The rise of ransomware has reshaped the cybersecurity landscape, and a disturbing new trend is emerging: the targeting of VMware ESXi environments. As the core of countless organizations’ IT infrastructures, VMware ESXi has become a prime target for cybercriminals seeking maximum disruption with minimal effort. This is no coincidence—hypervisors like ESXi are critical to hosting and managing virtual machines (VMs), making them capable of amplifying operational chaos across entire enterprises.  

Ransomware groups are evolving their tactics to exploit ESXi vulnerabilities, bypass traditional defenses, and compromise virtualized environments, and this is a present and growing crisis that demands urgent attention. Cybercriminals are adapting faster than traditional defenses can keep up, and every moment spent without specialized hypervisor protection increases the risk of a catastrophic attack. Dedicated hypervisor security is not a luxury; it is an obligation to the integrity of a business. More importantly, waiting to act on protecting hypervisors is a risk that no organization can afford.


Timeline of ESXi Ransomware Families 

The targeting of ESXi environments began to emerge in 2021 with the introduction of ransomware families like Babuk and LockBit, which leveraged ESXi-specific encryptors to disrupt virtualized environments. Babuk’s encryptor, capable of scanning directories for files critical to VMs, marked a turning point in ransomware evolution. Its leaked source code quickly became a blueprint for other threat actors. 

By late 2021 and early 2022, other ransomware groups such as BlackCat (also known as ALPHV), Black Basta, HelloKitty, BlackMatter, DarkSide, REvil, and AvosLocker began developing their own ESXi-specific variants. These groups improved upon Babuk’s approach, driving incidents involving ESXi ransomware to triple between 2021 and 2022.

In 2023, the trend intensified. The Scattered Spider ransomware group demonstrated the devastating potential of hypervisor-targeting ransomware during the MGM Resorts attack, encrypting over 100 ESXi hypervisors and paralyzing operations—a disruption that cost the casino giant $100 million. Later that month, the DarkAngels group, frequently using Babuk’s source code, targeted Johnson Controls’ ESXi environment. By 2024, they set a record with a $75 million ransom payment.  

Existing ransomware groups evolved their tactics, and new groups emerged in 2024: Play, Cicada, RansomHub, Eldorado, and SEXi are among the ESXi ransomware families that appeared during this period. The high-value payoff of attacking virtualized environments has prompted a surge in sophisticated attacks over the years, and the convergence of new threat actors and the evolution of existing ones continue to make ESXi ransomware a pressing concern for organizations worldwide. Hypervisor ransomware groups are adapting at an alarming pace, and not nearly enough organizations have hypervisor protections in place to respond appropriately when an attack strikes.


Anatomy of an ESXi Ransomware Attack 

This growing focus on ESXi is not merely opportunistic but follows a calculated pattern. Ransomware groups have refined their methods, employing a consistent sequence of tactics to exploit hypervisor vulnerabilities and maximize their impact.  

A single mistake could paralyze operations. Each unpatched vulnerability or misconfigured server is a potential entry point, waiting to be leveraged by increasingly sophisticated attackers. ESXi ransomware attacks often begin with initial access gained through phishing campaigns, malicious downloads or advertisements, or vulnerabilities like CVE-2021-21974 in internet-exposed ESXi management interfaces. Attackers may also abuse built-in features like SSH tunneling to establish covert access to the hypervisor, bypassing detection. Often, a click on a malicious link or a misconfigured server is all it takes to open the door to further exploitation.

Once inside, attackers escalate privileges to gain administrative control and maintain persistence. A notable example of this is the 2024 “ESX Admins” attack (CVE-2024-37085), where attackers manipulated Active Directory to create a rogue “ESX Admins” group, granting themselves full administrative rights over domain-joined ESXi hypervisors. Centralized control points, such as Active Directory or the vCenter Server, represent key vulnerabilities attackers exploit to expand their reach. The vCenter Server, VMware’s administrative hub, manages critical operations such as resource allocation and policy enforcement via the privileged “vpxuser” account. While vital for orchestrating ESXi environments, this account also poses a significant risk if compromised. 

Attackers targeting vCenter can decrypt its encrypted password database using a locally stored key, granting them root-level access to every connected ESXi host. This enables attackers to reconfigure systems, deploy ransomware, and disable an entire virtualized environment from a single point. By exploiting these centralized nodes, attackers amplify their impact, spreading ransomware across an organization’s IT infrastructure with devastating speed. 

With administrative control established, attackers encrypt critical directories, rendering VMs inoperable. These attacks are often paired with deliberate strikes on backup systems, ensuring recovery efforts are hindered or impossible. Using their control over vCenter, attackers centralize destructive actions, eliminating backups and fail-safes. To increase pressure, attackers exfiltrate sensitive data and employ double-extortion tactics, threatening to release stolen data if the ransom is not paid. 

The consequences ripple beyond the virtualized environment as ransomware often propagates laterally, compromising non-virtualized systems. This escalation compounds the impact, leaving organizations struggling to contain the damage and restore operations. 
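The “ESX Admins” step of the chain described above leaves a clear footprint in Active Directory: a new security group whose name matches the one ESXi honors, followed by members being added to it. The following detector is an added example for defenders, not code from Vali Cyber or VMware; the event shapes and sample records are constructed for this example, and the Windows Security event IDs it keys on (4727/4731/4754 for group creation, 4728/4732/4756 for member additions) are standard domain-controller audit events, not something taken from this page.

```python
"""Flag Active Directory group events that match the CVE-2024-37085
"ESX Admins" pattern: creation of a group with that name, and any member
being added to it. Event records are constructed for this example."""
import re
from dataclasses import dataclass

# Normalize case and internal whitespace so "esx  admins" is caught too.
# (Matching conservatively is this example's choice, not a statement about
# how ESXi itself compares the name.)
ESX_ADMINS = re.compile(r"^esx\s*admins$", re.IGNORECASE)

# Windows Security log event IDs for security-enabled group lifecycle events.
GROUP_CREATED = {4727, 4731, 4754}   # global, local, universal group created
MEMBER_ADDED = {4728, 4732, 4756}    # member added to global, local, universal group


@dataclass
class AdEvent:
    event_id: int   # Windows Security event ID
    group: str      # group name from the event
    actor: str      # account that performed the action
    member: str = ""  # account added (member-add events only)


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    AdEvent(4727, "Finance-Readers", "svc_hr"),
    AdEvent(4727, "ESX Admins", "jdoe"),
    AdEvent(4728, "ESX Admins", "jdoe", member="jdoe"),
    AdEvent(4728, "Finance-Readers", "svc_hr", member="alice"),
    AdEvent(4731, "esx  admins", "backup_op"),
    AdEvent(4756, "Domain Users", "svc_hr", member="bob"),
]


def find_esx_admins_abuse(events):
    """Return (kind, group, actor, member) tuples for every event that creates
    or adds members to a group whose name matches 'ESX Admins'."""
    alerts = []
    for ev in events:
        if not ESX_ADMINS.match(ev.group.strip()):
            continue
        if ev.event_id in GROUP_CREATED:
            alerts.append(("group-created", ev.group, ev.actor, ""))
        elif ev.event_id in MEMBER_ADDED:
            alerts.append(("member-added", ev.group, ev.actor, ev.member))
    return alerts


if __name__ == "__main__":
    for alert in find_esx_admins_abuse(SAMPLE_EVENTS):
        print(alert)
```

In a real deployment the records would come from the domain controllers’ Security logs via your SIEM; the point is that the group name alone is a high-fidelity signal, since a legitimate “ESX Admins” group is rarely created outside a planned change.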


The Solution 

The rise of hypervisor-targeting ransomware has exposed a critical gap in cybersecurity: traditional tools often fall short in addressing the unique vulnerabilities of hypervisors like VMware ESXi. To combat these threats, organizations need a solution designed specifically for hypervisor protection. Key features of an effective defense include strict access controls, such as multi-factor authentication (MFA) for SSH and application allowlisting, to prevent unauthorized access and reduce exposure to attacks. 

Tamper-resistant configurations are equally important to guard against privilege escalation, ensuring that attackers cannot alter critical settings or deploy malicious payloads. Real-time detection and response capabilities, powered by AI behavioral analysis, allow organizations to monitor hypervisor activity and stop ransomware before it can encrypt data. In the event of an attack, automated rollback capabilities are crucial for restoring files quickly and minimizing downtime. 

Network segmentation and robust monitoring further enhance protection, preventing ransomware from spreading laterally across an organization’s IT infrastructure. Vali Cyber’s ZeroLock® incorporates all these essential features, delivering the only comprehensive solution for hypervisor ransomware protection and enabling organizations to safeguard their virtualized environments effectively. Without immediate investment in specialized protection, organizations risk falling prey to attackers who are growing bolder and more innovative by the day. 
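Several of the controls listed above (application allowlisting, tamper-resistant settings, limiting SSH exposure) map directly onto ESXi host settings that can be audited. The script below is an added example, not part of this page or of any vendor product. The setting names are real ESXi advanced-setting keys as I know them; the key=value dump format, the SSH service line, the expected values, and the two sample dumps are this example’s own assumptions.

```python
"""Audit an ESXi host-settings dump for the weak settings that the
hardening controls above are meant to remove. Dump format and sample
values are constructed for this example."""

# (key, expected value, why it matters) -- expectations are this example's assumptions.
CHECKS = [
    ("VMkernel.Boot.execInstalledOnly", "1",
     "only binaries from installed VIBs may run (application allowlisting)"),
    ("Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd", "false",
     "do not auto-grant admin rights to an AD 'ESX Admins' group (CVE-2024-37085)"),
    ("UserVars.SuppressShellWarning", "0",
     "keep the warning that ESXi Shell/SSH is enabled"),
    ("service.TSM-SSH.running", "false",
     "SSH should be off unless actively needed (constructed service line)"),
]

# Constructed dumps: a weak host and a hardened host.
WEAK_DUMP = """
# constructed sample, not real esxcli output
VMkernel.Boot.execInstalledOnly=0
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd=true
UserVars.SuppressShellWarning=1
service.TSM-SSH.running=true
"""

HARDENED_DUMP = """
VMkernel.Boot.execInstalledOnly=1
Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd=False
UserVars.SuppressShellWarning=0
service.TSM-SSH.running=false
"""


def parse_dump(text):
    """Parse key=value lines into a dict; values are lower-cased for comparison."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if not sep:
            continue  # ignore malformed lines rather than guessing
        settings[key.strip()] = value.strip().lower()
    return settings


def audit(settings):
    """Return (key, actual, why) for every check that fails or is missing."""
    findings = []
    for key, expected, why in CHECKS:
        actual = settings.get(key)
        if actual is None:
            findings.append((key, "missing", why))
        elif actual != expected.lower():
            findings.append((key, actual, why))
    return findings


if __name__ == "__main__":
    for key, actual, why in audit(parse_dump(WEAK_DUMP)):
        print(f"FAIL {key}={actual}: {why}")
```

Run periodically against each host, a diff of this audit’s output is also a cheap tamper signal: a setting that was compliant yesterday and is not today is exactly the change an intruder makes before deploying an encryptor.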


Final Thoughts 

The onslaught of ransomware targeting VMware ESXi represents a critical juncture in the battle against cybercrime. A hypervisor breach is more than an attack on technology; it is an assault on the foundation of a business. Virtualized environments power the applications, databases, and customer services that organizations rely on daily. When these systems collapse, the fallout is measured in financial losses, the erosion of trust, and a tarnished reputation.

The hypervisor ransomware threat is imminent, and the time to act is now—hesitation isn’t just risky, it’s an open invitation for disaster. For organizations utilizing virtual infrastructure, the question is no longer if hypervisor ransomware will strike, but when.  

Is your organization prepared?