
Ransomware Expands to VMware ESXi: Hypervisors Become a New High-Impact Target

Himani Verma Content Contributor

9 Dec 2025, 1:00 pm GMT

Hypervisors Are the New-ish Ransomware Target

Ransomware groups are increasingly targeting VMware ESXi hypervisors, turning them into high-impact entry points that allow mass VM encryption. Huntress reports a rise from 3% to 25% of ransomware incidents in 2025 driven by the Akira group. Organisations must harden access, segment management networks, apply strict runtime controls, patch ESXi, secure backups, and monitor hypervisor activity to reduce risk.

Ransomware groups are widening their operations by shifting attacks towards VMware ESXi and other hypervisors, a development that significantly amplifies the impact of a single intrusion. Hypervisors form the core of virtualised infrastructure. 

When compromised, they enable attackers to affect entire fleets of virtual machines from one control point. Security teams are now observing a pronounced increase in adversaries exploiting this layer, often bypassing traditional endpoint tools that have limited visibility into hypervisor environments.

Huntress, operating across SOC and threat-hunting environments, reports a sharp rise in hypervisor-related ransomware. Its 2025 case data shows that hypervisors accounted for only 3% of malicious encryption events in the first half of the year, rising to 25% in the second half, largely driven by the Akira ransomware group. This trend highlights the need to harden hypervisors with the same discipline applied to endpoints and servers.

A new theatre in ransomware campaigns

Adversaries are increasingly targeting the hypervisor layer to avoid strengthened endpoint and network controls. A Type 1 hypervisor runs directly on server hardware, while a Type 2 hypervisor is hosted on a standard operating system. Both models introduce specific risks when security segmentation fails or when monitoring is limited.

Attackers are applying tactics previously used against VPN appliances. As hypervisor host operating systems often operate with restricted access, organisations cannot easily deploy tools such as EDR. This creates blind spots where attackers can move without detection. 

Huntress reports multiple incidents in which operators run ransomware directly through the hypervisor, bypassing guest OS protections entirely. In some cases, adversaries use built-in utilities such as openssl to encrypt virtual machine volumes, avoiding the need to upload custom binaries.

Once inside a network, attackers commonly pivot to hypervisors through compromised credentials, particularly where management networks are not segmented. They also misuse Hyper-V management tools to alter VM settings, disable defences, interfere with virtual switches, and prepare environments for large-scale ransomware deployment.

This shift signals a broader pattern: attackers increasingly target the infrastructure layer that manages all hosts, amplifying the scale and speed of an intrusion.

Strengthening access controls and separating the management plane

Unrestricted or poorly controlled access to hypervisors remains one of the highest-impact weaknesses. Hypervisors managed with domain-joined accounts significantly increase lateral movement risk. If adversaries obtain administrative credentials, they can deploy ransomware that affects every virtual machine.

Key recommended practices include:

  • Use local ESXi accounts rather than general-purpose domain administrators. Dedicated, tightly scoped accounts limit exposure if domain credentials are compromised.
  • Enforce MFA across all hypervisor access points. This blocks attackers even if they obtain a username and password.
  • Store strong credentials in a secure password vault, not in shared documentation or uncontrolled systems.
  • Segregate the management network using dedicated VLANs or isolated segments. This restricts which endpoints can attempt connections.
  • Deploy a jump box or bastion host as a controlled access gateway, ensuring all administrative activity is logged and auditable.
  • Apply least-privilege access for administrators and service accounts, preventing broad actions with a single credential.
  • Restrict management access to authorised administrative devices with fixed IPs, reducing the attack surface.

Hardening the hypervisor runtime environment

Once an attacker reaches the hypervisor host, they can run code that bypasses traditional controls inside virtual machines. Organisations must ensure only trusted, signed components execute at the hypervisor level.

Huntress highlights the following protective measures:

  • Enable VMkernel.Boot.execInstalledOnly = TRUE to allow only signed VIB-installed binaries to run.
  • Disable unused services such as SSH and ESXi Shell and keep lockdown mode enabled whenever possible.

These measures restrict execution paths that adversaries often exploit during ransomware deployment.

Patching and reducing attack surface exposure

Although segmentation failures are frequently the root cause of compromise, unpatched vulnerabilities remain a major enabling factor. Attackers are actively scanning for ESXi hosts with exposed or outdated services.

One example is CVE-2024-37085, a vulnerability that allows adversaries with sufficient Active Directory permissions to bypass authentication and obtain full ESXi administrative control. When exploited, attackers can encrypt all virtual machines in seconds. The issue stems from the automatic granting of elevated privileges to the ESX Admins AD group, which adversaries can recreate.

Other exposed services, including Service Location Protocol (SLP, port 427), have been used in ransomware campaigns such as ESXiArgs.

Recommended actions include:

  • Maintain an inventory of all ESXi hosts and vCenter components with clear visibility of patch levels.
  • Prioritise vendor security updates, especially those related to hypervisor control functions.
  • Disable or restrict unnecessary network services and ensure none are exposed to the internet.
  • Remove direct internet access for hypervisor management, using VPNs or bastion hosts for administrative entry.

Backup, immutable storage, and recovery readiness

Due to the high-impact nature of hypervisor compromise, recovery capability is essential. Ransomware groups commonly encrypt VMDKs and other core host files; organisations lacking complete and isolated backups may face prolonged outages or ransom demands.

Key recommendations:

  • Adopt the 3-2-1 backup rule with a copy offsite or off-network.
  • Use immutable repositories or snapshots so data cannot be altered after creation.
  • Avoid connecting backup systems to Active Directory; instead, use non-domain-joined local accounts to prevent credential-based spread.
  • Ensure backups include full VM images and hypervisor state to support rapid recovery.
  • Conduct regular restoration tests, ensuring that operating systems boot correctly and credentials function as expected.
  • Run full recovery drills annually, checking offsite failover processes, networking and firewall readiness, and access for monitoring tools such as EDR, RMM, or VPN clients.

Monitoring the hypervisor layer and enforcing detection-in-depth

Because traditional endpoint tools lack visibility inside hypervisors, detection strategies must adapt. Attackers frequently perform precursor actions such as enabling SSH, modifying VIB acceptance levels, disabling lockdown mode, or creating new administrative accounts.

To address these gaps, organisations should:

  • Forward ESXi logs to a SIEM and create alerts for suspicious activities such as root logins or service changes.
  • Monitor for configuration drift including disabled lockdown mode or unexpected management services.
  • Review management-network traffic for unauthorised source IPs, lateral movement, or unusual datastore activity.
  • Apply a zero-trust approach, assuming credentials may already be exposed.

Track key ESXi log files, including:

  • /var/log/auth.log (authentication events)
  • /var/log/hostd.log (host agent activity)
  • /var/log/shell.log (shell commands)
  • /var/log/vobd.log (observer daemon)
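As an added illustration of the detection guidance above (not code from the article or from Huntress), the following script scans the three log files named here for the precursor actions the text lists: SSH being enabled, lockdown mode being disabled, acceptance level or execInstalledOnly changes, new local accounts, and root logins from outside a management allowlist. The log lines, the allowlist and the exact message wording are constructed approximations of ESXi output and should be tuned against real samples from the host.

```python
import re

# Constructed allowlist of administrative jump hosts (hypothetical values).
MGMT_ALLOWLIST = {"10.10.5.10", "10.10.5.11"}

# Precursor patterns keyed by log file. Wording approximates ESXi hostd/shell
# messages (constructed here); verify against the real format before deploying.
RULES = {
    "hostd": [
        (re.compile(r"(starting|enabling) service TSM-SSH", re.I), "SSH service enabled"),
        (re.compile(r"lockdown mode .*disabled", re.I), "lockdown mode disabled"),
        (re.compile(r"account \S+ was created", re.I), "local account created"),
    ],
    "shell": [
        (re.compile(r"esxcli software acceptance set", re.I), "VIB acceptance level changed"),
        (re.compile(r"execInstalledOnly -v FALSE", re.I), "execInstalledOnly disabled"),
        (re.compile(r"esxcli system account add", re.I), "local account created via shell"),
    ],
}
# sshd "Accepted <method> for <user> from <ip>" lines in auth.log
LOGIN = re.compile(r"Accepted \S+ for (?P<user>\S+) from (?P<ip>[\d.]+)")

def scan(logs):
    """logs: {"auth": [...], "hostd": [...], "shell": [...]} -> [(severity, file, detail)]."""
    alerts = []
    for line in logs.get("auth", []):
        m = LOGIN.search(line)
        if m and m.group("user") == "root":  # alert on every root login, rank by source
            inside = m.group("ip") in MGMT_ALLOWLIST
            detail = f"root login from {m.group('ip')}" + ("" if inside else " (outside management allowlist)")
            alerts.append(("medium" if inside else "high", "auth.log", detail))
    for name, rules in RULES.items():
        for line in logs.get(name, []):
            for pattern, desc in rules:
                if pattern.search(line):
                    alerts.append(("high", f"{name}.log", desc))
    return alerts

# Constructed sample lines: one benign admin login followed by a typical pre-encryption sequence.
SAMPLE = {
    "auth": ["2025-12-01T09:58:11Z sshd[2100011]: Accepted keyboard-interactive/pam for root from 10.10.5.10 port 50212 ssh2",
             "2025-12-01T10:14:02Z sshd[2100456]: Accepted keyboard-interactive/pam for root from 192.0.2.77 port 51522 ssh2"],
    "hostd": ["2025-12-01T10:14:30Z hostd[2098765]: [Originator@6876 sub=Hostsvc.ServiceSystem] Starting service TSM-SSH",
              "2025-12-01T10:15:01Z hostd[2098765]: Event 512 : Lockdown mode disabled on host esx01",
              "2025-12-01T10:15:40Z hostd[2098765]: Event 513 : Account backupsvc was created on host esx01"],
    "shell": ["2025-12-01T10:16:20Z shell[2100500]: [root]: esxcli software acceptance set --level=CommunitySupported",
              "2025-12-01T10:16:45Z shell[2100500]: [root]: esxcli system settings kernel set -s execInstalledOnly -v FALSE",
              "2025-12-01T10:17:02Z shell[2100500]: [root]: ls /vmfs/volumes"],
}

if __name__ == "__main__":
    for severity, source, detail in scan(SAMPLE):
        print(f"{severity:6} {source:10} {detail}")
```

In practice the same rules would run in the SIEM the logs are forwarded to, with the allowlist populated from the bastion hosts described in the access-control section.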

Huntress also notes the importance of a shared responsibility model when working with external SOC or MDR providers. External partners detect broad malicious activity, while internal teams provide the operational context required to distinguish maintenance tasks from abnormal behaviour. This model requires strict adherence to change-control processes so that all legitimate administrative actions are communicated to security teams.

A critical moment for hypervisor security

The rise of hypervisor-level ransomware demonstrates how attackers adapt as defenders secure traditional endpoints. With hypervisors acting as central control points for virtual environments, any compromise carries wide operational impact. The rapid increase from 3% to 25% in hypervisor-related ransomware cases underscores the need for immediate action.

Organisations that implement strong access controls, runtime hardening, network segmentation, comprehensive monitoring, and robust backup strategies significantly reduce the likelihood and impact of an ESXi-level breach. The shift in attacker focus makes hypervisor security a core priority for 2025 and beyond.
