New ESXiArgs ransomware variant can evade CISA's recovery script

A laptop with a padlock on the screen

A few days ago, we reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script that can help users affected by the ESXiArgs ransomware attack. The cybercriminals behind the attack have seemingly already countered this move, as they have reportedly developed a new variant that can no longer be decrypted with the CISA's script.

According to a report by Malwarebytes, the old variant of the ransomware did not encrypt large sections of data. The new version, however, also encrypts large data chunks. And because CISA's decryption tool uses the large and mostly unencrypted flat files, VM recovery becomes next to impossible.

The new variant of the ESXiArgs ransomware also comes with a new ransom note which no longer mentions a Bitcoin address. Instead, the note urges victims to contact the threat actor on Tox, an encrypted messaging service. This is likely because the threat actors don't want payments to be tracked through the blockchain, which can reveal their identity.

According to CISA and the FBI, about 3,800 servers have fallen victim to the EXSiArgs ransomware globally. However, researchers at cybersecurity company Arctic Wolf predict that it could be higher. For now, Malwarebytes advises ESXi users to keep their systems updated or make their ESXi VMs inaccessible from the internet.

Report a problem with article
A bug Windows 11 Patch Tuesday
Next Article

Microsoft confirms botched WSUS upgrade led to failing Windows 11 Patch Tuesday updates

MediaTek 5G
Previous Article

The MediaTek Dimensity 7000 processor series starts with the new Dimensity 7200 chip

Join the conversation!

Login or Sign Up to read and post a comment.

8 Comments - Add comment