Ransomware operators have figured out something that defenders have known for years: if you compromise the hypervisor, you own everything running on it. Throughout 2024, VMware ESXi has become the single most targeted infrastructure component in ransomware campaigns, with multiple threat groups developing specialized tools and techniques for ESXi environments.
The trend is not new. ESXi-targeting ransomware variants have existed since at least 2021 with the emergence of Babuk's ESXi locker. But 2024 has seen a dramatic escalation in both the sophistication of attacks and the number of groups involved.
The CVE-2024-37085 Campaign
In late July 2024, Microsoft Threat Intelligence published research on CVE-2024-37085, an Active Directory authentication bypass vulnerability in VMware ESXi that multiple ransomware groups were actively exploiting.
The vulnerability is deceptively simple. ESXi, when joined to an Active Directory domain, automatically grants full administrative access to any member of a domain group named "ESX Admins." If this group does not exist, any domain user with the ability to create groups (a common privilege) can create it, add themselves, and gain full ESXi admin access.
The exploit requires no ESXi vulnerability in the traditional sense. It is a design decision that becomes a critical security flaw in environments where:
- ESXi hosts are joined to Active Directory (common in enterprise deployments).
- The "ESX Admins" group does not already exist (or was deleted and recreated).
- An attacker has already compromised a domain account with group creation privileges.
Microsoft observed Storm-0506 (deploying Black Basta ransomware), Storm-1175 (deploying Medusa), Octo Tempest (deploying Akira), and Manatee Tempest (deploying various payloads) all exploiting this vulnerability in the wild.
Anatomy of an ESXi Ransomware Attack
A typical ESXi ransomware attack in 2024 follows a predictable pattern:
Initial Access: The attacker gains a foothold in the corporate network through phishing, exposed RDP, or exploitation of perimeter devices (VPNs, firewalls). In many cases, initial access is purchased from access brokers on criminal forums.
Active Directory Compromise: The attacker escalates privileges within AD, often using well-known tools like Mimikatz, Rubeus, or Impacket to extract credentials, Kerberoast service accounts, or exploit AD misconfigurations.
ESXi Access: Using compromised AD credentials, the attacker accesses the ESXi management interface. With CVE-2024-37085, this can be as simple as creating the "ESX Admins" group and assigning themselves membership. Alternatively, attackers use compromised vCenter credentials or exploit SSH access to ESXi hosts.
VM Encryption: The attacker deploys a ransomware binary compiled for Linux/ESXi. The binary enumerates all virtual machines on the host, shuts them down (to release file locks on VMDK files), and encrypts the virtual disk files. Some variants also delete VM snapshots and disable recovery options.
Impact Amplification: Because a single ESXi host typically runs 10-50 virtual machines, encrypting one hypervisor can take down dozens of production systems simultaneously. A vCenter compromise can cascade to every ESXi host in the cluster.
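The "VM Encryption" step above has a visible precursor: a single account powering off every VM on a host in quick succession. The following PowerCLI script is an added example for this post (not code from the article, Safeguard.sh, or any vendor) that looks for that burst pattern in vCenter's event history. It assumes the VMware.PowerCLI module and an existing Connect-VIServer session; the 30-minute window and the threshold of five power-offs are constructed starting points to tune for your environment.

```powershell
# Added example: flag bursts of VM power-off events per (account, ESXi host) pair.
# Assumes VMware.PowerCLI is installed and Connect-VIServer has already been run.
Import-Module VMware.PowerCLI

$lookback  = (Get-Date).AddMinutes(-30)   # constructed window
$threshold = 5                            # constructed: power-offs by one account on one host

# VmPoweredOffEvent covers both guest shutdowns and hard power-offs issued through the
# vSphere API; a ransomware binary shutting VMs down to release VMDK locks produces a run of them.
$powerOffs = Get-VIEvent -Start $lookback -MaxSamples 10000 |
    Where-Object { $_.GetType().Name -eq 'VmPoweredOffEvent' }

# Group by the principal and the host it acted on, then keep only the groups above threshold.
$bursts = $powerOffs |
    Group-Object -Property { "$($_.UserName)|$($_.Host.Name)" } |
    Where-Object { $_.Count -ge $threshold }

foreach ($b in $bursts) {
    $user, $esxHost = $b.Name -split '\|', 2
    $vms   = ($b.Group | ForEach-Object { $_.Vm.Name }) -join ', '
    $first = ($b.Group | Sort-Object CreatedTime | Select-Object -First 1).CreatedTime
    Write-Warning ("{0} VMs powered off on {1} by '{2}' since {3:u}: {4}" -f `
        $b.Count, $esxHost, $user, $first, $vms)
}

if (-not $bursts) {
    Write-Host "No power-off bursts above $threshold in the last 30 minutes."
}
```

Run it on a schedule from a management host and forward the warnings to your SIEM; a legitimate maintenance window will also trip it, so pair the alert with change records rather than suppressing it.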
Scale of the Problem
Broadcom (which acquired VMware in late 2023) and CISA have tracked a significant increase in ESXi-targeting attacks:
- Play ransomware developed a dedicated Linux/ESXi variant first observed in July 2024, indicating a shift from their previous Windows-only toolkit.
- Akira and Black Basta have had ESXi encryptors since 2023, and their usage intensified throughout 2024.
- SEXi/APT Inc. ransomware (yes, that is what they call themselves) was observed exclusively targeting ESXi environments starting in April 2024, using a modified version of the leaked Babuk ESXi encryptor.
- Qilin released an ESXi variant in June 2024 with features specifically designed for VMware environments, including automated snapshot deletion.
Mandiant reported that in H1 2024, approximately 30% of ransomware incidents they investigated involved ESXi encryption, up from roughly 15% in H1 2023.
Why ESXi Is Such an Attractive Target
Maximum impact, minimum effort: Encrypting one ESXi host can take down an organization's entire server infrastructure. Instead of deploying ransomware to hundreds of individual servers, the attacker only needs to compromise a handful of hypervisors.
Weak security posture: ESXi hosts are often treated as infrastructure rather than endpoints. Many organizations do not run EDR on ESXi, do not apply patches promptly, and do not monitor ESXi logs with the same rigor as Windows servers.
Limited recovery options: ESXi hosts often lack the backup and recovery infrastructure that exists for individual VMs. If the hypervisor is compromised, restoring from backup may require rebuilding the entire virtualization environment from scratch.
SSH access: ESXi's built-in SSH shell provides a convenient execution environment for Linux-based ransomware payloads. Many organizations leave SSH enabled for management convenience.
Mitigation Strategies
For CVE-2024-37085 specifically:
- Verify that the "ESX Admins" group exists in Active Directory (create it if it is missing) and that its membership is restricted to the intended administrators.
- If ESXi hosts are joined to AD, review which groups have administrative access and remove unnecessary privileges.
- Apply the VMware patches that change the default behavior so that the "ESX Admins" group is no longer trusted automatically.
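The Active Directory side of both the vulnerability description above and the first two mitigations can be checked in one script. The following is an added example for this post (not code from the article or from Safeguard.sh): it confirms the "ESX Admins" group exists and is protected, compares its recursive membership with an allow-list, and queries a domain controller's Security log for creation or membership changes to a group of that name. It assumes the RSAT ActiveDirectory module on a domain-joined admin host and read access to the DC's Security log; the allow-list, OU path and DC hostname are constructed placeholders.

```powershell
# Added example: audit the "ESX Admins" group and detect changes to it.
# Assumes RSAT ActiveDirectory module; names below are constructed placeholders.
Import-Module ActiveDirectory

$groupName        = 'ESX Admins'                        # default name trusted by AD-joined ESXi
$approvedMembers  = @('svc-esxi-admin', 'vsphere-ops')  # constructed allow-list
$domainController = 'dc01.corp.example'                 # constructed hostname

# 1. Existence: if the group is absent, anyone with group-creation rights can claim the name.
$group = Get-ADGroup -Filter "Name -eq '$groupName'" `
    -Properties whenCreated, whenChanged, ProtectedFromAccidentalDeletion

if (-not $group) {
    Write-Warning "'$groupName' does not exist; pre-create it with restricted membership, e.g.:"
    # New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security -Path 'OU=Tier0,DC=corp,DC=example'
    # Set-ADObject -Identity "CN=$groupName,OU=Tier0,DC=corp,DC=example" -ProtectedFromAccidentalDeletion $true
} else {
    Write-Host "Found $($group.DistinguishedName) (created $($group.whenCreated), changed $($group.whenChanged))"
    if (-not $group.ProtectedFromAccidentalDeletion) {
        Write-Warning "Group is not protected from deletion; a delete-and-recreate resets its membership."
    }

    # 2. Membership drift (recursive so nested groups are expanded).
    $members    = Get-ADGroupMember -Identity $group -Recursive |
                  Select-Object -ExpandProperty SamAccountName
    $unexpected = $members | Where-Object { $_ -notin $approvedMembers }
    if ($unexpected) { Write-Warning "Unexpected members of '$groupName': $($unexpected -join ', ')" }
    else             { Write-Host "Membership matches the approved list." }
}

# 3. Detection on the DC: 4727/4731/4754 = security group created (global/local/universal),
#    4728/4732/4756 = member added. TargetUserName carries the group name in all six events.
$xpath = "*[System[EventID=4727 or EventID=4731 or EventID=4754 or " +
         "EventID=4728 or EventID=4732 or EventID=4756] " +
         "and EventData[Data[@Name='TargetUserName']='$groupName']]"

Get-WinEvent -ComputerName $domainController -LogName Security -FilterXPath $xpath `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Summary = ($_.Message -split "`n")[0]
        }
    } | Format-Table -AutoSize
```

Any hit in step 3 for a group you did not create or change yourself deserves immediate follow-up, because on an unpatched AD-joined host the new member already holds ESXi admin rights at that point.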
For ESXi security generally:
- Disable SSH unless actively needed for maintenance. Use the ESXi lockdown mode to restrict management interfaces.
- Isolate management networks: ESXi management interfaces (vSphere Client, SSH, API) should be on a dedicated management VLAN, inaccessible from general corporate networks.
- Deploy ESXi-compatible monitoring: Solutions that can monitor ESXi host logs, file integrity, and process execution provide visibility that is otherwise absent.
- Patch ESXi hosts: VMware releases regular security updates. ESXi patching is often deprioritized because of the disruption involved (migrating VMs, rebooting hosts), but the cost of an unpatched ESXi host is orders of magnitude higher.
- Back up VM configurations separately: Ensure that VM configuration files, vCenter databases, and ESXi host configurations are backed up to storage that is not accessible from the ESXi environment itself.
- Use vTPM and VM Encryption: VMware's native VM encryption, tied to an external KMS, can prevent offline encryption of VMDK files even if the hypervisor is compromised.
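The host-side checks in this list (SSH and ESXi Shell state, lockdown mode, AD membership, and whether the CVE-2024-37085 fix is present and configured) can be collected across a cluster with PowerCLI. The following is an added example for this post, not code from the article, Safeguard.sh, or VMware. It assumes VMware.PowerCLI and a Connect-VIServer session to vCenter. The two Config.HostAgent.plugins.hostsvc.esxAdmins* advanced options are the settings Broadcom/VMware published alongside the CVE-2024-37085 fix; they are absent on unpatched builds, so the script treats their absence on an AD-joined host as a finding. The vCenter hostname is a constructed placeholder.

```powershell
# Added example: per-host ESXi hardening audit with optional remediation.
# Assumes VMware.PowerCLI; the vCenter name is a constructed placeholder.
Import-Module VMware.PowerCLI
Connect-VIServer -Server 'vcenter.corp.example' | Out-Null

$remediate = $false   # set to $true to apply the fixes flagged below

$report = foreach ($vmhost in Get-VMHost) {
    $auth     = Get-VMHostAuthentication -VMHost $vmhost
    $services = Get-VMHostService -VMHost $vmhost
    $ssh      = $services | Where-Object Key -eq 'TSM-SSH'   # SSH service
    $shell    = $services | Where-Object Key -eq 'TSM'       # ESXi Shell
    # Advanced options introduced with the CVE-2024-37085 fix (absent on unpatched builds).
    $autoAdd  = Get-AdvancedSetting -Entity $vmhost `
                    -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd' -ErrorAction SilentlyContinue
    $grpName  = Get-AdvancedSetting -Entity $vmhost `
                    -Name 'Config.HostAgent.plugins.hostsvc.esxAdminsGroup' -ErrorAction SilentlyContinue
    $lockdown = $vmhost.ExtensionData.Config.LockdownMode

    $findings = @()
    if ($auth.Domain -and -not $autoAdd) {
        $findings += 'AD-joined but esxAdminsGroupAutoAdd setting missing (unpatched build)'
    }
    if ($auth.Domain -and $autoAdd -and "$($autoAdd.Value)" -ne 'false') {
        $findings += 'esxAdminsGroupAutoAdd still true (group auto-trusted)'
    }
    if ($ssh.Running -or $ssh.Policy -eq 'on') { $findings += 'SSH running or set to start with host' }
    if ($shell.Running)                         { $findings += 'ESXi Shell running' }
    if ($lockdown -eq 'lockdownDisabled')       { $findings += 'lockdown mode disabled' }

    if ($remediate) {
        if ($autoAdd -and "$($autoAdd.Value)" -ne 'false') {
            Set-AdvancedSetting -AdvancedSetting $autoAdd -Value $false -Confirm:$false | Out-Null
        }
        if ($ssh.Running)          { Stop-VMHostService -HostService $ssh -Confirm:$false | Out-Null }
        if ($ssh.Policy -ne 'off') { Set-VMHostService  -HostService $ssh -Policy Off | Out-Null }
        if ($shell.Running)        { Stop-VMHostService -HostService $shell -Confirm:$false | Out-Null }
        # Lockdown mode is left to a change window: it also cuts direct host logins for operators.
    }

    [pscustomobject]@{
        Host       = $vmhost.Name
        Build      = "$($vmhost.Version)-$($vmhost.Build)"
        ADDomain   = if ($auth.Domain) { $auth.Domain } else { '(not joined)' }
        AdminGroup = if ($grpName) { $grpName.Value } else { 'ESX Admins (default)' }
        SSH        = "$($ssh.Running)/$($ssh.Policy)"
        Lockdown   = $lockdown
        Findings   = ($findings -join '; ')
    }
}

$report | Sort-Object Host | Format-Table -AutoSize
```

Keep the report output from each run; the Build column doubles as the inventory you need for the patching SLA discussed above, and a host whose Findings column goes from empty to populated between runs is a configuration change worth explaining.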
The Bigger Picture
The shift toward hypervisor-targeting ransomware reflects a broader trend in the threat landscape: attackers are moving up the stack. Rather than targeting individual applications or servers, they are targeting the infrastructure layers that underpin entire environments. Hypervisors today, cloud control planes tomorrow.
This trend requires a corresponding shift in defensive strategy. Infrastructure components like ESXi need the same security attention as the workloads running on them, if not more. The hypervisor is the most privileged layer in the stack, and a compromise at that level undermines every security control running within the virtual machines above it.
How Safeguard.sh Helps
Safeguard.sh provides visibility into your infrastructure software components, including hypervisors and their management tools.
- Infrastructure SBOM generation tracks VMware ESXi versions, vCenter versions, and associated components across your environment, ensuring you know exactly where vulnerable versions are deployed.
- Vulnerability correlation automatically maps published CVEs like CVE-2024-37085 to affected components in your infrastructure, providing immediate triage capability.
- Policy enforcement lets you define and enforce patching SLAs for infrastructure components, flagging ESXi hosts that fall behind on critical security updates.
- Supply chain visibility maps dependencies between your hypervisors, management platforms, and the workloads running on them, so you can assess the true blast radius of a hypervisor compromise.
When ransomware groups are specifically targeting your infrastructure layer, visibility into what you are running and where you are exposed is not optional.