Ransomware solution for VMware ESX

Updated February 8, 2023.

CISA has released a data recovery script dubbed “ESXiArgs-Recover” in order to help users who have been affected by the massive worldwide ESXiArgs ransomware server attacks on VMWare’s vSphere: GitHub.

Hacker group used a method that we encountered for the first time. A super-intelligence who thinks they can only get paid by encrypting the config files instead of encrypting the VMDK disks where the data is kept. There is currently an encryption campaign targeting ESXi servers, which allows access to data on host systems (Service Location Protocol vulnerabilities). Many people reported that they were able to solve their problems with this method below.


As technology continues to evolve, so do the security risks associated with it. Recently, several critical vulnerabilities have been discovered in VMware ESXi, which is a popular virtualization platform widely used in enterprise environments. The vulnerabilities (SLP), designated as CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, can potentially lead to remote code execution (RCE) on affected systems.

They only encrypted the config files on the system and prevented the system from seeing the disks.

Here is the solution:

    1- Delete the encrypted config files.
    2- create an empty virtual machine.
    3- Open the config file on the new machine and put it in the directory of your encrypted machines.
    4- Replace the information in the config file with the encrypted machine names.
    5- Go to the VMware screen and “Register VM” and continue on your way.

Many people reported that they were able to solve their problems with this method, and we were pleased with it. However, it is also reflected in the latest reports that this virus has different variants.

ESXiArgs Ransomware group:

The ransomware deployed in the attack is now tracked as ESXiArgs ransomware and it encrypts files with the .vmxf, .vmx, .vmsd, and .nvram extensions. ESXiArgs ransomware group has infected hundreds of ESXi hosts across the globe with a CVE-2021-21974 spray-and-pray.

Nevada Ransomware has released an upgraded locker:

Resecurity has identified a new version of Nevada Ransomware which recently emerged on the Dark Web right before the start of 2023. The actors behind this new project have an affiliate platform first introduced on the RAMP underground community, which is known for initial access brokers (IABs) and other cybercriminal actors and ransomware groups.


Important Vulnerability in VMware ESXi: Blog Post
The core function of a SOC: Blog Post
Play ransomware infection routine: Blog Post
Identify a piece of malware with Yara: Blog Post
New Veeam v12 Platform Overview: Blog Post
OpenSSL patch (v3.0.7) for Vulnerability 2022: Blog Post
Building a SOC: Blog Post
List of vendors and software affected by the OpenSSL vulnerability: Blog Post
Critical OpenSSL Vulnerability version 3.0: Blog Post
Veeam v12 Linux Without SSH And SUDO: Blog PostHardened Repository in Veeam v12: Blog Post
Wasabi Object Storage Usage with Veeam B&R v12: Blog Post
VeeaMover in v12: Blog Post
Ransomware & Cybersecurity with Veeam v12: Blog Post
Why backup directly to Object Storage? Blog Post
Veeam B&R v12 New Features Overview: Blog Post
[REPLAY] Webinar Veeam v12 and Wasabi: Replay
Protect your data with Veeam and Wasabi: Blog post
Wasabi – Object Lock feature spotlight: Blog post
Veeam and the S3-compatible object storage solutions: Blog Post
[PODCAST] VeeamUser Group France #1: Record
Conti initiates their attacks on Backup: Blog Post
Backup with Trusted Repository Storage: Blog Post.
Protect your Backup against Ransomware: Blog Post

Please follow and like us:

Enjoy this blog? Please spread the word :)