ESXiArgs Ransomware Attack: A Tug-of-War Between Cybercriminals and Cybersecurity

The FBI and the Cybersecurity and Infrastructure Security Agency (CISA) have released a recovery script for organizations affected by a ransomware attack targeting VMware ESXi servers worldwide. The attacks, first made public on February 3rd by the French Computer Emergency Response Team (CERT-FR), are aimed at VMware’s ESXi bare-metal hypervisor and target instances running older versions of the software or those that have not been patched to current standards. The ransomware encrypts configuration files on vulnerable virtual machines, making them potentially unusable. The recovery script doesn’t delete the affected configuration files, but attempts to create new ones. However, a new version of the ransomware has been reported that makes earlier recovery procedures ineffective. CISA and the FBI recommend that affected organizations follow certain security procedures, including patching the machines to the latest standard and shutting down the Service Location Protocol service.

https://www.networkworld.com/article/3687610/vmware-esxi-server-ransomware-evolves-after-recovery-script-released.html

https://www.bleepingcomputer.com/news/security/new-esxiargs-ransomware-version-prevents-vmware-esxi-recovery/

https://www.zdnet.com/article/vmware-warns-of-esxiargs-ransomware-attacks-on-unpatched-esxi-hypervisors/


