ESXiArgs Ransomware Updates to Thwart Recovery Efforts
Category: Ransomware News | Industry: Global | Level: Strategic | Source: BleepingComputer
The ESXiArgs ransomware campaign, active since at least February 3rd, 2023, has received an update that is likely a response to the open-source tools released to reverse its damage. BleepingComputer reports a modified encryption routine, with the notable change being how the encryptor handles large files. Analysis of the original 'encrypt.sh' script shows that the encryption routine is chosen by file size, with 128 MB as the threshold. Files at or below 128 MB are encrypted in full. For larger files the script computes a 'size_step' and passes it to the encryptor, which alternates between encrypting 1 MB of the file and skipping 'size_step' MB, presumably to speed up encryption. Because 'size_step' grows with file size, a large enough file ends up with most of its contents untouched.
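To make the size-based routine concrete, the following is an added example (not code from the ransomware, from BleepingComputer, or from the recovery tools) that models the step computation and the chunk walk described above, and compares the original routine with the updated one. The step formula is inferred from the two figures quoted in the article (4.5 GB gives 45, 450 GB gives 4607); the chunk walk (encrypt 1 MB, skip 'size_step' MB, repeat to end of file) is an assumption about the 'encrypt' binary based on the article's description.

```python
"""Model of the ESXiArgs size-based chunked encryption.

Added example: the functions below reproduce the arithmetic the article
describes and report how much of a file each variant would overwrite.
Assumptions (not confirmed by the page): the step formula is inferred from
the quoted figures 4.5 GB -> 45 and 450 GB -> 4607, and the encryptor is
assumed to encrypt enc_size MB then skip size_step MB, repeating until the
end of the file.
"""

MB = 1024 * 1024
THRESHOLD_MB = 128  # files at or below this size are encrypted in full


def size_step_original(file_size_bytes: int) -> int:
    """Step of the original encrypt.sh for a file of the given size.

    Sizes are handled in whole MB with integer division, mirroring shell
    arithmetic. Returns 0 (no skipping) for files <= 128 MB. The '// 100 - 1'
    is inferred from the two figures quoted in the article.
    """
    size_mb = file_size_bytes // MB
    if size_mb > THRESHOLD_MB:
        return size_mb // 100 - 1
    return 0


def size_step_updated(file_size_bytes: int) -> int:
    """Step of the updated wave: encrypt 1 MB, skip 1 MB above 128 MB."""
    size_mb = file_size_bytes // MB
    return 1 if size_mb > THRESHOLD_MB else 0


def encrypted_ranges(file_size_bytes: int, size_step: int, enc_size_mb: int = 1):
    """Yield (start, end) byte ranges the encryptor would overwrite.

    Walk from offset 0: encrypt enc_size_mb MB, skip size_step MB, repeat
    until the end of the file. A trailing partial chunk is clipped to EOF.
    """
    chunk = enc_size_mb * MB
    stride = chunk + size_step * MB
    offset = 0
    while offset < file_size_bytes:
        yield offset, min(offset + chunk, file_size_bytes)
        offset += stride


def encrypted_fraction(file_size_bytes: int, size_step: int) -> float:
    """Fraction of the file's bytes that end up encrypted for a given step."""
    encrypted = sum(end - start for start, end in encrypted_ranges(file_size_bytes, size_step))
    return encrypted / file_size_bytes


def compare(file_size_bytes: int) -> dict:
    """Original vs updated routine for one file size (steps and fractions)."""
    old_step = size_step_original(file_size_bytes)
    new_step = size_step_updated(file_size_bytes)
    return {
        "size_mb": file_size_bytes // MB,
        "old_step": old_step,
        "old_fraction": encrypted_fraction(file_size_bytes, old_step),
        "new_step": new_step,
        "new_fraction": encrypted_fraction(file_size_bytes, new_step),
    }


if __name__ == "__main__":
    # Constructed sample sizes: a small config-sized file, the two sizes the
    # article uses, and one in between.
    for gb in (0.05, 4.5, 64, 450):
        row = compare(int(gb * 1024 ** 3))
        print(
            f"{row['size_mb']:>8} MB  original: step {row['old_step']:>5}, "
            f"{row['old_fraction']:7.2%} encrypted   updated: step {row['new_step']}, "
            f"{row['new_fraction']:7.2%} encrypted"
        )
```

Running the block shows why the first wave was recoverable: a 4.5 GB file has about 2.2% of its bytes overwritten and a 450 GB file about 0.02%, while the updated routine encrypts 50% of every file above 128 MB regardless of size. The 'encrypted_ranges' generator also gives the complement directly, which is the data a recovery approach based on the skipped regions depends on.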
BleepingComputer provided an example to demonstrate the issue: "a 4.5 GB file, would generate a size_step of '45,' causing the encryptor to alternate between encrypting 1 MB of the file and skipping 45 MB of the file. So, as you can see, quite a bit of data remains unencrypted by the time it's finished encrypting a file. For even larger files, like a 450GB file, the amount of skipped data rises dramatically, with the size_step becoming '4607,' now alternating between encrypting 1MB and skipping 4.49 GB of data." The new wave of ESXiArgs closes this gap: for files over 128 MB the encryptor now alternates between encrypting 1 MB and skipping 1 MB, so roughly 50% of every large file is encrypted, which defeats recovery approaches that relied on the skipped data. The initial access method is another open question. Early reports suspected vulnerabilities in the OpenSLP service, in particular the heap-overflow vulnerability CVE-2021-21974, but newer reports conflict with that assessment, as "some victims have stated that SLP was disabled on their devices and were still breached and encrypted." Finally, ransom notes left by ESXiArgs no longer contain a bitcoin wallet address, likely to make the operation harder for researchers to track.