‘No Warranty’: ESXiArgs Ransomware Decryptor Is Not To Be Used Lightly

A federal cybersecurity agency on Wednesday took the rare step of releasing a script to help with recovering from widespread ransomware that is targeting VMware ESXi servers.


The U.S. government’s release of a tool that aims to aid recovery from the ESXiArgs ransomware is a promising development, but the decryptor script shouldn’t be deployed without fully understanding what it will do and whether it’s appropriate for your environment.

In a rare move, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released the script in response to a widespread ransomware campaign, known as ESXiArgs, which targets VMware ESXi servers that haven’t been patched against a two-year-old vulnerability.

[Related: Ransomware Targeting VMware Vulnerability Has Hit Hundreds Of Servers In US, Canada: Cyber Firm ]

Sponsored post

If it works effectively, the script should “let you get back to an operational state,” said Erick Galinkin, principal researcher at Rapid7, in an interview with CRN. The script works by allowing users to un-register their virtual machines (VMs) that’ve been encrypted by the ransomware, and then re-register them with a new configuration file, he said.

You’ll still need to have had a backup of the part of the VM that was encrypted to fully restore your system — but as long as you have that, the script “just gives you a way to function while you clean it up,” Galinkin said. He noted that he doesn’t believe CISA has ever provided a decryptor for ransomware recovery in the past.

While the script could be a valuable tool in recovering from the ransomware attacks, it’s not without its challenges, according to Efrem Gonzales, founder and CEO of Tec-Refresh, a Newport Beach, Calif.-based managed services provider.

As CISA itself says in its page for the tool on GitHub, “there is no warranty if the script doesn’t work,” Gonzales told CRN.

CISA said that its ESXiArgs decryptor script is based on the findings of researchers Enes Sonmez and Ahmet Aykac, and that “any organization seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it.”

“While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit,” CISA said in its page for the tool on GitHub. “Do not use this script without understanding how it may affect your system.”

Cybersecurity firm Wiz disclosed research on Tuesday showing that 12 percent of servers running the VMware ESXi hypervisor are unpatched against CVE-2021-21974, a vulnerability first disclosed in 2021. The vulnerability affects the OpenSLP service in older versions of ESXi, and can be exploited to enable remote execution of code.

The ESXiArgs ransomware campaign has struck thousands of VMware ESXi servers over the past few days, researchers have disclosed.

VMware noted that there’s a correlation between the cyberattacks and servers that are either at end-of-support or “significantly out-of-date.”

The OpenSLP service was disabled in ESXi in 2021 starting with ESXi 7.0 U2c and ESXi 8.0 GA, VMware said.

The company said Monday that it’s “advising customers to upgrade to the latest available supported releases of vSphere components to address currently known vulnerabilities,” and that it also continues to recommend that customers disable the OpenSLP service in ESXi.12.