A new ransomware strain is actively targeting VMware ESXi systems through a previously disclosed security flaw, according to a recent report. Attackers exploit unpatched servers running virtual machines, enabling them to encrypt large numbers of workloads swiftly. By focusing on the hypervisor rather than individual machines, criminals aim for maximum operational disruption.

Security researchers indicate that the threat actors gain root-level privileges via the ESXi service layer. Once inside, they halt running VMs to ensure effective encryption. This swift takeover has prompted experts to emphasise immediate patching of known ESXi vulnerabilities and the disabling of any unnecessary services. Organisations are also urged to maintain robust backup strategies, applying the principle of least privilege and two-factor authentication to reduce risk.

The report highlights that criminals are shifting from conventional endpoints to more strategic infrastructure targets such as hypervisors. By doing so, they can encrypt multiple virtual instances in one go, increasing pressure on victims to pay ransoms promptly.

Key Takeaways
Patch Promptly: Ensure your ESXi systems are fully updated against known vulnerabilities.
Limit Services: Disable unneeded services and protocols on hypervisors.
Strengthen Credentials: Use strict access controls and multi-factor authentication.
Backup Continuously: Frequent, secure backups are essential for minimising ransomware damage.
Monitor for Intrusions: Early detection is critical—monitor logs and network anomalies.
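As an added illustration of the last takeaway (example code written for this summary, not code from the report, from VMware, or from any vendor tool): a small detector that flags one account powering off several VMs within a short window, which is the pre-encryption behaviour the report describes. The log line format, the field names (`vm=`, `user=`), the event name `VmPoweredOff` and the sample lines are all constructed for this example and do not reproduce ESXi's real hostd.log or vCenter event format; in practice you would feed the function normalised events from your SIEM or the hypervisor's own event log.

```python
"""Burst detector for VM power-off events (added example, not from the article).

Assumed, constructed log format (NOT real ESXi syntax):
    <ISO-8601 timestamp> <event> vm=<name> user=<account>
"""
from collections import deque
from datetime import datetime, timedelta

# Constructed sample log: four VMs stopped within seconds by one account at
# 02:00, plus one routine power-off hours later by a different account.
SAMPLE_LOG = """\
2024-01-01T02:00:01Z VmPoweredOff vm=web01 user=root
2024-01-01T02:00:03Z VmPoweredOff vm=db01 user=root
2024-01-01T02:00:04Z VmPoweredOff vm=app01 user=root
2024-01-01T02:00:05Z VmPoweredOff vm=app02 user=root
2024-01-01T09:15:00Z VmPoweredOff vm=test01 user=admin
"""


def parse_line(line):
    """Split one constructed log line into (timestamp, event, {field: value})."""
    ts, event, *kv = line.split()
    fields = dict(p.split("=", 1) for p in kv)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event, fields


def detect_poweroff_bursts(log_text, threshold=3, window_seconds=60):
    """Return one alert per account that powers off >= threshold VMs within
    window_seconds. Each alert lists the VMs involved and the time the
    threshold was crossed; the window is then reset so a single burst does
    not produce an alert for every additional event."""
    alerts = []
    per_user = {}  # account -> deque of (timestamp, vm) inside the window
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, fields = parse_line(line)
        if event != "VmPoweredOff":
            continue  # only power-off events matter for this rule
        user = fields.get("user", "?")
        q = per_user.setdefault(user, deque())
        q.append((ts, fields.get("vm", "?")))
        # Drop events that have aged out of the sliding window.
        while q and ts - q[0][0] > timedelta(seconds=window_seconds):
            q.popleft()
        if len(q) >= threshold:
            alerts.append({
                "user": user,
                "count": len(q),
                "vms": [vm for _, vm in q],
                "end": ts.isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_poweroff_bursts(SAMPLE_LOG):
        print(f"ALERT: {alert['user']} stopped {alert['count']} VMs "
              f"({', '.join(alert['vms'])}) by {alert['end']}")
```

The threshold and window are deliberately parameters: a mass power-off by a single root session in a few seconds is the signal the report points at, whereas a scheduled maintenance window may legitimately stop many VMs over an hour, so tune both against your own change-control patterns before alerting on them.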