Thought Leadership

VMware Hypervisor Has Increasingly Become the Target of Ransomware Attacks

VMware hypervisor

(August 17, 2021) The VMware hypervisor has increasingly become the target of ransomware attacks. Cybercrime organizations have created new versions of the Defray777, Darkside, and HelloKitty ransomware strains that specifically target the VMware hypervisor, which is called ESXi. Security experts say deploying ransomware on ESXi hosts allows the hackers to affect a greater number of systems within the victim’s IT environment.

There are several commonsense measures organizations can take to minimize the risk of such an attack. The important thing to realize is that all systems within an IT environment are potentially vulnerable and should be kept up-to-date and secure.

Virtualization Basics

Virtualization is a well-established means of streamlining the IT infrastructure and improving resource utilization. Before virtualization became prevalent, organizations typically deployed separate server hardware to run each application. Server virtualization allows organizations to gain efficiencies by running multiple virtual servers on a single piece of hardware.

A hypervisor is a program that allows multiple operating systems or multiple instances of the same operating system to share the same physical machine. As far as the operating system and application are concerned, each virtual machine (VM) is a distinct server.

VMware ESXi (also known as vSphere) is a Type 1 or “bare metal” hypervisor, which means that it runs directly on the server hardware rather than on top of a conventional operating system. The vCenter administration tool allows administrators to manage multiple ESXi devices from a single console.

Ransomware on ESXi

VMware ESXi is one of the most popular hypervisors, making it a natural target for hackers looking to maximize the impact of a ransomware attack. Once attackers get inside the ESXi environment, they can quickly affect multiple systems and place increased pressure on the victim to pay the ransom. Cybersecurity firm Crowdstrike calls it “hypervisor jackpotting.”

Although ESXi is not a Linux operating system, it is possible to execute Linux code within the hypervisor’s command shell. In the second half of 2020, cybercrime groups Sprite Spider and Carbon Spider deployed Linux versions of the Defray777 and Darkside ransomware strains, respectively. The HelloKitty ransomware strain also has a Linux variant.

Sprite Spider uses stolen credentials to gain access to vCenter, then opens a backdoor into the system. Carbon Spider uses phishing campaigns to spread the malware. Both Darkside and HelloKitty search the compromised server for files related to VMs to increase efficiency. All three ransomware strains shut down VMs and encrypt data directly on the virtualization platform rather than attempting to exploit the guest operating systems.

Protecting the Hypervisor

There are some tools built into ESXi that can help reduce the risk of a successful ransomware attack. One setting prohibits the execution of any code that was not installed properly through a VMware Installation Bundle (VIB), and another prevents installed applications from being tampered with. Additionally, many modern servers contain a trusted platform module (TPM), a special chip that stores encryption keys securely to protect the system during boot up.

Of course, organizations should keep their ESXi hosts and VMware tools up-to-date and patched and use strong unique passwords for privileged accounts. Network segmentation can further reduce unauthorized access and prevent attacks from spreading. Access to the vCenter management console should be tightly controlled and never exposed directly to the public internet. Regular VM backups that are immutable and isolated from the rest of the network help ensure data can be recovered should a successful attack occur.

Ransomware is one of the most serious cybersecurity threats organizations face today. As the threat landscape is continuously evolving, IT teams should be aware that hypervisors are increasingly at risk and take proactive steps to protect them.


Mainstream Technologies delivers a full range of technology services in Arkansas and the surrounding region including managed technology services and consulting custom software development and cybersecurity services. We also offer industry-leading data center services in our Little Rock facilities. Established in 1996, Mainstream has earned a reputation for delivering quality, reliable, and professional technology services for public and private-sector customers across the United States.

  • Industry

  • Category

  • Regulation

  • Solution