ESXiArgs Ransomware Recovery

Have you been affected by the recent wave of ESXiArgs ransomware attacks? If so, it may be an emergency, but don’t panic. We are here to provide you with the necessary support for recovery and removal. Go through our detailed ransomware recovery process or get a FREE quote now.

Don’t wait before it causes more damage to your network.

How do I know if ESXiArgs Ransomware has infected my system?

ESXiArgs ransomware is a Trojan that encrypts VMware ESXi server systems. After the attack, you are given instructions to pay a specific amount in ransom to decrypt your files.

ESXiArgs was first identified on 4th February 2023. The gang behind this virus is currently unknown, as this is a completely new type of ransomware. The initial attack had a weakness that was identified relatively quickly, and solutions were provided online.

On February 8th 2023 it was reported that the ransomware group had made adjustments to their code and that new attacks were now encrypting more files, rendering the previous decryption method ineffective.

Signs that ESXiArgs ransomware has infected your computer or network:

  • A ransom note informs you that your data has been encrypted and demands a ransom payment.
  • Filename extensions are changed to .args.
  • You receive a "How to Restore Your Files.html" or "ransom.html" file with a message on how to pay the ransom and recover your files.
  • Your CPU utilization peaks at 100%.
  • Your hard drives continue processing data in the background, making your system extremely sluggish.
  • You are barely able to open any application, including your antivirus software, which gets deactivated.

What should I do when my data has been encrypted by ESXiArgs Ransomware?

  1. Disconnect your systems right away and isolate any associated backup hard drives from the network to prevent the spread of the ransomware encryption. For more information, visit the Ransomware Information site.
  2. Do not attempt to contact the ransomware attackers to recover your files; it will only complicate the situation.
  3. Call in experts immediately to assess the damage and review possible recovery options and avoid costly consequential failures.

Keep calm! Contact us, we can help you!



Due to how new the ESXiArgs Ransomware is, there is currently very limited data on the ransom demands by the attackers. The cyber criminals use a TOX chat ID to communicate with victims.

The current average ESXiArgs ransom amount is somewhere around $22,000. But the cost isn’t limited to the ransom demand.

Victims are faced with unexpected costs in buying and transferring bitcoins, mostly the 10% exchange fees that apply to the quick-buy methods of PayPal and/or credit cards. They also face potential threats to have their personal and business information leaked or sold on the internet if demands are not met.

This information is currently extremely difficult to estimate due to the lack of data, as this is a very new ransomware type. However, we would estimate this to be in line with other similar ransomware.
Depending on your company size and how often you use IT systems in your daily business, this is the most expensive part of this incident. In addition to the unavailability of your IT systems, this damages your company's reputation.

You need to get your systems back up and hit the ground running as soon as possible. We’ll ensure minimum downtime once you let experts like BeforeCrypt manage your situation and recover your data.

There is a high chance of getting a working ESXiArgs decryptor after paying the attackers. This is because they use an automated process to accept payments and deliver the decryption tool. But there’s never a guarantee of getting a working decryption key at all.

Unpatched ESXi hypervisors. ESXiArgs ransomware is currently targeting unpatched systems running the versions below:

ESXi versions 7.x prior to ESXi70U1c-17325551
ESXi versions 6.7.x prior to ESXi670-202102401-SG
ESXi versions 6.5.x prior to ESXi650-202102101-SG

Name: ESXiArgs Ransomware
Danger level: Very High. Advanced Ransomware which makes system changes and encrypts files
Release date: February 04, 2023
OS affected: VMware ESXi
Appended file extensions: .args extension
Ransom note: "How to Restore Your Files.html" and "ransom.html"
Contact email address: Payment is accepted through TOX Chat ID
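The file indicators summarized above (the .args extension and the two ransom note names) can be checked across a directory tree, such as an isolated copy of a datastore, with a short read-only script. This is an added example, not BeforeCrypt's tooling; the folder and file names in the sample tree (vm-web01, web01.vmdk.args and so on) are constructed for illustration.

```python
import os
import tempfile

# Indicators as listed on this page.
ENCRYPTED_SUFFIX = ".args"
RANSOM_NOTE_NAMES = {"how to restore your files.html", "ransom.html"}


def scan_tree(root):
    """Return (hits, errors): per-directory indicator matches and unreadable paths."""
    hits, errors = {}, []
    walker = os.walk(root, onerror=lambda e: errors.append(e.filename), followlinks=False)
    for dirpath, _dirnames, filenames in walker:
        lowered = [(name, name.lower()) for name in filenames]
        args = sorted(n for n, low in lowered if low.endswith(ENCRYPTED_SUFFIX))
        notes = sorted(n for n, low in lowered if low in RANSOM_NOTE_NAMES)
        if args or notes:
            hits[dirpath] = {"args": args, "notes": notes}
    return hits, errors


def summarize(hits):
    """Collapse per-directory hits into counts for an incident ticket."""
    return {
        "directories_affected": len(hits),
        "args_files": sum(len(h["args"]) for h in hits.values()),
        "ransom_notes": sum(len(h["notes"]) for h in hits.values()),
        # A note without .args files (or the reverse) deserves a manual look.
        "partial": sorted(d for d, h in hits.items() if bool(h["args"]) != bool(h["notes"])),
    }


def build_sample_tree(base):
    """Create a constructed sample layout: two affected VM folders, one clean."""
    layout = {
        "vm-web01": ["web01.vmdk.args", "web01.vmx.args", "How to Restore Your Files.html"],
        "vm-db01": ["db01.vmdk.args"],  # encrypted files present, note missing
        "vm-clean": ["clean.vmdk", "clean.vmx", "args.txt"],  # no indicators
    }
    for folder, names in layout.items():
        os.makedirs(os.path.join(base, folder), exist_ok=True)
        for name in names:
            open(os.path.join(base, folder, name), "w").close()


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as sample:
        build_sample_tree(sample)
        found, unreadable = scan_tree(sample)
        print(summarize(found), "unreadable:", unreadable)
```

The scan only lists file names and never opens or modifies files, so it can be pointed at a mounted copy of the affected storage without changing evidence.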

ESXiArgs Ransomware Note #1: Text file

How to Restore Your Files

Security Alert!!!
We hacked your company successfully
All files have been stolen and encrypted by us
If you want to restore files or avoid file leaks, please send ******* bitcoins to the wallet ***********************************
If money is received, encryption key will be available on TOX_ID: *****************************************************************************

Send money within 3 days, otherwise we will expose some data and raise the price
Don’t try to decrypt important files, it may damage your files
Don’t trust who can decrypt, they are liars, no one can decrypt without key file
If you don’t send bitcoins, we will notify your customers of the data breach by email and text message
And sell your data to your opponents or criminals, data may be made release

SSH is turned on
Firewall is disabled

Almost always, there is a *.html file in every folder that has been encrypted. The text file usually has the name “How to Restore Your Files.html” or “ransom.html” and contains all the necessary information to contact the ESXiArgs Ransomware attackers to get your data back. It’s usually safe to open this file; just be sure the full file extension is *.html.

This is an average ESXiArgs ransomware note. Depending on the version, it may differ visually.

Need fast help with ESXiArgs ransomware recovery? Contact us now and get instant help from ransomware experts
