ESXiArgs Ransomware: Guide to VM Recovery

I know many folks have heard of ESXiArgs as it makes the rounds among those that run VMware vSphere. This guide from the Cybersecurity and Infrastructure Security Agency should help those that are caught between a rock and a hard place. The advisory is also a good read for those who want to understand the challenges it can cause.

Cybersecurity Advisory from the Cybersecurity and Infrastructure Security Agency

ESXiArgs ransomware encrypts certain configuration files on ESXi servers, potentially rendering VMs unusable. Specifically, the ransomware encrypts configuration files associated with the VMs; it does not encrypt flat files. As a result, it is possible, in some cases, for victims to reconstruct the encrypted configuration files based on the unencrypted flat file. The recovery script documented below automates the process of recreating configuration files. The full list of file extensions encrypted by the malware is: vmdk, vmx, vmxf, vmsd, vmsn, vswp, vmss, nvram, vmem.
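The paragraph above is the whole basis of the recovery: the descriptor `.vmdk` is a small text file, the `-flat.vmdk` holding the disk contents is left alone, and a descriptor can be regenerated from the flat file's size. The script below is an added illustration of that principle, written for this page; it is not CISA's recovery script and it is not ESXi's own tooling. It assumes the usual layout of one directory per VM containing `<vm>.vmdk` and `<vm>-flat.vmdk`, 512-byte sectors, and a set of constructed `ddb.*` defaults (lsilogic adapter, 255/63 geometry, hardware version 14) that a practitioner would adjust to the original VM. It triages each VM directory as OK, RECOVERABLE (flat file present, descriptor damaged) or LOST, and rebuilds the descriptor for the recoverable case while keeping the damaged copy for forensics. Recreating the encrypted `.vmx` is a separate step and is not covered here.

```shell
#!/bin/sh
# Added example, not CISA's script: triage VM directories and rebuild a
# missing or damaged VMDK descriptor from the untouched -flat.vmdk.
# Assumptions: <vm>/<vm>.vmdk + <vm>-flat.vmdk layout, 512-byte sectors;
# the ddb.* values written below are constructed defaults.

SECTOR_BYTES=512

# A healthy descriptor is a text file whose first line is the magic header.
descriptor_intact() {
    [ -f "$1" ] && [ "$(head -n 1 "$1" 2>/dev/null)" = "# Disk DescriptorFile" ]
}

# Sector count of a flat extent, derived from its byte size.
flat_sectors() {
    bytes=$(wc -c < "$1" | tr -d ' ')
    echo $(( bytes / SECTOR_BYTES ))
}

# Write a fresh descriptor pointing at the existing flat file.
# Descriptors created by ESXi itself carry more ddb.* entries; this is minimal.
rebuild_descriptor() {
    vmdir=$1; name=$2
    flat="$vmdir/$name-flat.vmdk"
    desc="$vmdir/$name.vmdk"
    [ -f "$flat" ] || { echo "no flat file for $name" >&2; return 1; }
    sectors=$(flat_sectors "$flat")
    cylinders=$(( sectors / (255 * 63) ))
    [ "$cylinders" -gt 0 ] || cylinders=1
    # Preserve the damaged descriptor as evidence before overwriting it.
    if [ -f "$desc" ]; then cp "$desc" "$desc.encrypted-backup"; fi
    cat > "$desc" <<EOF
# Disk DescriptorFile
version=1
encoding="UTF-8"
CID=fffffffe
parentCID=ffffffff
createType="vmfs"

# Extent description
RW $sectors VMFS "$name-flat.vmdk"

# The Disk Data Base
#DDB

ddb.adapterType = "lsilogic"
ddb.geometry.cylinders = "$cylinders"
ddb.geometry.heads = "255"
ddb.geometry.sectors = "63"
ddb.virtualHWVersion = "14"
EOF
}

# Classify one VM directory: OK, RECOVERABLE (flat present, descriptor bad) or LOST.
triage_vm() {
    vmdir=$1; vmname=$(basename "$vmdir")
    if descriptor_intact "$vmdir/$vmname.vmdk"; then echo OK
    elif [ -f "$vmdir/$vmname-flat.vmdk" ]; then echo RECOVERABLE
    else echo LOST; fi
}

# Constructed sample: a 1 MiB flat file plus a descriptor overwritten with junk.
make_sample() {
    d=$(mktemp -d); mkdir "$d/web01"
    dd if=/dev/zero of="$d/web01/web01-flat.vmdk" bs=1024 count=1024 2>/dev/null
    printf 'NOT-A-DESCRIPTOR\n' > "$d/web01/web01.vmdk"
    echo "$d/web01"
}

# Demo run on the constructed sample.
vm=$(make_sample)
echo "before: $(triage_vm "$vm")"
rebuild_descriptor "$vm" web01
echo "after:  $(triage_vm "$vm")"
rm -rf "$(dirname "$vm")"
```

Run it against a datastore with `for d in /vmfs/volumes/<datastore>/*/; do echo "$d $(triage_vm "$d")"; done` to get an inventory before touching anything; rebuilding only the RECOVERABLE entries keeps the blast radius of the repair small, and the saved `.encrypted-backup` copies are what you hand to incident response.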