In 2024, one ransomware group surged to the forefront: RansomHub. Rapidly dominating the ransomware-as-a-service (RaaS) landscape, this formidable cybercriminal network successfully breached over 600 organizations worldwide, targeting sectors from healthcare and finance to critical infrastructure.
RansomHub: 2024’s Most Active Ransomware Group
Their meteoric rise wasn’t accidental: RansomHub capitalized on a perfect storm of factors that allowed them to outpace even the most notorious ransomware gangs. They first appeared in February 2024 and quickly achieved scale and notoriety by:
- Attracting seasoned affiliates from notorious groups like BlackCat/ALPHV and Knight (Cyclops).
- Leveraging publicly available exploits for known vulnerabilities, including Zerologon (CVE-2020-1472) and flaws in Citrix ADC and Fortinet SSL-VPN, to breach defenses with little effort.
- Employing sophisticated double-extortion tactics (encrypting systems while exfiltrating sensitive data), maximizing pressure on victims.
- “Big game hunting,” hitting over 200 victims in their first 7 months across critical sectors—Patelco, RiteAid, and Change Healthcare among the names.
But RansomHub didn’t stop at traditional endpoints. In 2024, they pivoted to something even more disruptive: virtual infrastructure. Their custom-built ESXi variant included several impactful capabilities:
- Written in C++ to distinguish it from their Go-based Windows/Linux variants
- Issued native ESXi commands (vim-cmd, esxcli) to forcibly shut down virtual machines and delete snapshots
- Disabled logging and key services to avoid detection and hinder recovery
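As an added, defender-side illustration (not code from the original post or from any vendor named here), the following Python reads constructed ESXi shell-log lines in the /var/log/shell.log layout and flags the three behaviours listed above: forced VM power-off via vim-cmd, snapshot deletion, and disabling of syslog or host services. The burst check for rapid mass power-offs from one shell session is an assumed heuristic, not something the post describes.

```python
import re
from datetime import datetime, timedelta

# Constructed ESXi /var/log/shell.log-style lines (not real telemetry); the
# "<timestamp> shell[pid]: [user]: <command>" layout follows the ESXi shell log.
SAMPLE_SHELL_LOG = """\
2024-06-01T02:10:03Z shell[2001]: [root]: vim-cmd vmsvc/getallvms
2024-06-01T02:10:09Z shell[2001]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2024-06-01T02:10:11Z shell[2001]: [root]: vim-cmd vmsvc/power.off 12
2024-06-01T02:10:12Z shell[2001]: [root]: vim-cmd vmsvc/power.off 13
2024-06-01T02:10:14Z shell[2001]: [root]: vim-cmd vmsvc/power.off 14
2024-06-01T02:10:20Z shell[2001]: [root]: esxcli system syslog config set --loghost=
2024-06-01T02:10:22Z shell[2001]: [root]: /etc/init.d/hostd stop
2024-06-01T09:30:00Z shell[3107]: [root]: esxcli system version get
"""

# Command patterns for forced shutdown, snapshot deletion, and logging/service tampering.
RULES = [
    ("vm_forced_poweroff", re.compile(r"vim-cmd\s+vmsvc/power\.off\b")),
    ("snapshot_deletion", re.compile(r"vim-cmd\s+vmsvc/snapshot\.remove(all)?\b")),
    ("syslog_tamper", re.compile(r"esxcli\s+system\s+syslog\s+config\s+set\b")),
    ("service_stop", re.compile(r"(/etc/init\.d/\S+|services\.sh)\s+stop\b")),
]
LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[(\w+)\]: (.*)$")

def detect(log_text, burst_n=3, window_s=60):
    """Return (alerts, bursts): alerts is one dict per matched line; bursts lists
    shell PIDs that issued >= burst_n power-offs within window_s seconds (assumed heuristic)."""
    alerts, poweroffs = [], {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not shell command records
        ts, pid, user, cmd = m.groups()
        for name, rx in RULES:
            if rx.search(cmd):
                alerts.append({"ts": ts, "pid": pid, "user": user, "rule": name, "cmd": cmd})
                if name == "vm_forced_poweroff":
                    poweroffs.setdefault(pid, []).append(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"))
    bursts = set()
    for pid, times in poweroffs.items():
        times.sort()
        for i in range(len(times) - burst_n + 1):
            if times[i + burst_n - 1] - times[i] <= timedelta(seconds=window_s):
                bursts.add(pid)  # rapid mass shutdown from a single shell session
                break
    return alerts, sorted(bursts)

if __name__ == "__main__":
    for a in detect(SAMPLE_SHELL_LOG)[0]:
        print(f"{a['ts']} pid={a['pid']} {a['rule']}: {a['cmd']}")
```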
RansomHub’s pivot to ESXi was part of a broader trend dating back to 2021, as ransomware groups increasingly targeted hypervisors like VMware ESXi to take down entire environments with a single strike. Yet even as a newcomer, RansomHub became 2024’s most active and impactful ransomware group.
RansomHub Disappears, DragonForce Rises: What This Means for ESXi Security
Then, in the spring of 2025, everything changed. On April 1, RansomHub’s infrastructure vanished without explanation. Domains went dark. No new payloads were observed.
But the silence didn’t last long. Weeks later, another ransomware group, DragonForce, claimed control. Known for its aggressive tactics and interest in ESXi attacks, DragonForce’s rise suggests that the infrastructure and talent behind RansomHub didn’t disappear… they simply reorganized.
DragonForce has reportedly been involved in several ESXi-specific incidents, including the high-profile Marks & Spencer ESXi attack. The group appears to be ushering in a new era of RaaS operations built on inherited infrastructure, cross-group recruitment, and decentralized branding.
How to Protect ESXi Hosts from Ransomware Threats
So what should defenders take away from all this? Groups like RansomHub and DragonForce signal a dangerous evolution in the RaaS model—one that is harder to attribute, faster to adapt, and built for impact.
At this stage, basic hardening isn’t enough. While patching and segmentation are still essential, today’s ransomware groups are specifically building tools for virtual infrastructure—often bypassing endpoint defenses entirely. Endpoint tools won’t catch it, and traditional defenses can’t see it.
That’s why protection has to move deeper into the stack.
ZeroLock® was built for this.
Here’s how organizations can defend against this class of hypervisor-level ransomware:
Stop malicious shutdowns and encryption at the hypervisor.
ZeroLock monitors and blocks unauthorized ESXi commands like vim-cmd and esxcli, preventing threat actors from bringing down workloads or deleting snapshots mid-attack.
Block ransomware before it touches virtual infrastructure.
With AI-detection trained on hypervisor-layer activity, ZeroLock catches and kills malicious processes in real time—before payloads can execute.
Prevent persistence and lateral movement across virtual networks.
ZeroLock enforces virtual segmentation and access control policies directly at the hypervisor, isolating compromised systems and stopping spread before it begins.
Ensure fast, reliable recovery.
ZeroLock includes automated file rollback, enabling instant restoration of virtual machines from known-good states, even if attackers try to encrypt or corrupt your backups.
Detect attacker behavior without relying on guest OS visibility.
With its unique position below the operating system, ZeroLock captures activity that other tools miss—like early-stage privilege escalation, TTP chaining, and snapshot tampering.
These aren’t “nice to haves”—they’re the frontline. Hypervisor-level ransomware isn’t hypothetical anymore, so protecting this layer is no longer optional.
Bottom Line: The RansomHub Legacy Lives On
RansomHub may be gone, but their tactics—and the affiliates who built them—are alive and well. Their focus on ESXi was strategic, and groups like DragonForce are picking up where they left off.
As ransomware operations become more decentralized and ephemeral, defenders must be equally agile. That means understanding how modern ransomware groups evolve, anticipating where they’ll strike next, and securing virtualized infrastructure before they become the next breach headline.