New ESXiArgs encryption routine outmaneuvers recovery methods

In what seems to be a typical arms race where one side responds to counter the progress the other side has made, the ransomware group behind the massive attack on ESXi Virtual Machines (VMs) has come up with a new variant that can no longer be decrypted with the recovery script released by the Cybersecurity & Infrastructure Security Agency (CISA).

New encryption routine

Victims have reported a new variant of the encryptor that no longer leaves large chunks of data unencrypted. This makes recovery next to impossible. The recovery script released by CISA for organizations that have fallen victim to ESXiArgs ransomware reportedly no longer works for this new variant. CISA compiled the ESXiArgs-Recover tool based on publicly available resources, including a tutorial by Enes Sonmez and Ahmet Aykac. The decryption tool uses the large and therefore mostly non-encrypted flat files, where the virtual machine’s disk data is stored, to recover the VMs.

Where the old encryption routine skipped large chunks of data based on the size of the file, the new encryption routine only skips small (1MB) pieces and then encrypts the next 1MB. This ensures that all files larger than 128 MB are 50% encrypted. Files under 128MB are fully encrypted, which was also the case in the old variant.
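To triage an affected flat file before attempting recovery, the layout described above can be estimated by measuring entropy block by block. The following is an added example, not part of CISA's ESXiArgs-Recover script or of the original article; the function names, the 7.9 bits-per-byte threshold and the layout labels are assumptions chosen for illustration.

```python
import io
import math
import os
from collections import Counter

MIB = 1024 * 1024

def shannon_entropy(block: bytes) -> float:
    """Bits of entropy per byte; ciphertext approaches 8.0."""
    total = len(block)
    return -sum(n / total * math.log2(n / total) for n in Counter(block).values())

def encrypted_block_map(stream, block_size=MIB, threshold=7.9):
    """One bool per block: True when the block looks like ciphertext (assumed threshold)."""
    flags = []
    while block := stream.read(block_size):
        flags.append(shannon_entropy(block) >= threshold)
    return flags

def assess(flags):
    """Summarise the block map against the layouts the article describes."""
    if not flags:
        return {"encrypted_fraction": 0.0, "layout": "empty"}
    fraction = sum(flags) / len(flags)
    alternating = len(flags) > 1 and all(a != b for a, b in zip(flags, flags[1:]))
    if all(flags):
        layout = "fully-encrypted"    # article: files under 128 MB
    elif alternating:
        layout = "alternating-1MB"    # article: new variant, about 50% encrypted
    elif fraction < 0.5:
        layout = "mostly-plaintext"   # article: old variant left large chunks untouched
    else:
        layout = "mixed"
    return {"encrypted_fraction": fraction, "layout": layout}

def constructed_sample(pattern, block_size):
    """Constructed data: 'E' = random bytes standing in for ciphertext, 'P' = zero-filled plaintext."""
    return b"".join(os.urandom(block_size) if c == "E" else bytes(block_size) for c in pattern)

if __name__ == "__main__":
    size = 64 * 1024  # small blocks keep the demo fast; use the 1 MiB default on a real flat file
    for name, pattern in [("old-style", "EPPPPPPP"), ("new-style", "PEPEPEPE"), ("small file", "EEEE")]:
        data = constructed_sample(pattern, size)
        print(name, assess(encrypted_block_map(io.BytesIO(data), block_size=size)))
```

Guest data that is already compressed or encrypted also scores near 8 bits per byte, so treat the result as a triage hint and not as proof of which variant was used.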

Ransom note

Victims can tell the variants apart by looking at the ransom note. The new variant no longer mentions the Bitcoin address in the ransom note, but tells victims to contact the threat actor on TOX, an encrypted messaging service. It is likely that this change was triggered by the fear that payments could be tracked through the blockchain, which might eventually lead to the threat actor.

Attack vector

As we mentioned in our initial report about this attack wave:

“While all clues point to CVE-2021-21974, there are several critical vulnerabilities in VMware ESXi like CVE-2022-31696, CVE-2022-31697, CVE-2022-31698, and CVE-2022-31699, that can potentially lead to remote code execution (RCE) on affected systems.”

Some victims have stated that they had SLP disabled, which was a workaround suggested by VMware for the two-year-old vulnerability that is the prime, but not the only, suspect in this case.


According to CISA and the FBI, some 3800 servers have fallen victim to ESXiArgs globally.

So, either update ESXi, or probably even better, make your ESXi VMs inaccessible from the internet.

Many aspects of this attack remain unclear, and when new details become known we will keep you posted.
