CISA Releases Recovery Tool for VMware Ransomware Victims

Written by

The US Cybersecurity and Infrastructure Security Agency (CISA) has published a new script designed to help ransomware victims recover any VMware virtual machines (VMs) impacted by a current global campaign.

Ransomware payment tracker Ransomwhere estimated the number of victims at 3800, based on an “internet-wide” scanning effort on Monday. It said four payments had been made totalling $88,000, although this is likely to underestimate the scale of the campaign.

Initial reports from country-level CERTs claimed the threat actors behind it are exploiting CVE-2021-21974, a legacy bug which enables attackers to perform remote code execution on VMware’s ESXi hypervisors by triggering a heap-overflow issue in OpenSLP.

However, an update from VMware claimed “significantly out-of-date products are being targeted with known vulnerabilities,” which would suggest more than one vulnerability is being exploited.

“With this in mind, we are advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” it said. “In addition, VMware has recommended disabling the OpenSLP service in ESXi. In 2021, ESXi 7.0 U2c and ESXi 8.0 GA began shipping with the service disabled by default.”

Now CISA has unveiled a tool to help compromised users to recover their VMs.

Based on findings by researchers Enes Sonmez and Ahmet Aykac, the script works by reconstructing VM metadata from virtual disks that were not encrypted by the ransomware.

“Any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it. This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs,” CISA explained.

“While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system.”

Editorial credit icon image: Pavel Kapysh /

What’s hot on Infosecurity Magazine?