A few days ago, we reported that the U.S. Cybersecurity and Infrastructure Security Agency (CISA) released a script that can help users affected by the ESXiArgs ransomware attack. The cybercriminals behind the attack have seemingly already countered this move: they have reportedly developed a new variant that can no longer be recovered with CISA's script.
According to a report by Malwarebytes, the old variant of the ransomware left large sections of the targeted files unencrypted. The new version, however, also encrypts those large data chunks. Because CISA's recovery script depends on the large, mostly unencrypted flat files to rebuild the VMs, recovery of VMs hit by the new variant becomes next to impossible.
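The difference between the two variants comes down to how much of each flat file is left in the clear, which is exactly what a responder would want to measure before deciding whether a rebuild-from-flat-file approach is worth attempting. The following is an added triage example, not code from CISA's script or from the Malwarebytes report: it splits a disk image into fixed-size blocks, scores each block's Shannon entropy, and reports the encrypted-looking fraction and the longest contiguous run of clear blocks. The 4 KiB block size and the 7.0 bits/byte threshold are my assumptions, and the sample images are constructed synthetically (low-entropy text with periodic runs of seeded random bytes standing in for encrypted chunks), so nothing here reflects the real ESXiArgs encryption stride.

```python
import math
import random
from collections import Counter

BLOCK = 4096          # assumed analysis block size, not taken from the report
HIGH_ENTROPY = 7.0    # assumed bits/byte threshold above which a block looks encrypted


def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte for one block (0.0 for uniform data, 8.0 max)."""
    if not block:
        return 0.0
    n = len(block)
    return -sum((c / n) * math.log2(c / n) for c in Counter(block).values())


def classify_blocks(data: bytes, block_size: int = BLOCK,
                    threshold: float = HIGH_ENTROPY) -> list:
    """True for every block whose entropy is at or above the threshold."""
    return [shannon_entropy(data[i:i + block_size]) >= threshold
            for i in range(0, len(data), block_size)]


def encrypted_fraction(data: bytes, block_size: int = BLOCK,
                       threshold: float = HIGH_ENTROPY) -> float:
    """Share of blocks that look encrypted; 0.0 for an empty image."""
    flags = classify_blocks(data, block_size, threshold)
    return sum(flags) / len(flags) if flags else 0.0


def longest_clear_run(flags: list) -> int:
    """Longest run of consecutive clear (non-encrypted) blocks.

    A rebuild that relies on unencrypted flat-file regions needs large
    contiguous clear runs, so this number matters more than the raw fraction.
    """
    best = run = 0
    for encrypted in flags:
        run = 0 if encrypted else run + 1
        best = max(best, run)
    return best


def build_sample(total_blocks: int, encrypted_every: int, run_len: int,
                 seed: int = 0) -> bytes:
    """Constructed synthetic flat-file image (not real VMDK data).

    Within each period of `encrypted_every` blocks, the first `run_len` blocks
    are replaced with seeded random bytes to mimic encrypted chunks.
    """
    rng = random.Random(seed)
    clear_block = (b"sample flat-file payload; constructed test data. " * 200)[:BLOCK]
    out = bytearray()
    for b in range(total_blocks):
        if (b % encrypted_every) < run_len:
            out += rng.randbytes(BLOCK)   # Python 3.9+
        else:
            out += clear_block
    return bytes(out)


def summarize(label: str, data: bytes) -> dict:
    """Triage summary for one image; returned as a dict for easy checking."""
    flags = classify_blocks(data)
    return {
        "label": label,
        "blocks": len(flags),
        "encrypted_fraction": encrypted_fraction(data),
        "longest_clear_run": longest_clear_run(flags),
    }


if __name__ == "__main__":
    # Old-style: a short encrypted stripe every 16 blocks, most of the file clear.
    old_style = build_sample(total_blocks=64, encrypted_every=16, run_len=1)
    # New-style: most of each period encrypted, only short clear gaps remain.
    new_style = build_sample(total_blocks=64, encrypted_every=16, run_len=12)
    for s in (summarize("sparse encryption", old_style),
              summarize("dense encryption", new_style)):
        print(f"{s['label']:>18}: {s['encrypted_fraction']:.1%} encrypted, "
              f"longest clear run {s['longest_clear_run']} blocks")
```

Run it against a real image by reading the flat file in chunks instead of building a sample; the two summary numbers give a quick, defensible answer to "is there enough clear data left to attempt a rebuild?" before anyone spends hours on a recovery that the dense variant makes hopeless.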
The new variant of the ESXiArgs ransomware also comes with a new ransom note that no longer lists a Bitcoin address. Instead, the note urges victims to contact the threat actor on Tox, an encrypted messaging service. This is likely because the threat actors do not want payments to be tracked through the blockchain, which could reveal their identity.
According to CISA and the FBI, about 3,800 servers have fallen victim to the ESXiArgs ransomware globally. However, researchers at cybersecurity company Arctic Wolf suggest the actual figure could be higher. For now, Malwarebytes advises ESXi users to keep their systems updated or to make their ESXi hosts and VMs inaccessible from the internet.