Joint Cybersecurity Advisory – ESXiArgs Ransomware Virtual Machine Recovery Guidance

The Cybersecurity and Infrastructure Security Agency (CISA) and the FBI published a joint Cybersecurity Advisory (CSA) in response to the ongoing ransomware campaign known as “ESXiArgs.” This CSA provides guidance for network defenders on how to use the recovery script that CISA released as well as recommended mitigations. Members are encouraged to review the advisory, but be advised that recovery script as reported in WaterISAC’s update today, is believed the script may not likely fully restore encrypted files. CISA is tracking this development and will update all relevant resources as more information becomes available. That said, the joint advisory, AA23-039A includes more comprehensive guidance to assist organizations using impacted VMware ESXi servers to protect vulnerable systems and other actions to perform should they detect a compromise.

The advisory also provides more general recommendations all organizations should apply to prepare for, mitigate/prevent, and respond to ransomware incidents. See StopRansomware.gov for additional guidance on ransomware protection, detection, and response. To report suspicious or criminal activity related to information found in advisory, contact your local FBI field office, or the FBI’s 24/7 Cyber Watch (CyWatch) at (855) 292-3937, or by e-mail at Cy*****@*bi.gov. If you have any further questions, or to request incident response resources or technical assistance related to these threats, contact CISA at CI*************@******hs.gov. Access the full advisory at CISA.