Well, that didn't take long.
The script that let owners of VMware ESXi servers infected with ransomware recover their files no longer works, because the attackers updated the encryptor and fixed the flaw it had. Those without endpoint protection now most likely won't be able to restore their files without obtaining the decryption key from the threat actors.
The news was confirmed by BleepingComputer, whose researchers analyzed freshly obtained samples of the encryptor.
Abusing an old flaw
Late last week, the national cybersecurity agencies of several European countries, as well as those of the US and Canada, warned of a widespread, semi-automated attack against VMware ESXi servers. The attackers found more than 3,000 endpoints (at press time) that were vulnerable to a flaw VMware patched two years ago, and used that flaw to deploy the ESXiArgs ransomware.
The attacked servers were located mostly in Europe (Italy, France, Finland), but also in the US and Canada. Organizations in France were reportedly the worst hit.
France's national computer security incident response team, CERT-FR, said the attack was semi-automated and targeted servers vulnerable to CVE-2021-21974. The flaw is described as a heap overflow in OpenSLP, the Service Location Protocol daemon ESXi exposes over the network, and it allows unauthenticated threat actors to execute code remotely.
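The practical question for an ESXi owner is whether the host still exposes the OpenSLP service that CVE-2021-21974 sits in. The following script is an added example, not code from this article, from VMware or from CISA: it parses the host firewall ruleset listing to see whether the CIMSLP ruleset (the firewall opening for SLP on TCP/UDP 427) is enabled, and can apply VMware's published workaround from KB 76372 (stop slpd, disable the CIMSLP ruleset, keep slpd from starting on boot). The exact column layout of `esxcli network firewall ruleset list` is an assumption, and the sample listing is constructed so the parser can be exercised off-host. Installing a fixed build per VMSA-2021-0002 remains the real remediation; the workaround only removes the exposure.

```shell
#!/bin/sh
# Added example, not from the article, VMware or CISA. Checks whether an ESXi
# host still exposes OpenSLP (the service behind CVE-2021-21974) and can apply
# VMware's KB 76372 workaround. Assumes the output format of
# `esxcli network firewall ruleset list`: a "Name  Enabled" header, a dashed
# separator, then one "<ruleset> <true|false>" row per ruleset.

# cimslp_enabled LISTING -> prints true, false, or unknown (row not present)
cimslp_enabled() {
    printf '%s\n' "$1" | awk '
        $1 == "CIMSLP" { print tolower($2); found = 1 }
        END { if (!found) print "unknown" }'
}

# Constructed sample listing (not captured from a real host) used off-host.
SAMPLE_RULESET_LIST='Name                         Enabled
---------------------------  -------
sshServer                    true
CIMHttpServer                true
CIMSLP                       true
vsanvp                       false'

# VMware's documented workaround (KB 76372); only meaningful on the host.
apply_slp_workaround() {
    /etc/init.d/slpd stop
    esxcli network firewall ruleset set -r CIMSLP -e 0
    chkconfig slpd off
}

# Read the live listing only when running on ESXi; elsewhere fall back to
# the constructed sample so the script is safe to run anywhere.
if command -v esxcli >/dev/null 2>&1; then
    listing=$(esxcli network firewall ruleset list)
else
    listing=$SAMPLE_RULESET_LIST
fi

case $(cimslp_enabled "$listing") in
    true)
        echo "CIMSLP ruleset enabled: SLP on tcp/udp 427 is reachable; exposed if unpatched"
        # Opt in explicitly; never change host state by default.
        if [ "${APPLY_WORKAROUND:-0}" = 1 ] && command -v esxcli >/dev/null 2>&1; then
            apply_slp_workaround
        fi
        ;;
    false)   echo "CIMSLP ruleset disabled: SLP is not reachable through the host firewall" ;;
    unknown) echo "CIMSLP ruleset not found in listing; check the esxcli output format" ;;
esac
```

Run it on the host as root; set `APPLY_WORKAROUND=1` to have it stop slpd and close the ruleset rather than only report. Disabling SLP breaks CIM clients that rely on service discovery, so confirm nothing in your monitoring stack depends on it before applying the workaround fleet-wide.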
But soon after, researchers discovered that the encryptor was flawed: while encrypting large files, it skipped large portions of them. That left two researchers from YoreGroup Tech Team plenty of unencrypted data to work with, which helped them devise a way to recover the files and restore access to the compromised hosts.
The US Cybersecurity and Infrastructure Security Agency (CISA) later chimed in, creating a script to automate the work, and shared it on GitHub.
But the good news didn't last long, as the threat actors have now started deploying an updated version of the encryptor with the flaw eliminated. Still, everyone recommends that victims try CISA's script anyway, just in case: servers hit by the original encryptor may still be recoverable.