It might be impossible now to recover data from VMware ransomware attacks

Scott Marlette

2 years ago

Well, that didn’t take long.

The script that allowed VMware ESXi server owners infected with ransomware (opens in new tab) to restore the files no longer works, because the attackers updated the encryptor and patched the flaw it had. Now, those without endpoint protection most likely won’t be able to restore the files without getting the decryption key from the threat actors.

The news was confirmed by BleepingComputer (opens in new tab), whose researchers analyzed freshly obtained samples of the encryptor.

Abusing an old flaw

Late last week, national cybersecurity agencies of a few European countries, as well as those in the US and Canada, warned of a widespread, semi-automated attack against VMware’s ESXi servers. The attackers found more than 3,000 endpoints (at press time) that were vulnerable to a flaw that VMware patched two years ago, and used that flaw to deploy the ESXiArgs ransomware.

The attacked servers were located mostly in Europe (Italy, France, Finland), but also in the US and Canada. Businesses in France were allegedly worst-hit.

The country’s national government computer security incident response team, CERT-FR, said the attack was semi-automated, targeting servers vulnerable to CVE-2021-21974. The flaw is described as an OpenSLP HeapOverflow vulnerability, allowing threat actors to execute code remotely.

But soon after, researchers discovered that the encryptor was flawed and while in the process of encrypting big files, skipped large portions of them. That gave two researchers from YoreGroup Tech Team plenty of unencrypted files to work with, which helped them devise a way to decrypt the files and restore access to the compromised devices.

The US Cybersecurity and Infrastructure Security Agency (CISA) later chimed in, creating a script to automate the work, and shared it on GitHub.

But good news didn’t last long, as the threat actors now started deploying an updated version of the encryptor, with the flaw eliminated. Still, everyone recommends victims try and use CISA’s script, just in case.

For all the latest Technology News Click Here

For the latest news and updates, follow us on Google News.

Read original article here

Denial of responsibility! TechNewsBoy.com is an automatic aggregator around the global media. All the content are available free on Internet. We have just arranged it in one platform for educational purpose only. In each content, the hyperlink to the primary source is specified. All trademarks belong to their rightful owners, all materials to their authors. If you are the owner of the content and do not want us to publish your materials on our website, please contact us by email – abuse@technewsboy.com. The content will be deleted within 24 hours.