product that can be connected from the Internet in Japan, and there is a possibility that it will be damaged by such attacks in the future.'' .

However, IT news site BleepingComputer points out that ``ESXiArgs has a mistake that can not encrypt the flat file where the virtual disk data is stored'', and the ransom collected so far is 88,000. There is also information that it is a dollar (about 11.5 million yen), which is quite small for a large-scale ransomware attack.

Based on the flaws that existed in ESXiArgs, Enes Sonmez and Ahmet Aykac of the Yore Group Tech Team, the technology department of the Turkish company Yöre Group, which deals with food and sports goods, discovered that ESXiArgs could not encrypt flat files. We announced that we have successfully discovered a method to reconstruct a virtual machine.

However, many commented that the YoreGroup Tech Team procedures were too complex and difficult to apply. Therefore, CISA created and published a script that automates part of the recovery method, which is ``ESXiArgs-Recover'' at the beginning.

In order to prevent future ransomware attacks and reduce the impact of any damage, CISA calls for regular backups, development of incident response plans, and introduction of anti-malware software.