The wide deployment of VMware's ESXi hypervisor, combined with its lack of support for third-party malware detection agents, has made it an attractive target for ransomware operators. One example is 'MichaelKors,' a new ransomware-as-a-service (RaaS) program discovered by researchers at CrowdStrike that targets ESXi and Linux systems. MichaelKors joins several other operations, including those CrowdStrike tracks as Alpha Spider, Bitwise Spider, and Sprite Spider, that supply affiliates with binaries built to lock up ESXi hosts.
SentinelOne reported a similar trend involving ransomware variants built on the Babuk source code leaked in 2021. Between the second half of 2022 and early 2023, SentinelOne observed at least 10 ransomware families based on Babuk code targeting the ESXi hypervisor. Both small groups and large ransomware operations such as Conti and REvil were among those using Babuk ESXi variants. Rather than bringing their own tooling, attackers often used ESXi's native shell commands to enumerate and kill running guests and then encrypted the virtual disk and configuration files on the datastores. Other vendors have reported several major ransomware groups, including the operators of Royal, Luna, and Black Basta, expanding from Windows to ESXi/Linux targets over the past year.
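The sequence described above (enumerate guests, force-kill their worlds, then operate on the datastore files that back them) leaves a trail in the ESXi shell history. The following detector is an added example, not code from the article or from any vendor it cites. It assumes the `/var/log/shell.log` line format `2023-02-03T10:15:01Z shell[2099890]: [root]: <command>`, and the sample lines are constructed; the command names (`esxcli vm process kill`, `vim-cmd vmsvc/power.off`) are real ESXi commands, but the thresholds and window are the example's own choices.

```python
"""Hunt for hypervisor-jackpotting tradecraft in an ESXi shell.log.

Added example, not part of the original article. Assumed log line format:
'<ISO-8601 UTC timestamp> shell[<pid>]: [<user>]: <command>'.
"""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+Z)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Stages seen in Babuk-derived ESXi lockers: stage a binary, list guests,
# kill their worlds, then walk the datastore that holds the VM files.
STAGE = re.compile(r"\bchmod\s+\+x\b|\b(?:wget|curl)\b")
ENUMERATE = re.compile(r"\b(?:esxcli vm process list|vim-cmd vmsvc/getallvms)\b")
KILL = re.compile(r"\b(?:esxcli vm process kill|vim-cmd vmsvc/power\.off)\b")
DATASTORE = re.compile(r"/vmfs/volumes\b")


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    cmd: str
    tags: frozenset


def classify(cmd: str) -> frozenset:
    """Tag one shell command with the tradecraft stages it matches."""
    tags = set()
    if STAGE.search(cmd):
        tags.add("stage")
    if ENUMERATE.search(cmd):
        tags.add("enumerate")
    if KILL.search(cmd):
        tags.add("kill")
    if DATASTORE.search(cmd):
        tags.add("datastore")
    return frozenset(tags)


def parse_shell_log(text: str) -> list:
    """Parse shell.log-style lines; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(Event(ts, m["user"], m["cmd"], classify(m["cmd"])))
    return events


def detect_jackpotting(events, window=timedelta(minutes=30), min_kills=3):
    """Alert when at least `min_kills` guest kills inside `window` are
    followed (within the same window) by a command touching /vmfs/volumes.
    A lone power-off, or datastore browsing before any kill, is not enough."""
    kills = [e for e in events if "kill" in e.tags]
    for i, first in enumerate(kills):
        burst = [k for k in kills[i:] if k.ts - first.ts <= window]
        if len(burst) < min_kills:
            continue
        followups = [
            e for e in events
            if "datastore" in e.tags and first.ts <= e.ts <= first.ts + window
        ]
        if followups:
            return True, {
                "user": first.user,
                "kills": len(burst),
                "first_kill": first.ts.isoformat(),
                "staged": any("stage" in e.tags for e in events if e.ts <= first.ts),
                "datastore_cmds": [e.cmd for e in followups],
            }
    return False, {}


# Constructed sample: an intrusion that mirrors the reported tradecraft.
SAMPLE_ATTACK = """\
2023-02-03T10:14:02Z shell[2099890]: [root]: ls /vmfs/volumes
2023-02-03T10:14:40Z shell[2099890]: [root]: cd /tmp && chmod +x encrypt
2023-02-03T10:15:01Z shell[2099890]: [root]: esxcli vm process list
2023-02-03T10:15:09Z shell[2099890]: [root]: esxcli vm process kill --type=force --world-id=2100123
2023-02-03T10:15:11Z shell[2099890]: [root]: esxcli vm process kill --type=force --world-id=2100456
2023-02-03T10:15:13Z shell[2099890]: [root]: vim-cmd vmsvc/power.off 7
2023-02-03T10:15:40Z shell[2099890]: [root]: find /vmfs/volumes -name "*.vmdk" -exec /tmp/encrypt {} \\;
"""

# Constructed sample: routine administration that must not alert.
SAMPLE_BENIGN = """\
2023-02-03T11:02:10Z shell[2100900]: [root]: vim-cmd vmsvc/power.off 3
2023-02-03T11:03:45Z shell[2100900]: [root]: vmkfstools -i /vmfs/volumes/ds1/old/old.vmdk /vmfs/volumes/ds1/new/new.vmdk
"""

if __name__ == "__main__":
    for name, log in (("attack", SAMPLE_ATTACK), ("benign", SAMPLE_BENIGN)):
        alert, summary = detect_jackpotting(parse_shell_log(log))
        print(name, "ALERT" if alert else "ok", summary)
```

The first sample trips the detector because three kills land inside a few seconds and a datastore walk follows them; the second does not, even though it powers off a guest and touches `/vmfs/volumes`, because a single power-off followed by a clone is ordinary administration. Tune `min_kills` and `window` to the host's normal change rate, and ship shell.log off the host, since a locker that reaches the shell can also truncate it.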
Two factors drive attacker interest in hypervisors in general and VMware ESXi in particular. The first is reach: many organizations use ESXi to run their virtual infrastructure, with a single host carrying dozens or hundreds of VMs that host business-critical applications. Compromising the host gives an attacker control over every guest on it, which scales an attack considerably. In a ransomware scenario, encrypting the virtual disks on the host takes down all of its VMs at once and raises the pressure on the victim to pay. This tactic, known as 'hypervisor jackpotting,' is used in big game hunting campaigns against large and high-profile enterprises. According to a CrowdStrike spokeswoman, "In hypervisor jackpotting, threat actors deploy Linux versions of ransomware tools specifically designed to affect VMware's ESXi vSphere hypervisor." She added, "By deploying ransomware on ESXi hosts, adversaries quickly increase the scope of affected systems within the victim environments, resulting in additional pressure on victims to pay a ransom demand."
The second factor is that attackers know the hypervisor has no native malware detection. CrowdStrike explains that ESXi is designed purely to provide virtualization and the services needed to manage virtual machines. VMware has described the hypervisor as not requiring antivirus software and has not provided support for third-party malware detection agents on the host. In a recent blog post, CrowdStrike stated, "ESXi, by design, does not support third-party agents or antivirus software and VMware states in its documentation that antivirus software is not required." Combined with ESXi's popularity, this makes the hypervisor a highly attractive target for modern adversaries.
Recorded Future noted a nearly threefold increase in ransomware targeting ESXi servers between 2021 and 2022 (from 434 to 1,188) and pointed to the immaturity of antivirus and malware detection technologies for ESXi, as well as the difficulty of implementing them, as factors lowering the barrier for threat actors. They said, "Defensive practices are difficult to implement due to the complex nature of hypervisors." ESXi vulnerabilities, such as CVE-2020-3992 and CVE-2021-21974, both in the hypervisor's OpenSLP service, are another issue. A global ransomware attack on ESXi servers earlier this year exploited these two vulnerabilities to drop a novel ransomware strain called ESXiArgs. The CrowdStrike spokeswoman commented, "Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse." She also noted that "CrowdStrike Intelligence has observed hypervisor jackpotting becoming a dominant trend." The larger issue is that there is no agent-based security product that can run on the ESXi host itself, so defenders are left with patching, segmenting the management interfaces, and monitoring the hypervisor from the outside. Threat actors continue to target VMware knowing that a reachable, unpatched ESXi host has nothing on it to stop them. The CrowdStrike spokeswoman concluded, "More and more threat actors are recognizing that the lack of security technology and monitoring, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment" for ransomware attackers.