Protecting Against ESXi Ransomware Attacks – VMs in Danger 

Extortion is about leverage. The greater the leverage, the greater the propensity of the victim to open their coffers and pay the ransom. Initially, ransomware attacks focused on blocking access to an organization’s critical data by encrypting it. This simple yet effective model had a key weakness: a robust backup system could restore the encrypted files. This vulnerability led attackers to target victims’ backup systems in pre-emptive strikes, pushing companies to adopt new best practices for securing their backups. 

Ransomware Tactics Evolve 

And so, the chess game goes back and forth, as attacker and defender each jockey for position against one another. Ransomware organizations soon evolved their tactics by exfiltrating data before encrypting it, using the threat of public release as a secondary method of extortion should victims manage to restore their data. 

Recently, ransomware attackers have discovered yet another method to increase their leverage. They are targeting virtual server environments. Consider how reliant businesses are on virtual machines for hosting critical components like domain controllers, DNS, file storage, and applications. By compromising the virtual environment, attackers can cripple both systems and the data they contain in a single move, further intensifying the pressure on the affected organizations to comply with their demands. 

Understanding the Vulnerability of VMware Environments  

If your organization is like most today, the bulk of your servers are virtual.  There is probably a good chance those machines run on a VMware platform as more than 80% of virtualized workloads are run on VMware platforms according to the virtual Hypervisor giant. This means that ransomware attackers are going to seek out your VM environment to encrypt their data stores. If you have a VMware environment, they will aim to take out your vCenter server as well as the encompassing ESXi servers. If your VM environment is out of commission, your backup server is probably too. 

VMware Recovery is Complex 

Do you know what the root passwords of your ESX servers are? You will if your vCenter is no longer accessible, which is why ransomware gangs target it. Have you got all the IP settings and other VMware configuration settings documented? Do you have someone on staff with the skillset to restore your VMware environment from scratch if necessary? Many businesses rely on outside personnel for VMware expertise. Recovering a VMware environment involves more complexity than simply restoring file storage from backups. This complexity can significantly prolong the recovery timeline and escalate the associated costs. 

Addressing VMware Vulnerabilities 

In February 2023, the FBI issued an advisory revealing that approximately 3,800 VMware host servers worldwide had been compromised. The question then arises: how did cybercriminals manage to infiltrate so many of these servers? The answer lies in a common tactic used across servers, computers, operating systems, and IoT devices. They exploit known vulnerabilities, which is why security-driven patch prioritization is so critical. A significant portion of these attacks targeted two vulnerabilities: CVE-2021-21974 and CVE-2020-3992. Both allow for remote code execution, but CVE-2020-3992 is particularly critical as it potentially enables attackers to gain full control over the host server. 

Renowned ransomware groups are actively scanning for VMware ESXi hosts vulnerable to these exploits while some ransomware strains are specially developed for VMware environments. An instance of this is a Ransomware-as-a-Service (RaaS) variant called Nevada, which operates on a commission model that is distributed among affiliates. This underscores the fact that ransomware is a lucrative industry in the darker corners of the internet. 

How to Secure Your VMware Infrastructure 

With your virtual environment so vulnerable to active targeting by ransomware attackers, it is imperative to have a strategy to protect it against such attacks.

As CYREBRO’s DFIR team leader, Eden Naggel explains: “Organizations with on-prem virtualization services such as VMware ESXi should make sure access to the console is segregated from the network, allowing access only from specific hosts. This is done to prevent attackers from gaining easy access to the virtualization environment, which could result in the complete encryption of servers’ disks, without the need to gain a direct software foothold on them. 

And of course, I cannot stress enough how crucial it is to ensure firmware is up to date and is supported by complex passwords that are cycled often.” 

Some of the recommended steps in more detail include the following: 

  1. Updates and Patches  

Despite its simplicity, patching and updating continue to be overlooked in IT systems. Regularly patching known vulnerabilities drastically lowers the risk of attackers exploiting them as cybercriminals typically target systems with unpatched weaknesses, seeking the path of least resistance. Consistent updates not only close security gaps but also enhance your system with the latest features and improvements. Proactive patch management is essential in protecting your VMware environment against the continuously evolving methods of ransomware attackers. Of course, patch prioritization should be practiced for all.   

  1. Restrict Access to the Internet 

While insider attacks are a viable threat, the bulk of ransomware attacks are implemented from outside of the perimeter. A system that is accessible to the Internet makes it accessible to outside threat actors. Unless there’s a compelling reason otherwise, your virtual host servers should have limited Internet access that is only made available to server administrators for specific tasks like updating and patching. For virtual machines hosting web applications or other resources needed by internet users, it’s crucial to apply the principle of least privilege to ensure robust protection. This selective access approach minimizes potential entry points for cyber attackers. 

  1. Use Local Accounts, Strong Passwords and MFA 

Using Active Directory (AD) domain accounts for managing VMware host servers, while convenient, poses higher risks as these accounts are widely used and more prone to compromise. Best security practice calls for the use of local VMware accounts, which should be protected by passwords that are preferably 12 characters or more and follow strict complexity requirements. Of course, passwords alone should never be relied on. Augment password protection with multi-factor authentication (MFA), adding an additional security layer to safeguard against unauthorized access. 

  1. Complete 24/7 Monitoring 

Modern networks are complex and expansive, offering numerous hidden areas where threat actors and malware can lurk undetected. You need visibility into every facet of your business network, which is why 24/7 network monitoring is a crucial strategy in combating ransomware. It involves continuously scanning the network for suspicious activities, such as unusual data movements, possible backdoors, or repeated login attempts, which can indicate a ransomware attack in progress. With the cost of ransomware recovery so expensive, early detection is key. Continuous monitoring also helps in recognizing patterns that could signify a looming attack, allowing for preemptive action. Additionally, it ensures that security patches and updates are promptly applied, closing vulnerabilities that ransomware could exploit. This proactive surveillance creates a robust defense against the evolving tactics of ransomware attackers. Remember, even the most advanced security tools are only as effective as the monitoring system that alerts you to what’s happening within your network. 


Businesses prioritize productivity, and rightly so. Maintaining this productivity amidst numerous threats to network operations requires a robust cybersecurity strategy. This is especially pertinent to virtual server environments. Regardless of what technology stack you utilize, vulnerabilities inevitably exist and necessitate rigorous security best practices for protection. Among these practices, vigilant monitoring stands out as a critical component. It’s the most effective means to gain real-time insights into activities within your technology environment, ensuring that threats are identified and addressed promptly to safeguard operational continuity. 

Sign Up for Updates