
Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1] 

ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts the configuration files associated with the VMs; it does not encrypt the flat files that hold the virtual disk data. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files from the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: .vmdk, .vmx, .vmxf, .vmsd, .vmsn, .vswp, .vmss, .nvram, and .vmem.

Recovery Guidance

CISA and FBI do not encourage paying the ransom, as payment does not guarantee that victim files will be recovered. Furthermore, payment may embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.

CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2] 

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will do its best to resolve concerns.

  1. Quarantine or take affected hosts offline to ensure that repeat infection does not occur.
  2. Download CISA’s recovery script and save it as /tmp/recover.sh.
    For example, with wget: wget -O /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh
  3. Give the script execute permissions: chmod +x /tmp/recover.sh
  4. Navigate to the folder of a VM you would like to recover and run ls to view the files.
    • Note: You may browse these folders by running ls /vmfs/volumes/datastore1. For instance, if the folder is called example, run cd /vmfs/volumes/datastore1/example.
  5. View files by running ls. Note the name of the VM (via naming convention: [name].vmdk).
  6. Run the recovery script with /tmp/recover.sh [name], where [name] is the name of the VM determined previously. 
    • If the VM is a thin format, run /tmp/recover.sh [name] thin.
    • If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.
  7. If the script succeeded, re-register the VM.
    1. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)
      • Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
      • Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && mv index1.html index.html
      • Reboot the ESXi server (e.g., with the reboot command). After a few minutes, you should be able to navigate to the web interface.
    2. In the ESXi web interface, navigate to the Virtual Machines page.
    3. If the VM you restored already exists, right click on the VM and select Unregister (see figure 1).

Figure 1: Unregistering the virtual machine.

    4. Select Create / Register VM (see figure 2).
    5. Select Register an existing virtual machine (see figure 2).

Figure 2: Registering the virtual machine, selecting machine to register.

    6. Click Select one or more virtual machines, a datastore or a directory to navigate to the folder of the VM you restored. Select the vmx file in the folder (see figure 3).

Figure 3: Registering the virtual machine, finalizing registration.

    7. Select Next and Finish. You should now be able to use the VM as normal.

  8. Update servers to the latest software version, disable the Service Location Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to be exposed to the public internet before putting systems back online.
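The procedure above, as an added example that is not CISA’s recover.sh and not code from the advisory: a POSIX sh wrapper for the ESXi shell that triages a whole datastore (steps 4 to 6), decides per VM directory whether recover.sh is needed and whether to pass the thin argument, and, in apply mode, runs recover.sh from inside each affected directory and reverses the ransom-note swap from step 7. Assumptions made here: one <name>-flat.vmdk per VM directory, an intact descriptor starts with "# Disk DescriptorFile" and an intact .vmx contains a config.version line, thin versus thick is inferred heuristically from allocated blocks versus apparent size (du versus ls), recover.sh lives at /tmp/recover.sh and the docroot paths are those in step 7, and the demo datastore is constructed sample data.

```shell
#!/bin/sh
# esxiargs_triage.sh: added example that wraps CISA's recover.sh (it is not that script).
# Dry-run by default: for every VM directory on a datastore, reports whether the .vmdk
# descriptor and .vmx are still intact and whether recover.sh needs the "thin" argument;
# with "apply" it runs recover.sh where needed and reverses the ransom-note swap in the
# hostd docroot. Assumptions: one <name>-flat.vmdk per directory (multi-disk VMs need a
# manual look); thin vs. thick is inferred from allocated blocks vs. apparent size.
RECOVER=${RECOVER:-/tmp/recover.sh}

# vm_base_name DIR: print <name> taken from <name>-flat.vmdk, or fail if there is none.
vm_base_name() {
    for f in "$1"/*-flat.vmdk; do
        [ -e "$f" ] || return 1
        f=${f##*/}; printf '%s\n' "${f%-flat.vmdk}"; return 0
    done
}
# descriptor_ok FILE: an intact vmdk descriptor starts with "# Disk DescriptorFile".
descriptor_ok() { [ -f "$1" ] && head -n 1 "$1" 2>/dev/null | grep -q '^# Disk DescriptorFile'; }
# vmx_ok FILE: an intact .vmx carries a config.version line; ciphertext does not.
vmx_ok() { [ -f "$1" ] && grep -q '^config\.version' "$1" 2>/dev/null; }

# disk_mode FLAT: "thin" when allocated blocks are under half the apparent size
# (heuristic: a thick flat on VMFS is fully allocated), otherwise "thick".
disk_mode() {
    local size alloc_kb
    size=$(ls -ln "$1" | awk '{print $5}')
    alloc_kb=$(du -k "$1" | awk '{print $1}')
    if [ "$((alloc_kb * 1024))" -lt "$((size / 2))" ]; then echo thin; else echo thick; fi
}

# plan_vm DIR: "<name> ok", "<name> recover thin|thick", or "<dir> skip no-flat-file".
plan_vm() {
    local dir name; dir=$1
    name=$(vm_base_name "$dir") || { printf '%s skip no-flat-file\n' "$dir"; return 0; }
    if descriptor_ok "$dir/$name.vmdk" && vmx_ok "$dir/$name.vmx"; then
        printf '%s ok\n' "$name"
    else
        printf '%s recover %s\n' "$name" "$(disk_mode "$dir/$name-flat.vmdk")"
    fi
}

# triage_datastore DATASTORE [apply]: plan every VM directory; with "apply", run
# recover.sh from inside each directory that needs it (steps 4 to 6 of the guidance).
triage_datastore() {
    local ds mode dir line; ds=$1; mode=${2:-dry-run}
    for dir in "$ds"/*/; do
        dir=${dir%/}; [ -d "$dir" ] || continue
        line=$(plan_vm "$dir"); printf '%s\n' "$line"
        set -- $line
        [ "$mode" = apply ] && [ "$2" = recover ] || continue
        [ -x "$RECOVER" ] || { echo "missing $RECOVER" >&2; return 1; }
        if [ "$3" = thin ]; then (cd "$dir" && "$RECOVER" "$1" thin)
        else (cd "$dir" && "$RECOVER" "$1"); fi
    done
}

# restore_docroot DOCROOT: the ransomware replaced the UI page with its note and kept the
# original as index1.html; keep the note as ransom.html for the incident record.
restore_docroot() {
    [ -f "$1/index1.html" ] || return 1
    mv "$1/index.html" "$1/ransom.html" && mv "$1/index1.html" "$1/index.html"
}

# demo_datastore: constructed sample input (not real data) so the script can be exercised
# off an ESXi host: an intact thick VM, a thin VM with encrypted configs, a non-VM folder.
demo_datastore() {
    local ds; ds=$(mktemp -d); mkdir "$ds/web01" "$ds/db02" "$ds/iso"
    dd if=/dev/zero of="$ds/web01/web01-flat.vmdk" bs=1024 count=64 2>/dev/null
    printf '# Disk DescriptorFile\nversion=1\n' > "$ds/web01/web01.vmdk"
    printf '.encoding = "UTF-8"\nconfig.version = "8"\n' > "$ds/web01/web01.vmx"
    dd if=/dev/zero of="$ds/db02/db02-flat.vmdk" bs=1 count=0 seek=10485760 2>/dev/null
    printf '\001\002\003 opaque ciphertext' > "$ds/db02/db02.vmdk"
    printf '\001\002\003 opaque ciphertext' > "$ds/db02/db02.vmx"
    printf '%s\n' "$ds"
}

main() {
    local ds mode; ds=${1:-}; mode=${2:-dry-run}
    if [ -z "$ds" ]; then
        echo "no datastore given; dry-run against a constructed demo datastore"; ds=$(demo_datastore)
    fi
    [ -d "$ds" ] || { echo "datastore $ds not found" >&2; return 1; }
    triage_datastore "$ds" "$mode"
    [ "$mode" = apply ] || return 0
    for d in /usr/lib/vmware/hostd/docroot/ui /usr/lib/vmware/hostd/docroot; do
        restore_docroot "$d" || echo "no index1.html in $d; leaving it alone"
    done
    echo "reboot the host to bring the web interface back, then re-register the VMs"
}
main "$@"
```

Run it with no arguments to exercise it against the constructed demo datastore; on a host, /tmp/esxiargs_triage.sh /vmfs/volumes/datastore1 prints the plan, and adding apply as the second argument runs recover.sh for every directory reported as recover. Read the dry-run output first: a directory without a flat file is only reported, a VM with several virtual disks is judged on the first flat file found, and the docroot restore is attempted only where index1.html is present, so nothing is deleted if the swap does not look like the one described in step 7.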

Additional Incident Response

The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:

  1. Review network logging to and from ESXi hosts and the guest VMs for unusual scanning activity.
  2. Review traffic from network segments occupied by the ESXi hosts and guests. Consider restricting non-essential traffic to and from these segments.

If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
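The log review recommended above, as an added example that is not from the advisory or from CISA: a small sh/awk hunt over firewall or flow logs for the ESXi segment that measures, per source, how many distinct hosts it probed on the SLP port (427, the service that step 8 says to disable) and lists allowed SLP connections from non-RFC 1918 addresses. The log format (timestamp, source, destination, destination port, protocol, action) and the sample lines are constructed for this example; adjust the awk field numbers to your own export.

```shell
#!/bin/sh
# slp_hunt.sh: added example for reviewing network logs around ESXi hosts (not from the
# advisory or CISA). Looks for SLP (427) scanning against the hypervisor segment.
# Assumed log format (constructed): "<ts> <src_ip> <dst_ip> <dst_port> <proto> <action>";
# adjust the awk field numbers to match your own firewall or flow export.

# Constructed sample. 203.0.113.7 sweeps three ESXi addresses on 427 (one denied);
# 198.51.100.20 gets a single allowed SLP connection from the internet; 10.0.9.4 is a
# backup server on the management ports; the last line is host-to-host SLP inside the segment.
SAMPLE_LOG='2023-02-03T01:12:04Z 203.0.113.7 10.0.5.11 427 tcp allow
2023-02-03T01:12:05Z 203.0.113.7 10.0.5.12 427 tcp allow
2023-02-03T01:12:05Z 203.0.113.7 10.0.5.13 427 tcp deny
2023-02-03T01:12:09Z 198.51.100.20 10.0.5.11 427 tcp allow
2023-02-03T01:15:00Z 10.0.9.4 10.0.5.11 443 tcp allow
2023-02-03T01:15:01Z 10.0.9.4 10.0.5.12 902 tcp allow
2023-02-03T01:20:33Z 10.0.5.11 10.0.5.12 427 udp allow'

# slp_fanout LOG: per source, the number of distinct destinations it reached on 427
# (allowed or denied; a denied probe is still a probe). Output "src count", sorted.
slp_fanout() {
    awk '$4 == 427 { k = $2 " " $3; if (!(k in seen)) { seen[k] = 1; n[$2]++ } }
         END { for (s in n) print s, n[s] }' "$1" | LC_ALL=C sort
}

# flag_scanners LOG THRESHOLD: sources whose 427 fan-out is at or above THRESHOLD.
flag_scanners() {
    slp_fanout "$1" | awk -v t="$2" '$2 >= t { print $1 }'
}

# external_slp_hits LOG: allowed 427 connections from outside RFC 1918 space. Once SLP is
# disabled and the host is off the internet this list must stay empty; anything here from
# before that is a candidate initial-access event worth pulling host logs for.
external_slp_hits() {
    awk '$4 == 427 && $6 == "allow" &&
         $2 !~ /^(10\.|192\.168\.|172\.(1[6-9]|2[0-9]|3[01])\.)/ { print $2 " -> " $3 }' "$1"
}

# report LOG THRESHOLD: the three views above, in the order an analyst would read them.
report() {
    echo "SLP fan-out per source (distinct destinations on 427):"; slp_fanout "$1"
    echo; echo "Sources at or above $2 distinct destinations (likely scanning):"; flag_scanners "$1" "$2"
    echo; echo "Allowed SLP connections from non-RFC1918 sources:"; external_slp_hits "$1"
}

if [ $# -gt 0 ]; then
    report "$1" "${2:-2}"
else
    tmp=$(mktemp); printf '%s\n' "$SAMPLE_LOG" > "$tmp"; report "$tmp" 2; rm -f "$tmp"
fi
```

Run with no arguments to see the report over the constructed sample; pass a log file and an optional threshold to run it over your own export. The fan-out count is the scanning signal the advisory asks you to look for: a legitimate client talks SLP to one or two hosts, a sweep touches many, and denied attempts count because they show intent even where the firewall held. The non-RFC 1918 filter is a coarse stand-in for "outside the hypervisor segment"; replace it with your own address ranges if management networks are not private space.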

Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.

See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.  

Additional resources for recovering .vmdk files can be found on a third-party researcher’s website.[2]
