CISA and FBI release recovery script for VMware ESXi servers targeted by ransomware
source link: https://siliconangle.com/2023/02/08/cisa-fbi-releases-recovery-script-vmware-exsi-servers-targeted-ransomware/
The U.S. Cybersecurity and Infrastructure Security Agency and the Federal Bureau of Investigation have released a free recovery script in response to a widespread ransomware campaign targeting unpatched installations of VMware Inc.’s ESXi.
VMware Inc. and government agencies in Europe warned of the ransomware attacks earlier this week, saying that a malicious actor was targeting a vulnerability in VMware ESXi servers that was patched in 2021. The issue is a heap overflow vulnerability in the OpenSLP service used by ESXi, affecting certain builds of versions 6.5, 6.7 and 7.0 of the software.
Two years after the patch was released, some VMware ESXi users have still not applied it or upgraded their software. VMware noted that the attacks are targeting installations that are generally at the end of general support or significantly out of date.
The new ESXiArgs recovery script, available on GitHub, allows organizations that have fallen victim to ESXiArgs ransomware to attempt to recover their files. In an alert today, CISA said that more than 3,800 ESXi servers are now believed to be compromised globally.
The script doesn’t try to delete the encrypted config files; instead it attempts to create new config files that restore access to the affected virtual machines. Any organization considering using the ESXiArgs recovery script is warned to review it carefully and determine whether it is appropriate for its environment before deploying it.
The quickness of the response by CISA and the FBI is undoubtedly welcome, but there’s a reason why it was relatively simple for them to code the script: The ransomware didn’t encrypt all data files.
“We got lucky this time,” Morten Gammelgard, executive vice president EMEA at ransomware protection company BullWall A/S, told SiliconANGLE. “The attackers failed to encrypt the flat data files where the data for virtual disks are stored. While these recent attacks on VMware servers were only partially successful, it highlights the issues with protecting the entire attack surface and maintaining perfect cyber hygiene. The next attack may work better and successfully encrypt all files and perhaps next time a rescue script will not be available.”
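The recoverable condition described above (disk data intact, only the VM's config and descriptor files encrypted) can be checked before anyone runs a recovery tool. The following triage helper is an added example, not the CISA/FBI script or any VMware code; it assumes the standard ESXi datastore layout of one directory per VM containing `<vm>.vmx`, the `<vm>.vmdk` descriptor and the `<vm>-flat.vmdk` data file, and it only reads files, never modifies them.

```shell
#!/bin/sh
# Triage helper (constructed example, not the CISA/FBI recovery script).
# For each VM directory under a datastore root, report whether the flat
# disk data survived and whether the descriptor and .vmx are still readable.

# Classify one VM directory. Prints "<vm>\t<status>" where status is:
#   intact      : flat data present, descriptor and .vmx still parse
#   recoverable : flat data present but descriptor or .vmx missing/unreadable
#   data-lost   : no -flat.vmdk, so there is nothing for a new descriptor
triage_vm_dir() {
    dir="$1"
    vm=$(basename "$dir")
    flat="$dir/$vm-flat.vmdk"
    desc="$dir/$vm.vmdk"
    vmx="$dir/$vm.vmx"
    if [ ! -s "$flat" ]; then
        printf '%s\tdata-lost\n' "$vm"
        return 0
    fi
    # A plaintext descriptor starts with the VMDK header line and a
    # plaintext .vmx carries a config.version key; encrypted ones do not.
    if [ -f "$desc" ] && head -c 64 "$desc" | grep -q '^# Disk DescriptorFile' \
       && [ -f "$vmx" ] && grep -q '^config.version' "$vmx"; then
        printf '%s\tintact\n' "$vm"
    else
        printf '%s\trecoverable\n' "$vm"
    fi
    return 0
}

# Walk every VM directory directly under a datastore root.
triage_datastore() {
    for d in "$1"/*/; do
        [ -d "$d" ] && triage_vm_dir "${d%/}"
    done
    return 0
}
```

Run it as `triage_datastore /vmfs/volumes/<datastore>` on an ESXi host (path is an assumption) and use the "recoverable" lines as the candidate list to review against the script's own documentation.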