Submitted URL: https://www.cisa.gov/uscert/ncas/alerts/aa23-039a
Effective URL: https://www.cisa.gov/news-events/cybersecurity-advisories/aa23-039a

Cybersecurity & Infrastructure Security Agency
America's Cyber Defense Agency

Cybersecurity Advisory


ESXIARGS RANSOMWARE VIRTUAL MACHINE RECOVERY GUIDANCE

Release Date
February 08, 2023
Alert Code
AA23-039A



SUMMARY

The Cybersecurity and Infrastructure Security Agency (CISA) and the Federal
Bureau of Investigation (FBI) are releasing this joint Cybersecurity Advisory
(CSA) in response to the ongoing ransomware campaign, known as “ESXiArgs.”
Malicious actors may be exploiting known vulnerabilities in VMware ESXi servers
that are likely running unpatched and out-of-service or out-of-date versions of
VMware ESXi software to gain access and deploy ransomware. The ESXiArgs
ransomware encrypts configuration files on ESXi servers, potentially rendering
virtual machines (VMs) unusable. 

CISA has released an ESXiArgs recovery script
at github.com/cisagov/ESXiArgs-Recover. Organizations that
have fallen victim to ESXiArgs ransomware can use this script to attempt to
recover their files. This CSA provides guidance on how to use the script.
ESXiArgs actors have compromised over 3,800 servers globally. CISA and FBI
encourage all organizations managing VMware ESXi servers to: 

 * Update servers to the latest version of VMware ESXi software, 
 * Harden ESXi hypervisors by disabling the Service Location Protocol (SLP)
   service, and 
 * Ensure the ESXi hypervisor is not exposed to the public internet. 

If malicious actors have compromised your organization with ESXiArgs ransomware,
CISA and FBI recommend following the script and guidance provided in this CSA to
attempt to recover access to your files.  

Download the PDF version of this report: 

ESXiArgs Ransomware Virtual Machine Recovery Guidance (PDF, 711.08 KB)

Note: CISA and FBI will update this CSA as more information becomes available.




TECHNICAL DETAILS

Open-source reporting indicates that malicious actors are exploiting known
vulnerabilities in VMware ESXi software to gain access to servers and deploy
ESXiArgs ransomware. The actors are likely targeting end-of-life ESXi servers or
ESXi servers that do not have the available ESXi software patches
applied.[1]

ESXiArgs ransomware encrypts certain configuration files on ESXi servers,
potentially rendering VMs unusable. Specifically, the ransomware encrypts
configuration files associated with the VMs; it does not encrypt flat files. As
a result, it is possible, in some cases, for victims to reconstruct the
encrypted configuration files based on the unencrypted flat file. The recovery
script documented below automates the process of recreating configuration
files. The full list of file extensions encrypted by the malware
is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.


RECOVERY GUIDANCE

CISA and FBI do not encourage paying the ransom as payment does not guarantee
victim files will be recovered. Furthermore, payment may also embolden
adversaries to target additional organizations, encourage other criminal actors
to engage in the distribution of ransomware, and/or fund illicit activities.
Regardless of whether you or your organization have decided to pay the ransom,
CISA and FBI urge you to promptly report ransomware incidents to a local FBI
Field Office, or to CISA at cisa.gov/report.

CISA is providing these steps to enable organizations to attempt recovery of
their VMs. CISA’s GitHub ESXiArgs recovery script, which also outlines these
steps, is available at github.com/cisagov/ESXiArgs-Recover.
CISA is aware that some organizations have reported success in recovering files
without paying ransoms. CISA’s script is based on findings published by
third-party researchers.[2]

Any organization seeking to use CISA’s ESXiArgs recovery script should carefully
review the script to determine if it is appropriate for their environment before
deploying it. This script does not seek to delete the encrypted configuration
files, but instead seeks to create new configuration files that enable access to
the VMs. While CISA works to ensure that scripts like this one are safe and
effective, this script is delivered without warranty, either implicit or
explicit. Do not use this script without understanding how it may affect your
system. CISA does not assume liability for damage caused by this
script. Note: Organizations that run into problems with the script can create a
GitHub issue at https://github.com/cisagov/ESXiArgs-Recover/issues; CISA will
do its best to resolve concerns.

 1. Quarantine or take affected hosts offline to ensure that repeat infection
    does not occur.
 2. Download CISA’s recovery script and save it as /tmp/recover.sh.
    For example, with wget: wget -O
    /tmp/recover.sh https://raw.githubusercontent.com/cisagov/ESXiArgs-Recover/main/recover.sh.
 3. Give the script execute permissions: chmod +x /tmp/recover.sh
 4. Navigate to the folder of a VM you would like to recover and run ls to view
    the files.
    * Note: You may browse these folders by running ls /vmfs/volumes/datastore1.
      For instance, if the folder is called example, run cd
      /vmfs/volumes/datastore1/example.
 5. View files by running ls. Note the name of the VM (via naming
    convention: [name].vmdk).
 6. Run the recovery script with /tmp/recover.sh [name], where [name] is the
    name of the VM determined previously. 
    * If the VM is a thin format, run /tmp/recover.sh [name] thin.
    * If successful, the recovery script will output that it has successfully
      run. If unsuccessful, it may not be possible for the recovery script to
      recover your VMs; consider engaging external incident response help.
 7. If the script succeeded, re-register the VM.
    1. If the ESXi web interface is inaccessible, remove the ransom note and
       restore access via the following steps. (Note: Taking the steps below
       moves the ransom note to the file ransom.html. Consider archiving this
       file for future incident review.)
       * Run cd /usr/lib/vmware/hostd/docroot/ui/ && mv index.html ransom.html
         && mv index1.html index.html.
       * Run cd /usr/lib/vmware/hostd/docroot && mv index.html ransom.html &&
         mv index1.html index.html. (The mv has already moved index.html aside,
         so no separate rm is needed; an rm in the && chain would fail and stop
         index1.html from being restored.)
       * Reboot the ESXi server (e.g., with the reboot command). After a few
         minutes, you should be able to navigate to the web interface.
       * In the ESXi web interface, navigate to the Virtual Machines page.
       * If the VM you restored already exists, right click on the VM and
         select Unregister (see figure 1).



Figure 1: Unregistering the virtual machine.

       * Select Create / Register VM (see figure 2).
       * Select Register an existing virtual machine (see figure 2).

Figure 2: Registering the virtual machine, selecting machine to register.

       * Click Select one or more virtual machines, a datastore or a directory
         to navigate to the folder of the VM you restored. Select the vmx file
         in the folder (see figure 3).

Figure 3: Registering the virtual machine, finalizing registration.

       * Select Next and Finish. You should now be able to use the VM as normal.

 8. Update servers to the latest software version, disable the Service Location
    Protocol (SLP) service, and ensure the ESXi hypervisor is not configured to
    be exposed to the public internet before putting systems back online. 
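The Technical Details section explains why recovery is possible at all: the flat file holding the disk contents is untouched, only the small descriptor (the `.vmdk` text file) is encrypted, so a new descriptor can be written from the flat file's size. The following is an added illustration of that core step in Python; it is not CISA's recover.sh, and the descriptor layout, the default geometry values, the `thin` flag handling and the `.vmdk.encrypted` backup name are this example's own assumptions. It constructs a throwaway sample folder so it runs offline; on a real host use the official script after reviewing it.

```python
import tempfile
from pathlib import Path
from secrets import randbits

SECTOR = 512                       # VMDK extents are sized in 512-byte sectors
MAGIC = "# Disk DescriptorFile"    # first line of every healthy descriptor


def is_descriptor(path: Path) -> bool:
    """True if the file still looks like a plaintext descriptor (an encrypted one does not)."""
    try:
        with path.open("rb") as f:
            return f.read(len(MAGIC)) == MAGIC.encode()
    except OSError:
        return False


def build_descriptor(name: str, sectors: int, thin: bool) -> str:
    """Minimal VMFS descriptor pointing at <name>-flat.vmdk.
    Geometry (255 heads / 63 sectors, lsilogic adapter) is an assumed default."""
    lines = [
        MAGIC, "version=1", f"CID={randbits(32):08x}", "parentCID=ffffffff",
        'createType="vmfs"', "",
        "# Extent description",
        f'RW {sectors} VMFS "{name}-flat.vmdk"', "",
        "# The Disk Data Base", "#DDB",
        'ddb.adapterType = "lsilogic"',
        f'ddb.geometry.cylinders = "{max(1, sectors // (255 * 63))}"',
        'ddb.geometry.heads = "255"',
        'ddb.geometry.sectors = "63"',
    ]
    if thin:  # mirrors the advisory's "thin" argument for thin-provisioned disks
        lines.append('ddb.thinProvisioned = "1"')
    return "\n".join(lines) + "\n"


def rebuild_vmdk(vm_dir: Path, name: str, thin: bool = False) -> int:
    """Recreate <name>.vmdk from the intact flat file; returns the extent size in sectors.
    The encrypted descriptor is renamed, not deleted, so it stays available for review."""
    flat, desc = vm_dir / f"{name}-flat.vmdk", vm_dir / f"{name}.vmdk"
    if not flat.is_file():
        raise FileNotFoundError(f"{flat} missing: nothing to rebuild from")
    size = flat.stat().st_size
    if size == 0 or size % SECTOR:
        raise ValueError(f"{flat} is {size} bytes, not whole sectors; flat file may be damaged")
    sectors = size // SECTOR
    if desc.exists():
        if is_descriptor(desc):
            return sectors  # already healthy: leave it untouched
        desc.rename(vm_dir / f"{name}.vmdk.encrypted")  # assumed backup name
    desc.write_text(build_descriptor(name, sectors, thin))
    return sectors


def demo() -> dict:
    """Constructed sample VM folder: a 4 MiB all-zero flat file plus junk bytes standing
    in for the encrypted descriptor. Returns the checks a caller would make afterwards."""
    vm = Path(tempfile.mkdtemp()) / "example"
    vm.mkdir()
    (vm / "example-flat.vmdk").write_bytes(b"\0" * (4 * 1024 * 1024))
    (vm / "example.vmdk").write_bytes(b"\x8f\x3c" * 512)   # not a real descriptor
    sectors = rebuild_vmdk(vm, "example", thin=True)
    text = (vm / "example.vmdk").read_text()
    return {
        "sectors": sectors,
        "extent_ok": f'RW {sectors} VMFS "example-flat.vmdk"' in text,
        "thin_flag": 'ddb.thinProvisioned = "1"' in text,
        "backup_kept": (vm / "example.vmdk.encrypted").exists(),
        "rerun_idempotent": rebuild_vmdk(vm, "example") == sectors,
    }


if __name__ == "__main__":
    print(demo())
```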

ADDITIONAL INCIDENT RESPONSE

The above script only serves as a method to recover essential services. Although
CISA and FBI have not seen any evidence that the actors have established
persistence, we recommend organizations take the following additional incident
response actions after applying the script:

 1. Review network logging to and from ESXi hosts and the guest VMs for unusual
    scanning activity.
 2. Review traffic from network segments occupied by the ESXi hosts and guests.
    Consider restricting non-essential traffic to and from these segments.

If you detect activity from the above, implement your incident response plan.
CISA and FBI urge you to promptly report ransomware incidents to a local FBI
Field Office, or to CISA at cisa.gov/report.

Organizations should also collect and review artifacts, such as running
processes/services, unusual authentications, and recent network connections.

See the joint CSA from the cybersecurity authorities of Australia, Canada, New
Zealand, the United Kingdom, and the United States on Technical Approaches to
Uncovering and Remediating Malicious Activity for additional guidance on hunting
or investigating a network, and for common mistakes in incident handling. CISA
also encourages government network administrators to see CISA’s Federal
Government Cybersecurity Incident and Vulnerability Response Playbooks. Although
tailored to federal civilian branch agencies, these playbooks provide
operational procedures for planning and conducting cybersecurity incident and
vulnerability response activities and detail steps for both incident and
vulnerability response.  

Additional resources for recovering .vmdk files can be found on a third-party
researcher’s website.[2]




MITIGATIONS

Note: These mitigations align with the cross-sector Cybersecurity Performance
Goals (CPGs) developed by CISA and the National Institute of Standards and
Technology (NIST). The CPGs provide a minimum set of practices and protections
that CISA and NIST recommend all organizations implement. CISA and NIST based
the CPGs on existing cybersecurity frameworks and guidance to protect against
the most common and impactful threats, tactics, techniques, and procedures. For
more information on the CPGs, including additional recommended baseline
protections, see cisa.gov/cpg.

CISA and FBI recommend all organizations: 

 * Temporarily remove connectivity for the associated ESXi server(s).
   * Upgrade your ESXi servers to the latest version of VMware ESXi
     software [CPG 5.1]. ESXi releases are cumulative, and the latest builds are
     documented in VMware’s article, Build numbers and versions of VMware
     ESXi/ESX.
   * Harden ESXi hypervisors by disabling the Service Location Protocol (SLP)
     service, which ESXiArgs may leverage. For more information on executing
     workarounds, see VMware’s guidance How to Disable/Enable the SLP Service on
     VMware ESXi.
   * Ensure your ESXi hypervisor is not configured to be exposed to the public
     internet.

In addition, CISA and FBI recommend organizations apply the following
recommendations to prepare for, mitigate/prevent, and respond to ransomware
incidents.


PREPARING FOR RANSOMWARE

 * Maintain offline backups of data, and regularly test backup and
   restoration [CPG 7.3]. These practices safeguard an organization’s continuity
   of operations or at least minimize potential downtime from a ransomware
   incident and protect against data losses.
 * Ensure all backup data is encrypted, immutable (i.e., cannot be altered or
   deleted), and covers the entire organization’s data infrastructure.
 * Create, maintain, and exercise a basic cyber incident response plan and
   associated communications plan that includes response procedures for a
   ransomware incident [CPG 7.1, 7.2].


 MITIGATING AND PREVENTING RANSOMWARE

 * Restrict Server Message Block (SMB) Protocol within the network to only
   access servers that are necessary and remove or disable outdated versions of
   SMB (i.e., SMB version 1). Threat actors use SMB to propagate malware across
   organizations.
 * Require phishing-resistant MFA for as many services as possible [CPG
   1.3]—particularly for webmail, VPNs, accounts that access critical systems,
   and privileged accounts that manage backups.
 * Review the security posture of third-party vendors and those interconnected
   with your organization. Ensure all connections between third-party vendors
   and outside software or hardware are monitored and reviewed for suspicious
   activity.
 * Implement allow-listing policies for applications and remote access that only
   allow systems to execute known and permitted programs.
 * Open document readers in protected viewing modes to help prevent active
   content from running.
 * Implement a user training program and phishing exercises to raise awareness
   among users about the risks of visiting suspicious websites, clicking on
   suspicious links, and opening suspicious attachments. Reinforce the
   appropriate user response to phishing and spearphishing emails.
 * Use strong passwords [CPG 1.4] and avoid reusing passwords for multiple
   accounts. See CISA Tip Choosing and Protecting Passwords and NIST Special
   Publication 800-63B: Digital Identity Guidelines for more information.
 * Require administrator credentials to install software [CPG 1.5].
 * Audit user accounts with administrative or elevated privileges and configure
   access controls with least privilege in mind [CPG 1.5].
 * Install and regularly update antivirus and antimalware software on all hosts.
 * Consider adding an email banner to messages coming from outside your
   organization.
 * Disable hyperlinks in received emails.
 * Consider participating in CISA’s no-cost Automated Indicator Sharing (AIS)
   program to receive real-time exchange of machine-readable cyber threat
   indicators and defensive measures. 


RESPONDING TO RANSOMWARE INCIDENTS

If a ransomware incident occurs at your organization:

 * Follow your organization’s Ransomware Response Checklist (see Preparing for
   Ransomware section).
 * Scan backups. If possible, scan backup data with an antivirus program to
   check that it is free of malware. This should be performed using an isolated,
   trusted system to avoid exposing backups to potential compromise.
 * Follow the notification requirements as outlined in your cyber incident
   response plan.
 * Report incidents to CISA at cisa.gov/report, FBI at a local FBI Field
   Office, or the U.S. Secret Service (USSS) at a USSS Field Office.
 * Apply incident response best practices found in the joint Cybersecurity
   Advisory, Technical Approaches to Uncovering and Remediating Malicious
   Activity, developed by CISA and the cybersecurity authorities of Australia,
   Canada, New Zealand, and the United Kingdom.

Note: CISA and FBI strongly discourage paying ransoms as doing so does not
guarantee files and records will be recovered. Furthermore, payment may also
embolden adversaries to target additional organizations, encourage other
criminal actors to engage in the distribution of ransomware, and/or fund illicit
activities.


RESOURCES 

See Stopransomware.gov, a whole-of-government approach, for ransomware resources
and alerts.


ACKNOWLEDGEMENTS

CISA and FBI would like to thank VMware for their contributions to this CSA.




REFERENCES

[1] VMware Security Response Center (vSRC) Response to 'ESXiArgs' Ransomware
Attack…
[2] Enes Sonmez and Ahmet Aykac, YoreGroup Tech Team: decrypt your crypted files
in…




REVISIONS

February, 2023: Initial Version

