The US Cybersecurity and Infrastructure Security Agency (CISA) has released a script to recover VMware ESXi servers encrypted by recent widespread ESXiArgs ransomware attacks.
Starting last Friday, exposed VMware ESXi servers were targeted in a widespread ESXiArgs ransomware attack.
Since then, attacks have encrypted 2,800 servers according to a list of bitcoin addresses collected by CISA Technical Advisor Jack Cable.
While many servers were encrypted, the campaign was largely unsuccessful: the encryptor failed to encrypt the -flat.vmdk files, which hold the actual virtual disk data.
This error allowed Enes Sonmez and Ahmet Aykac from YoreGroup's technical team to devise a method for rebuilding virtual machines from their unencrypted flat files.
This method has helped many people recover their servers, but the process has been complicated for some, with many people asking for help in our ESXiArgs Support Topic.
Script released to automate recovery
To help users recover their servers, CISA has released an ESXiArgs recovery script on GitHub that automates the recovery process.
“CISA is aware that some organizations have reported success in recovering files without paying a ransom. CISA has compiled this tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac,” explains CISA.
“This tool works by reconstructing virtual machine metadata from virtual disks that have not been encrypted by the malware.”
While the GitHub project page lists the steps needed to recover virtual machines, in summary the script clears the encrypted files out of a virtual machine's directory, then attempts to rebuild the virtual machine's .vmdk descriptor from its unencrypted flat file.
If that rebuild succeeds, you can re-register the virtual machine in VMware ESXi and access it again.
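The rebuild step, as an added example that is not CISA's ESXiArgs-Recover script or the YoreGroup tutorial: a POSIX shell script that writes a fresh descriptor (.vmdk) for a surviving -flat.vmdk and moves the encrypted descriptor into a quarantine directory rather than deleting it. The ".args" suffix is the one the campaign appended to encrypted files and is not mentioned above, so it sits in a variable; the descriptor field values (adapter type, geometry, hardware version) are conservative assumptions rather than values taken from the page, and the "web01" paths are constructed. On a real host the VM's .vmx must be intact or recreated separately before the vim-cmd registration shown in the demo output.

```shell
#!/bin/sh
# Added example, not CISA's recovery script. Rebuilds <vm>.vmdk next to a
# surviving <vm>-flat.vmdk. All names, paths and descriptor values below are
# illustrative assumptions; adjust them for the host you are recovering.

# Suffix the ransomware appended to the files it encrypted (assumption: .args).
ENC_SUFFIX=".args"

# VMDK extent sizes are expressed in 512-byte sectors.
sectors_for_flat() {
    echo $(( $(wc -c < "$1") / 512 ))
}

# Write a minimal "vmfs" descriptor pointing at an existing flat extent.
# $1 descriptor path, $2 flat-file basename, $3 size in sectors.
# ddb.* values are assumed defaults, not read from the original VM.
write_descriptor() {
    cat > "$1" <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $3 VMFS "$2"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$(( $3 / (255 * 63) ))"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "14"
EOF
}

# Move an encrypted sibling aside instead of deleting it, so a failed rebuild
# can be retried and the encrypted artefact is preserved for analysis.
quarantine_encrypted() {
    [ -e "$1$ENC_SUFFIX" ] || return 0
    mkdir -p "$(dirname "$1")/encrypted-quarantine"
    mv "$1$ENC_SUFFIX" "$(dirname "$1")/encrypted-quarantine/"
}

# Rebuild <vm>.vmdk for the given <vm>-flat.vmdk. Refuses to overwrite an
# existing descriptor. Prints the new descriptor path on success.
rebuild_vm_disk() {
    flat="$1"
    case "$flat" in
        *-flat.vmdk) ;;
        *) echo "not a flat file: $flat" >&2; return 1 ;;
    esac
    [ -f "$flat" ] || { echo "missing: $flat" >&2; return 1; }
    dir=$(dirname "$flat")
    base=$(basename "$flat" -flat.vmdk)
    descriptor="$dir/$base.vmdk"
    if [ -e "$descriptor" ]; then
        echo "descriptor already present, not touching: $descriptor" >&2
        return 1
    fi
    quarantine_encrypted "$descriptor"
    write_descriptor "$descriptor" "$base-flat.vmdk" "$(sectors_for_flat "$flat")"
    echo "$descriptor"
}

# Constructed demo: a 1 MiB zero-filled flat file stands in for a real disk,
# and an empty web01.vmdk.args stands in for the encrypted descriptor.
demo() {
    work=$(mktemp -d)
    dd if=/dev/zero of="$work/web01-flat.vmdk" bs=1024 count=1024 2>/dev/null
    : > "$work/web01.vmdk$ENC_SUFFIX"
    rebuild_vm_disk "$work/web01-flat.vmdk" || return 1
    grep '^RW ' "$work/web01.vmdk"
    echo "next step on ESXi: vim-cmd solo/registervm $work/web01.vmx"
}

if [ "${1:-}" = "--demo" ]; then
    demo
fi
```

Run it with `sh rebuild.sh --demo` to see the extent line it generates; on a host, call `rebuild_vm_disk /vmfs/volumes/<datastore>/<vm>/<vm>-flat.vmdk` per disk, check the descriptor, then register the VM with `vim-cmd solo/registervm`. The script deliberately never overwrites an existing descriptor and never deletes the encrypted file, so nothing it does is irreversible.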
CISA urges administrators to review the script before using it to understand how it works and avoid possible complications. While the script shouldn’t cause any problems, BleepingComputer strongly advises creating backups before attempting recovery.
“While CISA strives to ensure that scripts like this are safe and effective, this script comes without warranty, either expressed or implied,” warns CISA.
“Do not use this script without understanding how it may affect your system. CISA assumes no responsibility for damage caused by this script.”