Ransomware actors have set their sights on VMware ESXi servers, and the threat is growing. These attacks exploit known vulnerabilities in the ESXi hypervisor, causing significant damage to virtualized infrastructure.
Here’s what you need to know:
1 – The Threat Landscape:
- In recent months, there has been a surge in ransomware targeting ESXi servers. These attacks can shut down entire data centers, affecting virtualized storage shared among workloads.
- Attackers exploit previously disclosed vulnerabilities, such as CVE-2021-21974, to gain unauthorized access to ESXi hosts.
- The impact is severe: compromised ESXi hosts can disrupt critical services, compromise data, and lead to financial losses.
2 – Ransomware Families Targeting ESXi:
- Babuk: This ransomware emerged in early 2021 and includes an ESXi encryptor. It encrypts files with extensions like .log, .vmdk, and .vmem. Babuk doesn’t shut down virtual machines before encryption, potentially causing file corruption.
- AvosLocker: Initially targeting Windows, AvosLocker now has a Linux variant that specifically targets ESXi instances. It uses Salsa20 and RSA for encryption and shuts down ESXi VMs before encrypting files.
- BlackCat (ALPHV): Written in Rust, BlackCat targets multiple platforms, including ESXi. Its widespread impact highlights the urgency of securing ESXi hosts.
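The families above all end in the same observable: files with extensions such as .log, .vmdk and .vmem on the datastore replaced by ciphertext, in Babuk's case while the VM is still running. The script below is an added triage example, not code from the original post or from any vendor; it walks a datastore path, samples the first 4 KiB of every file with one of the listed extensions, and flags a file as likely encrypted when its byte entropy is near 8 bits/byte or when a non-flat .vmdk lacks the expected VMware header ("# Disk DescriptorFile" for descriptors, "KDMV" for sparse extents). The 7.0 bits/byte threshold, the 4 KiB sample size and the sample datastore layout are assumptions chosen for illustration.

```python
import math
import os
import tempfile
from pathlib import Path

# Extensions the post names as encryption targets.
TARGET_EXTENSIONS = {".log", ".vmdk", ".vmem"}
# Expected leading bytes of healthy non-flat VMDK files (assumed from the VMDK format):
# text descriptors start with "# Disk DescriptorFile", sparse extents with the "KDMV" magic.
VMDK_MAGICS = (b"# Disk DescriptorFile", b"KDMV")
SAMPLE_BYTES = 4096          # assumed: how much of each file to inspect
ENTROPY_THRESHOLD = 7.0      # assumed: bits/byte above which we treat data as ciphertext


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; random/encrypted data approaches 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def assess_file(path: Path) -> dict:
    """Return a verdict for one file: header check (vmdk only) plus entropy check."""
    head = path.read_bytes()[:SAMPLE_BYTES]
    entropy = shannon_entropy(head)
    reasons = []
    # Flat extents ("-flat.vmdk") hold raw disk sectors and have no VMDK header, so skip them.
    if path.suffix.lower() == ".vmdk" and "-flat" not in path.stem and not head.startswith(VMDK_MAGICS):
        reasons.append("vmdk header missing")
    if entropy >= ENTROPY_THRESHOLD:
        reasons.append(f"high entropy ({entropy:.2f} bits/byte)")
    return {"path": str(path), "entropy": entropy, "suspicious": bool(reasons), "reasons": reasons}


def scan_datastore(root) -> list[dict]:
    """Walk a datastore directory and assess every file with a targeted extension."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS:
                findings.append(assess_file(p))
    return findings


def build_sample_datastore(root: Path) -> None:
    """Constructed sample data: two healthy files and two overwritten with random bytes."""
    vm = root / "vm01"
    vm.mkdir(parents=True, exist_ok=True)
    (vm / "vm01.vmdk").write_text("# Disk DescriptorFile\nversion=1\nencoding=\"UTF-8\"\n")
    (vm / "vmware.log").write_text("2024-01-01T00:00:00Z| vmx| I005: constructed sample log line\n")
    (vm / "vm01-s001.vmdk").write_bytes(os.urandom(SAMPLE_BYTES))   # stands in for an encrypted extent
    (vm / "vm01.vmem").write_bytes(os.urandom(SAMPLE_BYTES))        # stands in for an encrypted memory file


def demo_scan() -> dict:
    """Build the constructed datastore in a temp dir, scan it, and return results keyed by filename."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_datastore(Path(tmp))
        return {Path(f["path"]).name: f for f in scan_datastore(tmp)}


if __name__ == "__main__":
    for name, verdict in sorted(demo_scan().items()):
        flag = "SUSPICIOUS" if verdict["suspicious"] else "ok"
        print(f"{flag:10} {name:18} entropy={verdict['entropy']:.2f} {verdict['reasons']}")
```

Run it against a copy of a datastore (or a mounted snapshot) rather than the live volume, and treat the output as a starting point for triage: a healthy flat extent holding compressed or already-encrypted guest data will also show high entropy, which is why the header check is kept separate from the entropy check in the reported reasons.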
3 – Protective Measures:
4 – Seek Expert Assistance:
If you suspect a compromise or need guidance, contact us for an expert analysis and help.