September 30, 2023

The U.S. CISA has released a script to recover VMware ESXi servers infected with ESXiArgs ransomware.

Victims of the recent wave of ESXiArgs ransomware attacks can use the script to recover encrypted VMware ESXi servers.

CERT-FR reported that the threat actors behind these ransomware attacks are actively exploiting the vulnerability CVE-2021-21974.


Only a few thousand systems were encrypted worldwide. In most cases the attacks failed because the ESXiArgs ransomware did not encrypt virtual disk files.

CISA is aware that a few organizations have reported success in recovering files without paying ransoms. CISA compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. The tool works by reconstructing virtual machine metadata from virtual disks that were not encrypted by the malware.

This script does not seek to delete the encrypted config files, but instead seeks to create new config files that enable access to the VMs.
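
To show why an intact virtual disk is enough to rebuild its metadata, the following added example (not CISA's script and not code from the original post) derives a VMDK descriptor from the size of a surviving `-flat.vmdk` extent and, like the approach described above, only plans new files without touching existing ones. The function names, the adapter type and hardware version defaults, and the file layout are assumptions made for illustration.

```python
"""Added illustration: rebuild a VMDK descriptor from an intact -flat.vmdk extent."""
import os

SECTOR = 512            # VMDK extents are counted in 512-byte sectors
HEADS, SPT = 255, 63    # conventional geometry values in VMFS descriptors
SUFFIX = "-flat.vmdk"


def build_descriptor(flat_name: str, flat_size: int,
                     adapter: str = "lsilogic", hw_version: str = "13") -> str:
    """Return descriptor text that points at an existing flat extent.

    adapter and hw_version cannot be read from the flat file; the defaults
    are assumptions and must be set to match the original VM.
    """
    if not flat_name.endswith(SUFFIX):
        raise ValueError("expected a *-flat.vmdk extent")
    if flat_size <= 0 or flat_size % SECTOR:
        raise ValueError("extent size is not a positive multiple of 512")
    sectors = flat_size // SECTOR
    cylinders = sectors // (HEADS * SPT)
    return "\n".join([
        "# Disk DescriptorFile",
        "version=1",
        "CID=fffffffe",
        "parentCID=ffffffff",
        'createType="vmfs"',
        "",
        "# Extent description",
        f'RW {sectors} VMFS "{flat_name}"',
        "",
        "# The Disk Data Base",
        "#DDB",
        f'ddb.adapterType = "{adapter}"',
        f'ddb.geometry.cylinders = "{cylinders}"',
        f'ddb.geometry.heads = "{HEADS}"',
        f'ddb.geometry.sectors = "{SPT}"',
        f'ddb.virtualHWVersion = "{hw_version}"',
        "",
    ])


def plan_recovery(vm_dir: str) -> dict:
    """Map each descriptor file name to rebuilt text; nothing is written or deleted."""
    plan = {}
    for name in sorted(os.listdir(vm_dir)):
        if name.endswith(SUFFIX):
            size = os.path.getsize(os.path.join(vm_dir, name))
            plan[name[:-len(SUFFIX)] + ".vmdk"] = build_descriptor(name, size)
    return plan
```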


While CISA works to ensure that scripts like this one are safe and effective, this script is delivered without warranty, either implicit or explicit. Do not use this script without understanding how it may affect your system. CISA does not assume liability for damage caused by this script.

Script location:
