In 2024, ransomware attacks targeting VMware ESXi servers reached alarming levels, with the average ransom demand skyrocketing to $5 million. With approximately 8,000 ESXi hosts exposed directly to the internet (according to Shodan), the operational and business impact of these attacks is profound.
Most of the ransomware strains attacking ESXi servers today are variants of the infamous Babuk ransomware, adapted to evade detection by security tools. Moreover, access is becoming more widespread, as attackers monetize their entry points by selling initial access to other threat actors, including ransomware groups. Organizations are dealing with compounded threats on an ever-expanding front: new vulnerabilities, new entry points, monetized cyber-crime networks, and more. The urgency for enhanced security measures and vigilance keeps growing.
Understanding how an attacker can gain control of the ESXi host begins with understanding the architecture of virtualized environments and their components. This will help identify potential vulnerabilities and points of entry.
Building on this, attackers targeting ESXi servers might look for the central node that manages multiple ESXi hosts. This will allow them to maximize their impact.
This brings us to vCenter, the central administration component of VMware infrastructure, designed to manage several ESXi hosts. The vCenter server orchestrates ESXi host management through the default “vpxuser” account. Holding root permissions, the “vpxuser” account performs administrative actions on the virtual machines residing on the ESXi hosts, for example transferring VMs between hosts and modifying configurations of active VMs.
Encrypted passwords for each connected ESXi host are stored in a table within the vCenter server. A secret key stored on the vCenter server allows those passwords to be decrypted and, consequently, grants total control over each and every one of the ESXi hosts. Once decrypted, the “vpxuser” credentials can be used for root-level operations, including altering configurations, changing passwords of other accounts, logging in over SSH, and executing ransomware.
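Because vCenter manages ESXi hosts through the host API rather than over SSH, an interactive SSH session opened with the “vpxuser” account is a high-signal indicator that the credentials described above have been extracted and misused. The following detection script is an added example, not code from the original post: it scans ESXi-style sshd log lines for successful logins by the vCenter service account. The log lines are constructed samples, and the line format (ISO timestamp, `sshd[pid]`, then the standard OpenSSH “Accepted … for USER from SRC port N” message) is an assumption about how ESXi writes its auth log.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in the style of an ESXi /var/log/auth.log (not real captures).
SAMPLE_AUTH_LOG = """\
2024-05-02T08:12:01Z sshd[2070401]: Accepted keyboard-interactive/pam for root from 10.10.5.21 port 51422 ssh2
2024-05-02T08:15:44Z sshd[2070455]: Accepted keyboard-interactive/pam for vpxuser from 10.10.5.99 port 40210 ssh2
2024-05-02T08:16:02Z sshd[2070460]: Failed keyboard-interactive/pam for invalid user admin from 10.10.5.99 port 40211 ssh2
2024-05-02T08:17:30Z sshd[2070470]: Accepted keyboard-interactive/pam for vpxuser from 10.10.5.99 port 40215 ssh2
2024-05-02T08:20:11Z sshd[2070480]: Accepted publickey for root from 10.10.0.3 port 33001 ssh2
"""

# Matches a successful OpenSSH login line. Assumed ESXi format: ISO timestamp,
# sshd[pid], then the standard "Accepted METHOD for USER from SRC port N" message.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[(?P<pid>\d+)\]: Accepted (?P<method>\S+) for (?P<user>\S+) "
    r"from (?P<src>\S+) port (?P<port>\d+)"
)


def parse_accepted_login(line: str) -> Optional[Dict[str, str]]:
    """Return the fields of a successful SSH login line, or None for any other line
    (failed attempts, disconnects, unrelated daemons)."""
    m = ACCEPTED_RE.match(line.strip())
    return m.groupdict() if m else None


def find_vpxuser_ssh_logins(log_text: str, account: str = "vpxuser") -> List[Dict[str, str]]:
    """Flag every SSH session opened with the vCenter service account.

    vCenter drives ESXi hosts through the host API, so an interactive SSH login
    as vpxuser is not part of normal operation and deserves an alert regardless
    of the source address. The account name is a parameter so the same check can
    be pointed at any other service account that should never log in over SSH."""
    alerts = []
    for line in log_text.splitlines():
        rec = parse_accepted_login(line)
        if rec and rec["user"] == account:
            alerts.append(rec)
    return alerts


def summarize_by_source(alerts: List[Dict[str, str]]) -> Dict[str, int]:
    """Count flagged logins per source IP, a quick way to spot the host an
    attacker is operating from once vpxuser has been abused."""
    counts: Dict[str, int] = {}
    for a in alerts:
        counts[a["src"]] = counts.get(a["src"], 0) + 1
    return counts


if __name__ == "__main__":
    hits = find_vpxuser_ssh_logins(SAMPLE_AUTH_LOG)
    for a in hits:
        print(f"ALERT {a['ts']} SSH login as {a['user']} from {a['src']} (auth={a['method']})")
    print("per-source counts:", summarize_by_source(hits))
```

In a real deployment the same rule belongs in whatever collects ESXi syslog centrally; a vpxuser SSH login should page someone, and the per-source counts give the responder the first pivot point for scoping the intrusion.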
Ransomware campaigns are intended to make recovery exceedingly difficult, coercing the organization toward paying the ransom. With ESXi attacks, this is achieved by targeting four file types that are essential for operational continuity:
Since the files involved in ransomware attacks on ESXi servers are large, attackers typically employ a hybrid encryption approach. They combine the rapidity of symmetric encryption with the security of asymmetric encryption.
Therefore, in ransomware, asymmetric encryption is primarily used to protect the keys used for symmetric encryption, rather than the data itself. This ensures that the encrypted symmetric keys can only be decrypted by someone possessing the corresponding private key, i.e. the attacker. Doing so prevents easy decryption, adding an extra layer of security for the attacker.
Once we’ve acknowledged that vCenter security is at risk, the next step is to strengthen defenses by putting obstacles in the path of potential attackers. Here are some strategies:
Protecting your vCenter from ESXi ransomware attacks is vital. The risks tied to a compromised vCenter can affect your entire organization, impacting everyone who relies on critical data.
Regular testing and assessments can help identify and address security gaps before they become serious issues. Work with security experts who can help you implement a Continuous Threat Exposure Management (CTEM) strategy tailored to your organization.