The US Cybersecurity and Infrastructure Security Agency (CISA) has released a new script designed to help ransomware victims recover VMware virtual machines (VMs) affected by a recent global campaign.
Ransomware payment tracker Ransomwhere estimated the number of victims at 3800, based on an "internet-wide" scanning effort on Monday. It said four payments had been made, totalling $88,000, although this is likely to underestimate the scale of the campaign.
Initial reports from national CERTs claimed the threat actors behind the campaign are exploiting CVE-2021-21974, a legacy bug (patched by VMware in February 2021) that allows attackers to achieve remote code execution on VMware's ESXi hypervisors by triggering a heap overflow in the OpenSLP service.

However, an update from VMware said "significantly out-of-date products are being targeted with known vulnerabilities," which would suggest more than a single vulnerability is being exploited.
"With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities," it said. "In addition, VMware has recommended disabling the OpenSLP service in ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default."
Now CISA has released a tool to help compromised customers recover their VMs.
Based on findings by researchers Enes Sonmez and Ahmet Aykac, the script works by reconstructing VM metadata from the virtual disks, which were not encrypted by the ransomware. Rather than attempting to decrypt anything, it rebuilds the configuration files that ESXi needs in order to register and boot the VMs from the intact disk data.
"Any organization seeking to use CISA's ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs," CISA said.
"While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system."
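To make the recovery idea above concrete, here is an added example that is not CISA's script and not VMware code. It assumes the layout the article implies: the small text descriptor of each virtual disk (`<name>.vmdk`) was encrypted or destroyed, while the large data extent (`<name>-flat.vmdk`) was left intact. Because a VMFS descriptor contains nothing that cannot be derived from the extent's size (sector count and a nominal disk geometry), a replacement descriptor can be regenerated and written alongside the extent. The directory layout, file names and the `demo()` helper are constructed for illustration; the descriptor fields follow the documented VMDK text format.

```python
"""Regenerate VMDK descriptors for flat extents whose descriptor was lost.

Added example (not CISA's ESXiArgs recovery script). Assumptions: the
-flat.vmdk extent is intact and its size is a multiple of 512 bytes; the
original descriptor is either missing or no longer readable as text.
"""
import os
import random
import re
import tempfile

SECTOR = 512
# Conventional VMDK geometry for large disks: 255 heads, 63 sectors per track.
HEADS, SPT = 255, 63


def build_descriptor(flat_name: str, flat_size: int, adapter: str = "lsilogic") -> str:
    """Return the text of a 'vmfs' createType descriptor for an existing extent.

    The only extent-specific value is the sector count; CID is a fresh random
    32-bit id, and parentCID=ffffffff marks a base disk with no parent.
    """
    if flat_size <= 0 or flat_size % SECTOR:
        raise ValueError("extent size must be a positive multiple of 512 bytes")
    sectors = flat_size // SECTOR
    cylinders = max(1, sectors // (HEADS * SPT))
    cid = "%08x" % random.getrandbits(32)
    lines = [
        "# Disk DescriptorFile",
        "version=1",
        'encoding="UTF-8"',
        f"CID={cid}",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        "",
        f'ddb.adapterType = "{adapter}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        'ddb.virtualHWVersion = "14"',
    ]
    return "\n".join(lines) + "\n"


def descriptor_ok(path: str) -> bool:
    """A usable descriptor is a text file that starts with the VMDK magic
    comment. A missing file, or one overwritten with ciphertext, fails this."""
    try:
        with open(path, "rb") as f:
            head = f.read(64)
    except OSError:
        return False
    return head.startswith(b"# Disk DescriptorFile")


def recover_descriptors(vm_dir: str) -> list:
    """Write a fresh descriptor next to every *-flat.vmdk in vm_dir whose own
    descriptor is missing or unreadable. Healthy descriptors are left alone.
    Returns the paths that were written."""
    written = []
    for entry in sorted(os.listdir(vm_dir)):
        m = re.fullmatch(r"(.+)-flat\.vmdk", entry)
        if not m:
            continue
        flat_path = os.path.join(vm_dir, entry)
        desc_path = os.path.join(vm_dir, m.group(1) + ".vmdk")
        if descriptor_ok(desc_path):
            continue
        text = build_descriptor(entry, os.path.getsize(flat_path))
        with open(desc_path, "w", encoding="ascii") as f:
            f.write(text)
        written.append(desc_path)
    return written


def demo() -> dict:
    """Constructed scenario: two VMs, one with a healthy descriptor and one
    whose descriptor was overwritten with random bytes (standing in for
    ciphertext). Extents are sparse files so the demo stays small on disk."""
    with tempfile.TemporaryDirectory() as vm_dir:
        for name in ("db01", "web01"):
            with open(os.path.join(vm_dir, f"{name}-flat.vmdk"), "wb") as f:
                f.truncate(64 * 1024 * 1024)  # 64 MiB logical extent
        with open(os.path.join(vm_dir, "db01.vmdk"), "w") as f:
            f.write(build_descriptor("db01-flat.vmdk", 64 * 1024 * 1024))
        with open(os.path.join(vm_dir, "web01.vmdk"), "wb") as f:
            f.write(os.urandom(256))  # constructed "encrypted" descriptor
        written = recover_descriptors(vm_dir)
        return {
            "written": [os.path.basename(p) for p in written],
            "recovered_ok": descriptor_ok(os.path.join(vm_dir, "web01.vmdk")),
        }


if __name__ == "__main__":
    print(demo())
```

The check in `descriptor_ok` is deliberately conservative: it only rewrites descriptors that no longer parse as VMDK text, so running the routine against a datastore that was partly recovered by other means will not clobber good files. As CISA's own guidance stresses, review the generated descriptor against the VM's original adapter type and hardware version before registering the VM.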
Editorial image credit: Pavel Kapysh / Shutterstock.com
Some parts of this article are sourced from:
www.infosecurity-magazine.com