CyberSecurity SEE

MichaelKors Highlights the Popular Trend of Ransomware Targeting VMware ESXi Hypervisor

The popularity of VMware’s ESXi hypervisor and the fact that it does not support any third-party malware detection capabilities has made the technology an increasingly attractive target for ransomware operators. Recently, researchers at CrowdStrike found attackers using “MichaelKors,” a new ransomware-as-a-service (RaaS) program to target ESXi/Linux systems. MichaelKors is one of several paid services CrowdStrike is tracking that currently provide attackers with malicious binaries for locking up ESXi systems.

This trend of targeting ESXi/Linux systems with ransomware is not new. Earlier this month, SentinelOne reported a similar trend involving ransomware variants built on the Babuk source code that leaked in 2021. From the second half of 2022 into 2023, SentinelOne has observed at least 10 ransomware families based on Babuk source code targeting the ESXi hypervisor. Among those using the Babuk ESXi variants were small groups as well as large ransomware operators such as Conti and REvil. SentinelOne found the attackers often relying on ESXi's own tools and commands to power off guest machines before encrypting the hypervisor's files, since a running VM holds locks on its virtual disks and the encryptor cannot overwrite them until the guest is stopped.
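The technique SentinelOne describes, attackers using ESXi's own command-line tools to stop guests and then encrypt their files, leaves a trail in the host's shell log, and because ESXi runs no third-party agents (a point the article returns to below) that trail is usually the only on-host signal a defender gets. The following script is an added example, not code from the article, SentinelOne or CrowdStrike: it scans ESXi shell.log lines forwarded to a collector and flags a burst of forced VM power-offs followed, within a short window, by a walk of the datastore for VM files. The command patterns (vim-cmd vmsvc/power.off, esxcli vm process kill, find over /vmfs/volumes), the thresholds and the exact log line format are assumptions made for illustration, and the sample lines are constructed, not captured from a real host.

```python
"""Flag ransomware-style use of ESXi's native tools in shell.log lines.

Added example, not part of the original article or any vendor's tooling.
ESXi accepts no third-party agents, so logic like this would run on the
syslog collector or SIEM that receives /var/log/shell.log from the host.
"""
import re
from collections import Counter
from datetime import datetime

# Assumed patterns for the native ESXi operations an encryptor needs before
# it can overwrite VMDKs: enumerate VMs, stop or kill them, walk the datastore.
SUSPICIOUS = {
    "enumerate_vms":  re.compile(r"vim-cmd\s+vmsvc/getallvms"),
    "power_off":      re.compile(r"vim-cmd\s+vmsvc/power\.off\s+\d+"),
    "list_worlds":    re.compile(r"esxcli\s+vm\s+process\s+list"),
    "kill_world":     re.compile(r"esxcli\s+vm\s+process\s+kill\b"),
    "datastore_walk": re.compile(r"find\s+/vmfs/volumes\S*.*\.vm(dk|x)"),
}

# One power-off is routine admin work; several in quick succession followed by
# a hunt for .vmdk/.vmx files is not. Thresholds are assumptions for the example.
WINDOW_SECONDS = 120
MIN_POWER_OFFS = 3

# Assumed shell.log layout: "<ISO timestamp> shell[<pid>]: [<user>]: <command>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+shell\[\d+\]:\s+\[(?P<user>[^\]]+)\]:\s+(?P<cmd>.*)$"
)

# Constructed sample: one attacker session as root, one routine admin session.
SAMPLE_SHELL_LOG = """\
2023-05-15T02:11:03Z shell[2101]: [root]: vim-cmd vmsvc/getallvms
2023-05-15T02:11:09Z shell[2101]: [root]: esxcli vm process list
2023-05-15T02:11:15Z shell[2101]: [root]: vim-cmd vmsvc/power.off 1
2023-05-15T02:11:16Z shell[2101]: [root]: vim-cmd vmsvc/power.off 2
2023-05-15T02:11:17Z shell[2101]: [root]: vim-cmd vmsvc/power.off 3
2023-05-15T02:11:20Z shell[2101]: [root]: esxcli vm process kill --type=force --world-id=2099431
2023-05-15T02:11:31Z shell[2101]: [root]: find /vmfs/volumes/ -type f -name "*.vmdk"
2023-05-15T09:30:02Z shell[3300]: [admin]: vim-cmd vmsvc/power.off 7
2023-05-15T09:31:40Z shell[3300]: [admin]: vim-cmd vmsvc/getallvms
"""


def parse_line(line):
    """Return (timestamp, user, command) for a shell.log command line, else None."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["user"], m["cmd"]


def classify(cmd):
    """Return the list of suspicious-pattern names a command matches."""
    return [name for name, rx in SUSPICIOUS.items() if rx.search(cmd)]


def find_jackpotting(lines, window=WINDOW_SECONDS, min_power_offs=MIN_POWER_OFFS):
    """Return one alert per user whose session shows >= min_power_offs forced
    power-offs and a datastore walk for VM files inside a `window`-second span."""
    events = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # not a command line; ignore
        ts, user, cmd = parsed
        for tag in classify(cmd):
            events.append((ts, user, tag))
    events.sort(key=lambda e: e[0])

    alerts = []
    for user in sorted({e[1] for e in events}):
        mine = [e for e in events if e[1] == user]
        for i, (ts, _, tag) in enumerate(mine):
            if tag != "power_off":
                continue  # windows start at a power-off, the first destructive step
            span = [e for e in mine[i:] if (e[0] - ts).total_seconds() <= window]
            counts = Counter(e[2] for e in span)
            if counts["power_off"] >= min_power_offs and counts["datastore_walk"]:
                alerts.append({
                    "user": user,
                    "start": ts.strftime("%Y-%m-%dT%H:%M:%SZ"),
                    "power_offs": counts["power_off"],
                    "kills": counts["kill_world"],
                })
                break  # one alert per user is enough to open a triage ticket
    return alerts


if __name__ == "__main__":
    for alert in find_jackpotting(SAMPLE_SHELL_LOG.splitlines()):
        print("ALERT hypervisor jackpotting pattern:", alert)
```

Run against the constructed sample, the root session trips the rule (three power-offs in two seconds, a world kill, then a find over /vmfs/volumes for .vmdk files) while the admin's single power-off does not. In production the same logic belongs in the SIEM's correlation rules, with the thresholds tuned against the site's normal maintenance activity, and the collector itself must sit off the ESXi management network so the attacker cannot simply stop log forwarding first.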

Other vendors have reported seeing multiple other major ransomware groups, including the operators of Royal ransomware, Luna, and Black Basta, all pivoting from Windows to ESXi/Linux over the past year.

The fact that many organizations use ESXi to manage their virtual infrastructure drives attacker interest in hypervisors in general and VMware's ESXi in particular. VMware environments often host hundreds of VMs running business-critical applications. By compromising ESXi, attackers gain control over every virtual machine on the host and can scale up their attacks considerably: the guests' disks are just files on the host's datastores, so encrypting them takes every VM offline at once. In a ransomware scenario, an attacker who encrypts many virtual machines in one stroke increases the likelihood of collecting a ransom from the victim.

Such “hypervisor jackpotting” is a tactic that attackers use in so-called big game hunting campaigns targeting large and high-profile enterprise organizations. “In hypervisor jackpotting, threat actors deploy Linux versions of ransomware tools specifically designed to affect VMware’s ESXi vSphere hypervisor,” a CrowdStrike spokeswoman says.

The second reason attackers increasingly target ESXi environments is that they know the hypervisor has no native malware detection capability, according to CrowdStrike. ESXi is designed purely to provide virtualization and the services needed to manage virtual machines; VMware describes it as not requiring antivirus software and offers no support for third-party malware detection agents. “ESXi, by design, does not support third-party agents or antivirus software and VMware states in its documentation that antivirus software is not required,” CrowdStrike said in its blog post this week. This, combined with ESXi's popularity, has made the hypervisor a highly attractive target for modern adversaries, the security vendor said.

Recorded Future notes the immaturity of antivirus and malware detection technologies for ESXi – and the difficulty in implementing them – as lowering the barrier for threat actors. “Defensive practices are difficult to implement due to the complex nature of hypervisors,” Recorded Future said.

ESXi vulnerabilities are another problem. A global ransomware attack on ESXi servers earlier this year exploited two vulnerabilities in the hypervisor to drop a novel ransomware strain called ESXiArgs. “Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse,” the CrowdStrike spokeswoman says. “CrowdStrike Intelligence has also observed hypervisor jackpotting becoming a dominant trend.”

The larger issue is that no on-host security product exists to counter the threat, and threat actors keep targeting VMware because they know ESXi environments are weakly defended. “More and more threat actors are recognizing that the lack of security technology and monitoring, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment” for ransomware attackers, says the CrowdStrike spokeswoman.

As ESXi ransomware continues to grow, organizations that run the hypervisor should take extra precautions. This means keeping ESXi and its management components patched, using strong, unique credentials for host and management accounts, and backing up VMs regularly, with copies kept off the datastores themselves, since backups stored alongside the VMs are encrypted together with them. Because ESXi accepts no third-party agents, detection has to come from outside the host: forward ESXi logs to a SIEM, monitor the management network, and segment ESXi's management interfaces from the rest of the network. Working with a trusted security provider can help ensure that all bases are covered.
