The US Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) have published a joint security alert providing guidance on ESXiArgs ransomware virtual machine recovery. CISA has released a recovery script; the security alert offers guidance on using that script.
- Great move by CISA to provide the recovery script. The sad part is that this doesn’t come from VMware. It also appears to be easier to create a script to recover from ransomware vs. a script to patch systems.
- First off, make sure that your ESXi management interface is not exposed to the Internet. Second, make sure that you’re on the latest version of ESXi, and third, make sure that you’ve disabled the Service Location Protocol (SLP), which is a target for this attack. If you’ve been attacked, work on the recovery before upgrading. Some organizations have been able to recover their VMs with the recovery script and not pay the ransom. It’s worth a shot, particularly if you image the datastore first. CISA and the FBI would like you to report any discovered attacks to help their response efforts. Read the guidance for artifacts you should preserve.
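The SLP hardening step in the comment above, as an added defender-side audit script; it is not CISA's recovery script or VMware's code, and it assumes the ESXi shell commands documented in VMware KB 76372 (the slpd init script, the esxcli CIMSLP firewall ruleset, and chkconfig). The check function takes command output as arguments so it can be exercised offline with constructed text.

```sh
#!/bin/sh
# Added example: audit whether SLP is still reachable on an ESXi host and,
# with --fix, disable it the way VMware KB 76372 describes (assumed commands).

# slp_needs_hardening RULESET_OUTPUT CHKCONFIG_OUTPUT
# Returns 0 (true) when the CIMSLP firewall ruleset is enabled or slpd is set
# to start at boot; either condition leaves SLP (port 427) available to attackers.
slp_needs_hardening() {
    ruleset_out=$1
    chkconfig_out=$2
    # "CIMSLP   true" in `esxcli network firewall ruleset list -r CIMSLP`
    if printf '%s\n' "$ruleset_out" | grep -Eq '^CIMSLP[[:space:]]+true'; then
        return 0
    fi
    # "slpd   on" in `chkconfig --list` means the daemon returns after a reboot
    if printf '%s\n' "$chkconfig_out" | grep -Eq '^slpd[[:space:]]+on'; then
        return 0
    fi
    return 1
}

# Live audit: gathers the two outputs from the host and applies the check above.
audit_slp_live() {
    ruleset_out=$(esxcli network firewall ruleset list -r CIMSLP 2>/dev/null)
    chkconfig_out=$(chkconfig --list 2>/dev/null | grep '^slpd')
    slp_needs_hardening "$ruleset_out" "$chkconfig_out"
}

# Remediation per KB 76372: stop the daemon, close the firewall rule, and keep
# it from starting again at boot.
disable_slp() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Only run the live part on an ESXi shell; elsewhere the functions are just defined.
if command -v esxcli >/dev/null 2>&1; then
    if audit_slp_live; then
        echo "SLP is enabled or set to start at boot; run with --fix to disable it"
        if [ "$1" = "--fix" ]; then disable_slp; fi
    else
        echo "SLP already disabled"
    fi
fi
```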
- As CISA and the FBI point out: make sure you have skilled staff that can use this tool safely. If you do, once they are done put them to work making sure you don’t have other 2-year-old missing patches or obsolete versions of software running exposed on critical business networks.
Read more in