The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.” Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers that are likely running unpatched and out-of-service or out-of-date versions of VMware ESXi software to gain access and deploy ransomware. The ESXiArgs ransomware encrypts configuration files on ESXi servers, potentially rendering virtual machines (VMs) unusable.
CISA has released an ESXiArgs recovery script at github.com/cisagov/ESXiArgs-Recover. Organizations that have fallen victim to ESXiArgs ransomware can use this script to attempt to recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI encourage all organizations managing VMware ESXi servers to:
If malicious actors have compromised your organization with ESXiArgs ransomware, CISA and FBI recommend following the script and guidance provided in this CSA to attempt to recover access to your files.
Download the PDF version of this report:
ESXiArgs Ransomware Virtual Machine Recovery Guidance (PDF, 711.08 KB )
Note: CISA and FBI will update this CSA as more information becomes available.
Open-source reporting indicates that malicious actors are exploiting known vulnerabilities in VMware ESXi software to gain access to servers and deploy ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or ESXi servers that do not have the available ESXi software patches applied.[1]
ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk
, vmx
, vmxf
, vmsd
, vmsn
, vswp
, vmss
, nvram
, vmem
.
CISA and FBI do not encourage paying the ransom as payment does not guarantee victim files will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities. Regardless of whether you or your organization have decided to pay the ransom, CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
CISA is providing these steps to enable organizations to attempt recovery of their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these steps, is available at github.com/cisagov/ESXiArgs-Recover. CISA is aware that some organizations have reported success in recovering files without paying ransoms. CISA’s script is based on findings published by third-party researchers.[2]
Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted configuration files, but instead seeks to create new configuration files that enable access to the VMs. While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script. Note: Organizations that run into problems with the script can create a GitHub issue at <https://github.com/cisagov/ESXiArgs-Recover/issues>; CISA will do our best to resolve concerns.
/tmp/recover.sh
.For example, with wget
: wget -O /tmp/recover.sh
https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh.
3. Give the script execute permissions: chmod +x /tmp/recover.sh
4. Navigate to the folder of a VM you would like to recover and run ls
to view the files.
* Note: You may browse these folders by running ls /vmfs/volumes/datastore1
. For instance, if the folder is called example
, run cd /vmfs/volumes/datastore1/example
.
5. View files by running ls
. Note the name of the VM (via naming convention: [name].vmdk
).
6. Run the recovery script with /tmp/recover.sh [name]
, where [name]
is the name of the VM determined previously.
* If the VM is a thin format, run /tmp/recover.sh [name] thin
.
* If successful, the recovery script will output that it has successfully run. If unsuccessful, it may not be possible for the recovery script to recover your VMs; consider engaging external incident response help.
7. If the script succeeded, re-register the VM.
1. If the ESXi web interface is inaccessible, remove the ransom note and restore access via the following steps. (Note: Taking the steps below moves the ransom note to the file ransom.html. Consider archiving this file for future incident review.)
* Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html && mv index1.html index.html
.
* Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html && rm index.html && mv index1.html index.html
.
* Reboot the ESXi server (e.g., with the reboot
command). After a few minutes, you should be able to navigate to the web interface.
* In the ESXi web interface, navigate to the Virtual Machines page.
* If the VM you restored already exists, right click on the VM and select Unregister
(see figure 1).
Figure 1: Unregistering the virtual machine.
Create / Register VM
(see figure 2).Register an existing virtual machine
(see figure 2).Figure 2: Registering the virtual machine, selecting machine to register.
Click Select one or more virtual machines, a datastore or a directory
to navigate to the folder of the VM you restored. Select the vmx
file in the folder (see figure 3).
Figure 3: Registering the virtual machine, finalizing registration.
Select Next
and Finish
. You should now be able to use the VM as normal.
Figure 3: Registering the virtual machine, finalizing registration.
Select Next and Finish. You should now be able to use the VM as normal.
The above script only serves as a method to recover essential services. Although CISA and FBI have not seen any evidence that the actors have established persistence, we recommend organizations take the following additional incident response actions after applying the script:
If you detect activity from the above, implement your incident response plan. CISA and FBI urge you to promptly report ransomware incidents to a local FBI Field Office, or to CISA at cisa.gov/report.
Organizations should also collect and review artifacts, such as running processes/services, unusual authentications, and recent network connections.
See the joint CSA from the cybersecurity authorities of Australia, Canada, New Zealand, the United Kingdom, and the United States on Technical Approaches to Uncovering and Remediating Malicious Activity for additional guidance on hunting or investigating a network, and for common mistakes in incident handling. CISA also encourages government network administrators to see CISA’s Federal Government Cybersecurity Incident and Vulnerability Response Playbooks. Although tailored to federal civilian branch agencies, these playbooks provide operational procedures for planning and conducting cybersecurity incident and vulnerability response activities and detail steps for both incident and vulnerability response.
Additional resources for recovering .vmdk
files can be found on a third-party researcher’s website.[2]
Note: These mitigations align with the cross-sector Cybersecurity Performance Goals (CPGs) developed by CISA and the National Institute of Standards and Technology (NIST). The CPGs provide a minimum set of practices and protections that CISA and NIST recommend all organizations implement. CISA and NIST based the CPGs on existing cybersecurity frameworks and guidance to protect against the most common and impactful threats, tactics, techniques, and procedures. For more information on the CPGs, including additional recommended baseline protections, see cisa.gov/cpg.
CISA and FBI recommend all organizations:
In addition, CISA and FBI recommend organizations apply the following recommendations to prepare for, mitigate/prevent, and respond to ransomware incidents.
If a ransomware incident occurs at your organization:
Note: CISA and FBI strongly discourage paying ransoms as doing so does not guarantee files and records will be recovered. Furthermore, payment may also embolden adversaries to target additional organizations, encourage other criminal actors to engage in the distribution of ransomware, and/or fund illicit activities.
See Stopransomware.gov, a whole-of-government approach, for ransomware resources and alerts.
CISA and FBI would like to thank VMware for their contributions to this CSA.
VMware Security Response Center (vSRC) Response to ‘ESXiArgs’ Ransomware Attack…
Enes Sonmez and Ahmet Aykac, YoreGroup Tech Team: decrypt your crypted files in…
February, 2023: Initial Version
www.secretservice.gov/contact/field-offices/
blogs.vmware.com/security/2023/02/83330.html
blogs.vmware.com/security/2023/02/83330.html
csrc.nist.gov/publications/detail/sp/800-63b/final
edit-testint.cisa.gov/report
enes.dev/
enes.dev/
enes.dev/
github.com/cisagov/ESXiArgs-Recover
github.com/cisagov/ESXiArgs-Recover
github.com/cisagov/ESXiArgs-Recover/issues
kb.vmware.com/s/article/76372
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=ESXiArgs%20Ransomware%20Virtual%20Machine%20Recovery%20Guidance+https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
us-cert.cisa.gov/ncas/alerts/aa20-245a
us-cert.cisa.gov/ncas/alerts/aa20-245a
www.cisa.gov/ais
www.cisa.gov/cpg
www.cisa.gov/report
www.cisa.gov/report
www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
www.cisa.gov/sites/default/files/publications/2022_00092_CISA_CPG_Report_508c.pdf
www.cisa.gov/sites/default/files/publications/fact-sheet-implementing-phishing-resistant-mfa-508c.pdf
www.cisa.gov/stopransomware
www.cisa.gov/tips/st04-002
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a&title=ESXiArgs%20Ransomware%20Virtual%20Machine%20Recovery%20Guidance
www.fbi.gov/contact-us/field-offices
www.fbi.gov/contact-us/field-offices
www.fbi.gov/contact-us/field-offices
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
www.oig.dhs.gov/
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=ESXiArgs%20Ransomware%20Virtual%20Machine%20Recovery%20Guidance&body=www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a