January 27, 2023 HAWKEYE

Protecting VMWare ESXi Hypervisors from Ransomware

One of the top platforms in the virtualization sector is VMware. Organizations can more effectively use the computing power of their systems with the aid of virtualization software. VMware ESXi setups may be set up and managed in a fairly easy and uncomplicated manner.


VMware ESXi infrastructures can provide high performance, availability, and continuity of business services when they are running on the right hardware and set up correctly.

In 2021, around 40% of businesses reported having been the target of ransomware attacks. Since VMware is the most widely used virtualization product, ESXi hosts are unavoidably attractive targets for hackers. For businesses that depend on VMware environments to guarantee the availability of services, the full protection of VMware ESXi hosts is a crucial requirement. Ransomware is getting more complex every day, and hackers are coming up with new ways to sneak it into corporate systems.

The key point is that a VMware ESXi host is a single point of access to the whole collection of virtual machines that it supports. In the event that hackers take control of the host, this creates a single point of failure. Hackers are aware of this. Hackers may have to put up more effort to gain access to the host, but once they do, they will have full access to the host’s infrastructure, freeing them from the need to compromise each VM’s security independently. In this blog post, we’ll discuss some of the most common ransomware variants that can target VMWare ESXi environments and the steps organizations can take to protect themselves.

Few Ransomware Variants Targeting ESXi:

  • Hello Kitty Ransomware:
    One of the first multiplatform ransomware outbreaks to start focusing on ESXi was this one.
  • RansomExx:
    “RansomExx” is one of the most prevalent ransomware variants that target VMWare ESXi. This particular variety of ransomware is infamous for encrypting the data on virtual machines and demanding money to unlock it. Typically, phishing emails with malicious attachments or links are used to spread RansomExx.
  • GwisinLocker Ransomware:
    This intriguing ransomware virus, which targets South Korean businesses, has Windows, Linux, and obviously ESXi variants.
  • Megacortex Ransomware:
    “MegaCortex” is another variant that has impacted VMWare ESXi systems. This kind of ransomware is particularly harmful because it is known to encrypt both the hypervisors’ internal data and the data on VMs. The most common methods of spreading MegaCortex include phishing emails and brute-force RDP attacks.
  • REvil Ransomware:
    Another prevalent variation is “Sodinokibi,” commonly known as “REvil,” which uses a variety of methods to spread, including exploiting web server vulnerabilities and Remote Desktop Protocol (RDP) for lateral movement.
  • Black Basta Ransomware:
    Black Basta is a brand-new ransomware group that became one to watch in 2022 quite rapidly. Additionally, they are a ransomware group that targets victims by employing the widely used “double extortion” technique. Also, new Black Basta ransomware has been spotted that specifically targets VMware ESXi servers.

Protecting VMWare ESXi Hypervisors

  • The most crucial measure businesses can take to safeguard themselves against ransomware attacks on VMware ESXi environments is to develop a strong backup and disaster recovery plan. Your ability to swiftly roll back your virtual machines and hypervisors to a previous state in the event of a ransomware attack depends on how frequently you back them up. It’s crucial to routinely test your backups to make sure they can be successfully restored.
  • Next, make sure that your ESXi hypervisors and virtual machines are updated with the most recent security fixes. This can offer further protection against ransomware attacks and assist in addressing identified flaws.
  • To safeguard your virtual machines from ransomware, you should also think about adopting endpoint protection software. This kind of software is intended to find malware and stop it from running on a virtual machine. Additionally, it’s critical to employ firewalls to stop any potential ransomware-related incoming and outgoing network traffic.
  • Putting the least privilege principle into practice can also help shield your virtual machines (VMs) from ransomware attacks. Giving users the least amount of access essential to do their jobs is what this entails. As a result, it will be harder for an attacker to spread ransomware throughout your system and prevent unauthorized access to VMs.
  • Another excellent strategy for safeguarding your virtual machines against ransomware is network segmentation. It can help to contain the spread of an attack by separating certain components of your network.
  • You must train your staff in ransomware protection in order to safeguard VMware ESXi hosts. When performing their duties, employees of your firm need to be aware of potential dangers, the negative outcomes such threats may cause, and how to foresee and avoid those outcomes.
  • Last but not least, routine security audits can assist in locating any potential flaws in your ESXi hypervisors. You may take action to address vulnerabilities and lower your chance of a successful ransomware attack by quickly identifying them.


Securing VMWare ESXi environments from ransomware necessitates a multi-layered strategy that includes frequent backups, software upgrades, endpoint security software, firewalls, and least privilege access rules, as well as security assessments. Organizations may assist protect the availability and integrity of their VMs even in the face of a ransomware attack by being aware of the major ransomware variants that can target VMWare ESXi settings and putting best practices into place.

, , , ,


We welcome you to contact us for more information
about HAWKEYE - SOC As A Service.