A new variant of ESXiArgs ransomware has infected more than 1,250 VMware servers, according to data compiled by Ransomwhere, an open-source ransomware payment tracker.
The original strain hit at least 3,800 targets and compromised at least 2,250 machines since the spree started spreading on Feb. 3.
The slightly tweaked version of the malware encrypts data more effectively and prevents data recovery, according to Brett Callow, threat analyst at Emsisoft.
The Cybersecurity and Infrastructure Security Agency and FBI published a joint advisory on Wednesday with guidance and a recovery script in response to the ongoing ransomware. On Thursday, the agencies said they were tracking new variants.
“We are aware of a new ESXiArgs ransomware variant that encrypts more data. We will update the advisory as new information becomes available,” CISA Director Jen Easterly said Thursday on Twitter.
A slight code change in ESXiArgs initiates a different encryption routine that renders the recovery script ineffective, Callow confirmed via email.
The new strain has reinfected more than 1,150 servers and represents more than 4 in 5 live infections, according to Censys and Shodan data compiled by Ransomwhere.
VMware hasn’t updated its guidance on the ransomware attacks since Monday, but a spokesperson confirmed there is still no evidence an unknown or zero-day vulnerability is being used to propagate the ransomware in the ESXiArgs attacks.