
Ransomware Exploits VMware ESXi Vulnerabilities

May 24, 2024 · 7 min read · Maverc Threat Research · Incident Response

Tags: Ransomware, Vulnerabilities, Identity Security, Email Security, Virtualization

Ransomware crews keep returning to VMware ESXi for the same reason: one compromised hypervisor encrypts every VM at once. Here's the pattern and the defenses.

Ransomware attacks targeting VMware ESXi infrastructure have exhibited a predictable yet alarming pattern, highlighting the vulnerabilities and misconfigurations inherent in virtualization platforms. Despite the variety of ransomware deployed — Akira, Black Basta, BlackCat, Royal — the sequence remains consistent, making ESXi a lucrative target for cybercriminals.

The Repeated Attack Pattern

1. Initial access via phishing, exposed RDP, or an edge appliance CVE.
2. Privilege escalation in the Windows estate, harvest of vCenter credentials.
3. Authentication to vCenter or direct SSH to ESXi hosts.
4. Disable or evict EDR (where any was present on the hypervisor).
5. Stop all running VMs, encrypt .vmdk files, drop ransom note.

Encrypting at the hypervisor layer means every VM is encrypted in one shot — and EDR running inside the guests never sees it.

Defenses That Work

  • Patch ESXi and vCenter on a defined cadence; subscribe to VMware advisories.
  • MFA on vCenter and on any account that can SSH to ESXi.
  • Disable SSH on ESXi by default; enable on demand only.
  • Network-isolate the management plane from user networks.
  • Backups stored immutably and offline; verify hypervisor-level restore quarterly.
  • Detect mass VM shutdown and unusual SSH sessions to ESXi as high-priority alerts.
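As an added illustration of the last bullet (example code written for this page, not from the original article or from Maverc), the following Python runs two detections over constructed log lines: an SSH login to an ESXi host from outside an assumed management subnet, and a burst of VM power-offs inside a short window. The simplified line format, the 10.0.100.0/24 subnet and the thresholds are assumptions; real hostd and auth log formats differ and the regexes would need to be adjusted to them.

```python
import re
from collections import deque
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed sample lines in a simplified syslog-like shape (not the exact
# ESXi hostd/auth log format); the parser below matches this shape only.
SAMPLE_LOGS = """\
2024-05-24T02:10:01Z esx01 auth: Accepted keyboard-interactive for root from 10.99.8.21 port 51022 ssh2
2024-05-24T02:10:40Z esx01 hostd: VM web-01: powered off by root
2024-05-24T02:10:41Z esx01 hostd: VM web-02: powered off by root
2024-05-24T02:10:42Z esx01 hostd: VM db-01: powered off by root
2024-05-24T02:10:43Z esx01 hostd: VM db-02: powered off by root
2024-05-24T02:10:44Z esx01 hostd: VM app-01: powered off by root
2024-05-24T09:00:00Z esx01 auth: Accepted publickey for root from 10.0.100.5 port 40312 ssh2
2024-05-24T09:30:00Z esx01 hostd: VM test-01: powered off by admin
"""

MGMT_NETS = [ip_network("10.0.100.0/24")]  # assumed management subnet
POWEROFF_THRESHOLD = 5                     # VMs stopped ...
POWEROFF_WINDOW = timedelta(minutes=2)     # ... within this window

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
SSH_RE = re.compile(r"Accepted \S+ for (\S+) from (\S+) port")
POFF_RE = re.compile(r"VM (\S+): powered off by (\S+)")

def analyze(log_text):
    """Return alert strings for the two ESXi-specific high-priority signals."""
    alerts, recent_poweroffs = [], deque()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        host, source, msg = m.group(2), m.group(3), m.group(4)
        ssh = SSH_RE.search(msg)
        if source == "auth" and ssh:
            user, src_ip = ssh.group(1), ip_address(ssh.group(2))
            if not any(src_ip in net for net in MGMT_NETS):
                alerts.append(f"{host}: SSH for {user} from non-management address {src_ip}")
        poff = POFF_RE.search(msg)
        if source == "hostd" and poff:
            recent_poweroffs.append(ts)
            # Drop power-offs that fell out of the sliding window.
            while ts - recent_poweroffs[0] > POWEROFF_WINDOW:
                recent_poweroffs.popleft()
            if len(recent_poweroffs) == POWEROFF_THRESHOLD:
                alerts.append(f"{host}: {POWEROFF_THRESHOLD} VMs powered off within {POWEROFF_WINDOW}")
    return alerts
```

Run against the sample, the single admin power-off at 09:30 and the SSH login from the management subnet produce nothing, while the 02:10 activity yields two alerts.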

The blast radius of an ESXi ransomware event is whatever fraction of your business runs on virtualization. For most organizations, that is everything.