Attackers targeting unpatched VMware ESXi hypervisors to forcibly encrypt virtual machines have reportedly modified their ransomware to make it more difficult for victims to use free recovery tools to decrypt files.
The attack campaign has already used ransomware, dubbed ESXiArgs by VMware, to forcibly encrypt more than 2,800 hosts and an unknown number of virtual machines running across those hosts.
Security experts have detailed a number of defenses they recommend all ESXi users put in place, including immediately isolating servers that have not been patched against the OpenSLP heap overflow vulnerability being exploited, CVE-2021-21974, and blocking the IP addresses from which the attackers' scans have been originating.
But with a new wave of attacks first seen Wednesday, attackers wielding ESXiArgs appear to have modified the ransomware to complicate easy recovery by victims. The change was first reported by Bleeping Computer, which is offering dedicated support for victims via its forums.
Based on an assessment shared by ransomware hunter Michael Gillespie (@demonslay335), founder of the free ID Ransomware identification service, Bleeping Computer reports that rather than encrypting only very small parts of large files, as it did before, which facilitated their recovery, the ransomware has changed so that "all files over 128 MB will now have 50% of their data encrypted, making them likely unrecoverable."