Ransomware, Threat Management, Vulnerability Management

Updated ESXiArgs ransomware encryption hampers recovery

BleepingComputer reports that organizations' VMware ESXi servers are being hit by a second wave of ESXiArgs ransomware attacks that use an updated encryption routine designed to encrypt far more of each file. According to Michael Gillespie, the attackers modified the encrypt.sh script to remove its "size_step" calculation and hardcode size_step to 1, so the encryptor now alternates between encrypting 1 MB of data and skipping 1 MB. Because this leaves half of the data in files larger than 128 MB encrypted, the recovery technique that worked against the first wave, which relied on most of a large flat file being left untouched, no longer applies. The new attacks also omit the bitcoin address from the ransom note, which may be an attempt to make ransom payments harder to track. It remains unclear how the new ESXiArgs samples were able to compromise VMware ESXi servers on which SLP had already been disabled.
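The following is an added example, not code from the article or from the malware, that models the intermittent encryption pattern described above (encrypt a fixed chunk, skip size_step MB, repeat) and shows why the step change matters for recovery. It assumes a 1 MB encrypted chunk, and it reconstructs the original script's step selection from public analyses (no skipping for files of 128 MB or less, otherwise size_mb/100 - 1); that formula is not stated on this page and is an assumption here. The updated variant's hardcoded size_step = 1 is what the article reports.

```python
"""Model of ESXiArgs-style intermittent encryption (added example, not the
malware's code). It computes which byte ranges of a file would be encrypted
for a given (encrypt enc_mb, skip step_mb) pattern, the resulting encrypted
fraction, and whether a given region of the file is left intact."""

MB = 1024 * 1024


def encrypted_ranges(file_size, step_mb, enc_mb=1):
    """Return the (offset, length) byte ranges the encryptor would touch.

    step_mb == 0 is treated as "no skipping", i.e. the whole file is
    encrypted. That is how public analyses describe the original script's
    handling of small files (assumption, not stated in the article)."""
    if file_size <= 0:
        return []
    if step_mb <= 0:
        return [(0, file_size)]
    ranges = []
    offset = 0
    while offset < file_size:
        length = min(enc_mb * MB, file_size - offset)  # last chunk may be short
        ranges.append((offset, length))
        offset += length + step_mb * MB  # skip step_mb MB after each chunk
    return ranges


def encrypted_fraction(file_size, step_mb, enc_mb=1):
    """Fraction of the file's bytes that end up encrypted."""
    if file_size <= 0:
        return 0.0
    touched = sum(length for _, length in encrypted_ranges(file_size, step_mb, enc_mb))
    return touched / file_size


def original_size_step(size_mb):
    """Step chosen by the ORIGINAL encrypt.sh, as reconstructed from public
    analyses (assumption): 0 (no skipping) up to 128 MB, else size_mb/100 - 1."""
    if size_mb <= 128:
        return 0
    return max(0, size_mb // 100 - 1)


def updated_size_step(size_mb):
    """The updated variant hardcodes size_step = 1 (reported in the article)."""
    return 1


def is_intact(file_size, step_mb, start, length, enc_mb=1):
    """True if bytes [start, start+length) are untouched by the encryptor.
    Useful for triage: e.g. checking whether a region you need is recoverable."""
    end = start + length
    for off, ln in encrypted_ranges(file_size, step_mb, enc_mb):
        if off < end and start < off + ln:  # overlap test
            return False
    return True


def compare(size_mb):
    """Encrypted fraction of a size_mb-byte file under both variants."""
    size = size_mb * MB
    return {
        "original": encrypted_fraction(size, original_size_step(size_mb)),
        "updated": encrypted_fraction(size, updated_size_step(size_mb)),
    }


if __name__ == "__main__":
    # Constructed sizes: a small descriptor-sized file and large flat files.
    for size_mb in (64, 1024, 10 * 1024):
        r = compare(size_mb)
        print(f"{size_mb:6d} MB: original {r['original']:.3f}  updated {r['updated']:.3f}")
```

Running the block shows the practical effect: a 10 GB flat file lost only about 1 % of its bytes to the original encryptor, which is why rebuilding the VMDK from the largely intact flat file worked, whereas the updated step leaves exactly half of every large file encrypted. The `is_intact` helper lets you check a specific region (say, the range holding a partition table or a filesystem superblock) before deciding whether a partial salvage is worth attempting.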
