ESXiArgs Refurbished with new tactics after CISA releases Decryptor Tool

The U.S. CISA last week has released a decryptor for affected victims to recover from ESXiArgs ransomware attacks, but the threat actors have come back with an updated version that encrypts more data.

The emergence of the new variant was reported and had several changes, one in files larger than 128MB will have 50% of their data encrypted, making the recovery process more challenging. Another one is the removal of the Bitcoin address from the ransom note, with the attackers now urging victims to contact them on Tox to obtain the wallet information.

The threat actors realized that their payments are tracked, and they may have even known before they released the ransomware that the encryption process in the original variant was relatively easy to circumvent.

As per the crowdsourced platform, Ransomwhere reveals that as many as 1,252 servers have been infected by the new version of ESXiArgs as of February 9, 2023, of which 1,168 are reinfections. Over 3,800 unique hosts have been compromised. Most of the infections are in France, the U.S., Germany, Canada, the U.K., the Netherlands, Finland, Turkey, Poland, and Taiwan.

ESXiArgs is based on the Babuk locker, which had its source code leaked in September 2021. But it didn’t have an official data leak site, indicating that it’s not running on a ransomware-as-a-service model.

VMware has said that it has no evidence to suggest that a zero-day vulnerability in its software is being used to propagate the ransomware.

This shows that the threat actors behind the activity may be leveraging several known vulnerabilities in ESXi to their advantage, making it imperative that users move quickly to update to the latest version. The attacks have yet to be attributed to a known threat actor or group.