Well, it didn’t last long.
A script that allowed owners of VMware ESXi servers infected with ransomware to restore their files no longer works, because the attackers updated the encryptor and patched its flaw. Now, those without endpoint protection will most likely be unable to restore files without obtaining the decryption key from the threat actors.
The information was confirmed by BleepingComputer, whose researchers analyzed freshly downloaded samples of the encryptor.
Abuse of an old flaw
Late last week, national cybersecurity agencies in several European countries, as well as in the United States and Canada, warned of a large-scale, semi-automatic attack on VMware's ESXi servers. The attackers found over 3,000 endpoints (at the time of publication) exposed to a vulnerability that VMware had patched two years ago, and used it to deploy the ESXiArgs ransomware.
The attacked servers were mainly located in Europe (Italy, France, Finland), but also in the United States and Canada. Businesses in France are said to have suffered the most.
France's national computer security incident response team, CERT-FR, said the attack was semi-automatic and targeted servers vulnerable to CVE-2021-21974. The vulnerability is described as an OpenSLP heap overflow that allows cybercriminals to execute code remotely.
But soon after, researchers discovered that the encryptor was flawed: when processing large files it skipped large parts of them, leaving much of the content unencrypted. This gave two researchers from the YoreGroup Tech Team plenty of unencrypted data to work with, which helped them develop a way to decrypt files and restore access to compromised devices.
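As an added illustration of why that flaw mattered (this is not code from the article, from the YoreGroup researchers or from CISA): a chunk-entropy scan that flags which regions of a file were left untouched by an encryptor that skips large parts of large files, and merges them into byte ranges a recovery effort could carve out. The chunk size, entropy threshold and the constructed sample file are assumptions.

```python
import math
import os
from collections import Counter

CHUNK_SIZE = 4096          # scan granularity (assumption, not the real encryptor's stride)
ENTROPY_THRESHOLD = 7.2    # bits/byte; ciphertext sits near 8.0, config text well below

def shannon_entropy(block: bytes) -> float:
    """Shannon entropy in bits per byte of a block (0.0 for an empty block)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum(c / n * math.log2(c / n) for c in Counter(block).values())

def classify_chunks(data: bytes, chunk_size: int = CHUNK_SIZE,
                    threshold: float = ENTROPY_THRESHOLD) -> list:
    """One label per chunk: 'high' (likely encrypted) or 'plain' (likely untouched)."""
    labels = []
    for off in range(0, len(data), chunk_size):
        h = shannon_entropy(data[off:off + chunk_size])
        labels.append("high" if h >= threshold else "plain")
    return labels

def recoverable_ranges(data: bytes, chunk_size: int = CHUNK_SIZE,
                       threshold: float = ENTROPY_THRESHOLD) -> list:
    """Merge adjacent 'plain' chunks into (start, end) byte ranges worth carving out."""
    ranges = []
    for i, label in enumerate(classify_chunks(data, chunk_size, threshold)):
        if label != "plain":
            continue
        start = i * chunk_size
        end = min(start + chunk_size, len(data))
        if ranges and ranges[-1][1] == start:
            ranges[-1] = (ranges[-1][0], end)   # extend the previous contiguous range
        else:
            ranges.append((start, end))
    return ranges

def make_sample(n_chunks: int = 8, chunk_size: int = CHUNK_SIZE,
                encrypted_chunks=(0, 4)) -> bytes:
    """Constructed sample: repetitive VM config text in which only some chunks were
    overwritten with random bytes to stand in for ciphertext. It mimics the effect the
    article describes (large regions skipped), not the real encryptor's layout or cipher."""
    line = b"[vm]\nname=example-vm\nmemory=4096\n"
    text = (line * (chunk_size // len(line) + 1))[:chunk_size]
    chunks = [bytearray(text) for _ in range(n_chunks)]
    for i in encrypted_chunks:
        chunks[i] = bytearray(os.urandom(chunk_size))
    return bytes(b"".join(chunks))
```

On a real partially encrypted file the same scan gives a map of which offsets still hold plaintext, which is exactly the material the researchers' recovery relied on.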
The U.S. Cybersecurity and Infrastructure Security Agency (CISA) later stepped in, creating a script to automate the work and making it available on GitHub.
But the good news didn't last long, as cybercriminals have now started rolling out an updated version of the encryptor with the flaw fixed. Despite this, victims are still advised to try the CISA script, just in case.