Securing VMware vSphere: Hypervisor Ransomware Threats and Best Practices
VMware vSphere is the industry-leading virtualization platform, comprising a suite of components for creating and managing virtual infrastructure. At its core, ESXi is a Type-1 “bare-metal” hypervisor installed directly on server hardware. A collection of ESXi hosts is centrally managed by vCenter Server, which offers advanced orchestration (e.g. live VM migration, HA, and updates) from a single pane. Together, ESXi and vCenter under vSphere let organizations run multiple VMs on shared hardware, improving efficiency and scalability. Because vSphere hosts critical workloads across the enterprise, both components – the hypervisor and its management layer – must be secured as high-value infrastructure assets.
Why vSphere is a Ransomware Target
The vSphere platform has become a prime target for modern ransomware actors. Researchers note that ESXi servers “do not generally support EDR” (endpoint detection tools) by design. VMware even states that third-party antivirus agents are not required on ESXi, so host-based malware often goes unobserved. This lack of native security tooling – combined with ESXi’s ubiquity – makes the hypervisor “highly attractive” to attackers. Indeed, as early as 2022 Recorded Future reported a roughly three-fold jump in ESXi-targeting ransomware between 2021 and 2022, and Forescout similarly observed hypervisor attacks tripling in that period. CrowdStrike analysts warn that missing segmentation and monitoring on ESXi creates a “target-rich environment”. Sophos X-Ops further notes that “ESXi hosts themselves do not currently support natively run EDR”, and that this gap in protection “has not gone unnoticed by attackers” – many recent ransomware campaigns exploit exactly this weakness.
Multiple ransomware gangs have now weaponized vSphere for maximum impact. In a September 2023 attack on MGM Resorts, Scattered Spider (a social-engineering-focused group) worked with the BlackCat/ALPHV gang to encrypt over 100 ESXi hypervisors in the corporate network. In that case a crafted IT-helpdesk call gave the attackers domain admin rights, after which they deployed ransomware at the virtualization layer. More recently in April 2025, the UK retailer Marks & Spencer suffered a Scattered Spider/DragonForce breach; threat reports confirm the DragonForce encryptor was pushed to M&S’s ESXi hosts on April 24, taking down online ordering and in-store systems. Days later Co-op Group similarly cut off its own VPN and isolated systems when a likely related intrusion was detected. These incidents show that by compromising vCenter/ESXi, attackers can quickly halt critical services. (Notably, these cases involved hypervisor-targeting payloads: DragonForce and BlackCat were used directly against VMware ESXi hosts, a major escalation from traditional endpoint ransomware.)
Typical vSphere Attack Chain
Figure: Common ransomware attack chain targeting vSphere hypervisors (Mandiant visualization). Once inside, attackers can install malicious vSphere Installation Bundles (VIBs) to bridge the virtualization layer.
Modern hypervisor-targeted attacks often follow a kill-chain like this: after gaining initial access (often via stolen AD credentials or a compromised management VM), attackers breach the ESXi host and deploy malicious code inside the virtualization layer. For example, Mandiant documented attackers uploading trojanized VIB packages into ESXi, installing backdoors (VIRTUALPITA and VIRTUALPIE) that maintain persistent admin access to the hypervisor. These backdoors let the attacker send commands from a guest VM to the hypervisor and back, transfer files, or even jump between VMs on the same host. In effect, the hypervisor itself becomes an attacker-controlled conduit. The illustration above (adapted from Mandiant) highlights how a compromised ESXi host can silently relay commands and data across all VMs without detection by host agents. In practice, once the hypervisor is compromised, an attacker can swiftly encrypt or exfiltrate the entire virtual environment while evading most endpoint defenses.
Security Challenges in vSphere Environments
In general, vSphere environments suffer from visibility and segmentation gaps. By default ESXi has a minimal OS footprint (about 150MB) and lacks support for third-party AV/EDR tools. Even if auditing is enabled, many ESXi logs must be manually forwarded to external logging servers – a step often overlooked in smaller sites. Sophos emphasizes that without native EDR, defenders often “do[ ] not have a SIEM, nor the staffing to properly monitor and react to ESXi logs and alerts.” This “gap in protection has not gone unnoticed” – attackers have repeatedly exploited unmonitored hosts. Network-wise, vCenter and ESXi management interfaces are frequently exposed to internal networks without strict segmentation. As CrowdStrike notes, there is often a “lack of adequate network segmentation of ESXi interfaces”, so once attackers are in a corporate subnet they can reach the virtualization layer with little resistance. Even encryption keys and logs stored on shared datastores or vSphere components may be accessible. In short, hypervisors can be an island of limited visibility: no agent, infrequent checks, and broad trust. The photo above evokes this challenge – a defender in a data center may have little clue if a hostile implant is lurking on the other side of the glass.
Ransomware Trends and Data
Figure: Example dashboards and charts of ransomware trends. Analysis shows a clear surge in attacks on ESXi hosts in recent years.
The numbers tell a stark story. As noted, Recorded Future’s Insikt Group saw roughly a 3× year-on-year increase in ESXi ransomware in 2022, and Forescout reports a similar “tripling” of ESXi-targeted incidents from 2021 to 2022. The global ESXiArgs campaign (early 2023) alone hit on the order of 3,500–3,800 servers within weeks. The chart above (and others like it) illustrates these rapid increases: ransomware operators have shifted a significant portion of their campaigns toward virtualization platforms. This trend parallels the broader move from pure data encryption to “big-game hunting”: encrypting hundreds of VMs at once can halt an entire data center and coerce a much larger ransom. The data underscores that attacks on vSphere are no longer rare anomalies but a growing standard tactic for modern ransomware groups.
Security Recommendations for vSphere
To defend vSphere against these threats, organizations should apply rigorous hardening and monitoring:
- Patch and update promptly. Ensure all ESXi hosts and vCenter servers run supported versions and are fully patched. The ESXiArgs cases made clear that out-of-date hypervisors (some missing patches that were years old) were actively exploited. Subscribe to VMware security advisories and apply critical fixes rapidly to prevent exploitation of known vulnerabilities.
- Harden ESXi configuration. Use VMware’s lockdown mode and disable unused services (e.g. SSH, ESXi Shell) when not needed. For example, Sophos recommends enabling normal lockdown mode on each host to prevent direct root login. Require strong password policies and account lockouts on vCenter (and ESXi) so that brute-forced or leaked credentials can’t be reused. Where possible, enable Secure Boot on ESXi so that only signed modules load at boot.
- Isolate and segment hypervisor management. Keep vCenter and ESXi management networks on dedicated VLANs or air-gapped switches. Do not mix production VM traffic with management interfaces. Use firewalls and VPN/jump hosts to restrict who can reach vCenter/ESXi consoles. PCI DSS guidance explicitly requires that virtualization hosts be segmented as strictly as physical hosts (out-of-scope workloads must not touch in-scope workloads). In practice, this means placing ESXi hosts in a secure management zone accessible only by the virtualization admins.
- Deploy EDR on guest VMs and the management layer, and use virtualization-aware tooling. Since ESXi itself won’t run agents, focus on securing the adjacent layers. Install endpoint agents (AV/EDR) on all guest VMs and on the vCenter server host/VM. Use tools that can monitor vSphere events (e.g. VMware’s syslog, audit logs, or APIs). Some vendors now offer solutions or SIEM rules specifically for ESXi monitoring. For example, CrowdStrike’s platform can ingest certain hypervisor events, and VMware Carbon Black can protect VMs at the hypervisor level. In short, assume the hypervisor is unprotected and rely on network and management-layer monitoring to catch anomalies.
- Restrict and monitor administrator access. Only a few trusted admins should have rights to vCenter/ESXi – enforce MFA and use unique service accounts (not domain user accounts). Avoid using domain-joined ESXi hosts if possible (Sophos even suggests considering keeping them out of the AD domain to limit exposure). Audit all privileged actions; send ESXi auth.log and shell.log to a central SIEM so unauthorized logins or VIB installs generate alerts.
- Backup and disaster readiness. Maintain offline backups of critical VMs and ESXi configurations. Regularly test snapshot and backup restores. Because some ransomware (like DragonForce) will attempt to delete backups, store copies on disconnected media. Have documented recovery plans to quickly rebuild hosts from scratch if needed.
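The monitoring recommendation above (forwarding ESXi auth.log and shell.log to a SIEM so that unauthorized logins and VIB installs raise alerts) and the VIB-backdoor attack chain described earlier can be illustrated with a small detection script. The code below is an added example, not VMware's, Sophos's or any vendor's own tooling. It assumes a management subnet of 10.10.5.0/24 and a handful of constructed log lines whose format approximates ESXi's sshd and shell audit logging; the `esxcli` subcommands and flags matched are real, but the sample events and the subnet are invented for the demonstration.

```python
"""Flag suspicious administrative activity in forwarded ESXi logs.

Added example: detection logic a SIEM rule might implement for ESXi
auth.log (sshd) and shell.log (ESXi Shell command audit) events.
"""
import ipaddress
import re
from collections import Counter
from dataclasses import dataclass

# Assumption: the only network that should reach the ESXi management interface.
MGMT_NETS = [ipaddress.ip_network("10.10.5.0/24")]
FAILED_LOGIN_THRESHOLD = 3

# Line shapes approximating ESXi log output (constructed, not captured).
SSH_ACCEPT = re.compile(r"sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<ip>\S+) port")
SSH_FAIL = re.compile(r"sshd\[\d+\]: Failed \S+ for (?:invalid user )?(?P<user>\S+) from (?P<ip>\S+) port")
SHELL_CMD = re.compile(r"shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$")
FORCE_FLAG = re.compile(r"(?:^|\s)(?:-f|--force|--no-sig-check)(?:\s|$)")

# Constructed sample events: a normal admin session from the management VLAN,
# then a session from an unexpected subnet that lowers the acceptance level,
# installs an unsigned VIB, blanks the syslog target and retries a password.
SAMPLE_LOGS = [
    "2025-04-24T01:12:03Z sshd[2049]: Accepted keyboard-interactive/pam for root from 10.10.5.21 port 50112 ssh2",
    "2025-04-24T01:12:09Z shell[2061]: [root]: esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut",
    "2025-04-24T02:40:44Z sshd[2311]: Accepted password for root from 192.168.77.9 port 41022 ssh2",
    "2025-04-24T02:41:02Z shell[2320]: [root]: esxcli software acceptance set --level=CommunitySupported",
    "2025-04-24T02:41:30Z shell[2320]: [root]: esxcli software vib install -v /tmp/vmtools-update.vib --no-sig-check",
    "2025-04-24T02:42:10Z shell[2320]: [root]: vim-cmd vmsvc/getallvms",
    "2025-04-24T02:43:55Z shell[2320]: [root]: esxcli system syslog config set --loghost=",
    "2025-04-24T02:44:12Z sshd[2330]: Failed password for root from 192.168.77.9 port 41100 ssh2",
    "2025-04-24T02:44:15Z sshd[2331]: Failed password for root from 192.168.77.9 port 41101 ssh2",
    "2025-04-24T02:44:19Z sshd[2332]: Failed password for root from 192.168.77.9 port 41102 ssh2",
]


@dataclass
class Finding:
    severity: str
    rule: str
    evidence: str


def classify_shell_command(cmd):
    """Return (severity, rule) for a shell command worth alerting on, else None."""
    c = cmd.strip()
    if c.startswith("esxcli software vib ") and (" install" in c or " update" in c):
        if FORCE_FLAG.search(c):
            return ("critical", "forced or unsigned VIB install")
        return ("high", "VIB install/update")
    if c.startswith("esxcli software acceptance set"):
        return ("high", "host acceptance level changed")
    if c.startswith("esxcli system syslog config set") and "--loghost" in c:
        return ("medium", "syslog forwarding changed")
    return None


def analyze(lines, mgmt_nets=MGMT_NETS, fail_threshold=FAILED_LOGIN_THRESHOLD):
    """Walk log lines once and return the list of findings."""
    findings = []
    failures = Counter()
    for line in lines:
        m = SSH_ACCEPT.search(line)
        if m:
            ip = ipaddress.ip_address(m["ip"])
            if not any(ip in net for net in mgmt_nets):
                findings.append(Finding("high", "SSH login from outside management network", line))
            continue
        m = SSH_FAIL.search(line)
        if m:
            failures[m["ip"]] += 1
            continue
        m = SHELL_CMD.search(line)
        if m:
            hit = classify_shell_command(m["cmd"])
            if hit:
                findings.append(Finding(hit[0], hit[1], line))
    for ip, n in failures.items():
        if n >= fail_threshold:
            findings.append(Finding("medium", "repeated failed SSH logins", f"{n} failures from {ip}"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOGS):
        print(f"[{f.severity.upper():8}] {f.rule}: {f.evidence}")
```

Lockdown mode and disabled SSH (the hardening steps above) make these events rarer, which is exactly why the remaining ones deserve a high-priority alert; a VIB install with `--no-sig-check` or a lowered acceptance level during the same session as a login from an unexpected subnet is the pattern Mandiant described, and it is visible only if the logs leave the host.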
These steps – updating, segmentation, lockdown, monitoring – are the core of VMware’s own hardening guides and industry best practices. As Sophos emphasizes, many of these are non-technical policy changes (patch cadence, access controls, review logs) that pay huge security dividends. Regular cybersecurity maturity assessments can help validate that these controls are correctly implemented and adapted over time.
Compliance Implications
Misconfiguring virtualization can also violate security standards. For PCI DSS, virtualized components count in scope the same as physical: the PCI Virtualization Guidelines specify that “out-of-scope workloads or components cannot be used to access an in-scope component” and that segmentation must apply to the hypervisor and host level. In other words, failing to isolate ESXi and vCenter from sensitive networks would break PCI network segmentation requirements. Likewise, ISO/IEC 27001 expects organizations to include hypervisors in their asset inventory and apply relevant controls (e.g. Annex A.9 access controls and A.12 operational controls) to them. A penetration into vSphere due to weak segmentation, outdated software, or poor logging could thus lead to major compliance failures.
In contrast, proactively hardening vSphere helps satisfy multiple compliance goals: it reduces breach risk (A.5), enforces access restrictions (A.9), and ensures secure system configurations (A.12). Demonstrating that virtual hosts are patched, logged, and under controlled management will earn brownie points in any audit or maturity assessment. Conversely, any ransomware hit on virtual infrastructure – like those at MGM or M&S – will trigger intensive compliance fallout (breach reporting, regulatory fines, audit failures).
Conclusion: The Case for Proactive Hardening
Virtualization underpins most modern data centers, so its security is non-negotiable. Ransomware actors know this and will keep hunting hypervisors for easy wins. By understanding the attack chains (Figure above) and recognizing the specific gaps in ESXi/vCenter security, organizations can proactively lock down vSphere before disaster strikes. Hardening ESXi, segmenting vCenter, and monitoring for anomalies are investments that pay off by blocking today’s threats and preparing for tomorrow’s. In practice, conducting regular security maturity assessments – specifically including virtualization controls – ensures that no critical holes go unnoticed. The recent spate of DragonForce and BlackCat hits shows the cost of neglect; the right vigilance, tools, and processes can make those headlines your wins instead of your crisis.
Sources: VMware and industry advisories, threat intelligence reports, and news on recent incidents.