
Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware

Blog post from Crowdstrike

Post Details
Company
Date Published
Author
VMware
Word Count: 2,537
Language: English
Summary

CrowdStrike has observed a significant rise in eCrime actors targeting VMware ESXi hypervisors with ransomware, an approach intended to maximize encryption impact across victim environments. Various adversaries, including PINCHY SPIDER, VIKING SPIDER, and others, have developed and deployed specific ESXi ransomware variants, sometimes seeking partnerships with other operators or access brokers. These adversaries often use common tactics such as gaining access through SSH, terminating virtual machine processes, and encrypting data within the VM datastore path. CrowdStrike emphasizes the importance of reviewing ESXi security measures and implementing recommended defensive controls to protect critical assets from such sophisticated cyber threats.