FBI, CISA Issue Advisory Regarding ESXiArgs Ransomware

The Cybersecurity and Infrastructure Security Agency and the FBI have issued joint guidance regarding the recovery of virtual machines infected with ESXiArgs ransomware. According to CISA, attackers are using vulnerabilities in outdated or out-of-service versions of VMware’s ESXi software to inject ransomware that encrypts configuration files on ESXi servers.

CISA has developed a recovery script and posted it on GitHub. Affected entities are encouraged to use the code to recover files as well as adopt preventive measures outlined in the advisory, CISA said Wednesday.

The exploit has affected thousands of servers across the globe. It was initially flagged by administrators, hosting providers and the French Computer Emergency Response Team.

Affected entities include the Supreme Court of Florida and academic institutions in the U.S. and Europe. A spokesperson for the Florida court told Reuters that the affected system was isolated from the main network.

VMware clarified in a Feb. 6 post that the vulnerability is not a zero-day exploit.

It was recently reported that newer versions of the ESXiArgs ransomware are able to circumvent recovery efforts. According to a Bleeping Computer report, a second wave of attacks that began Wednesday is encrypting files on a larger scale, rendering CISA’s script ineffective.