America’s Cyber and Infrastructure Security Agency (CISA) is helping out organisations hit by the ransomware known as ESXiArgs.
Since the ransomware attacks were first observed in Italy over the weekend, the campaign has spread to other European countries and to North America.
The attackers are targeting a bug in VMware’s ESXi that has had a patch available since February 2021.
CISA has published a script which it said will allow organisations to attempt to recover virtual machines affected by the ransomware attacks.
The script, published at Github, is based on work by Enes Sonmez and Ahmet Aykac of YoreGroup Tech Team, CISA said.
“This tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware”, the agency said.
“Any organisation seeking to use CISA’s ESXiArgs recovery script should carefully review the script to determine if it is appropriate for their environment before deploying it.
“This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.”
