The Cybersecurity and Infrastructure Security Agency released a script Tuesday night to help organizations attempting to recover virtual machines affected by a spree of global cyberattacks targeting VMware ESXi servers.
The so-called ESXiArgs ransomware variant takes advantage of a two-year-old vulnerability that attackers are able to exploit remotely. Last weekend, the attacks prompted warnings from several European cybersecurity authorities urging organizations to quickly patch the OpenSLP bug.
It’s unclear how widespread the campaign is or who is behind it. However, France’s CERT-FR said that it became aware of the campaign starting on Feb. 3, and the Austrian CERT noted that it saw at least 3,276 systems impacted worldwide, using scans from Censys, a firm that indexes internet-connected devices.
The script released Tuesday is at least partially based on a recovery tutorial by cybersecurity researchers Enes Sonmez and Ahmet Aykac. It reconstructs VM metadata from virtual disks not encrypted by the ransomware.
However, CISA also warned that it will not assume any liability for damage caused by the script. “While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” CISA wrote.
CISA did not immediately respond to a request for comment on how widespread the ESXiArgs campaign may be in the U.S.