


Perceptive Security
SOC/SIEM Consultancy

The Hidden Risk in Virtualization: Why Hypervisors are a Ransomware Magnet
Published:
16 December 2025 at 15:01:11
Alert date:
16 December 2025 at 16:01:34
Source:
bleepingcomputer.com
Cloud & Virtualization, Ransomware & Malware
Ransomware groups are increasingly targeting hypervisors to maximize attack impact by encrypting multiple virtual machines simultaneously through a single breach. Attackers exploit visibility gaps at the hypervisor layer to compromise entire virtualization infrastructures. The targeting strategy allows threat actors to cause widespread damage across organizations' virtual environments. Security researchers from Huntress provide insights based on real-world incident data showing how these attacks unfold. The article outlines defensive measures organizations can implement to harden their virtualization infrastructure against ransomware attacks.
Technical details
Hypervisor ransomware attacks have surged from 3% to 25% in 2025. Attackers target Type 1 and Type 2 hypervisors to bypass endpoint security controls. They leverage built-in tools such as openssl to encrypt VM volumes, and misuse Hyper-V management utilities to modify VM settings and disable security features. CVE-2024-37085 allows attackers with AD permissions to bypass authentication and gain full ESXi administrative control by exploiting the 'ESX Admins' AD group. Attackers often exploit Service Location Protocol (SLP/port 427) and other exposed services for initial access.
Mitigation steps:
Use local ESXi accounts instead of domain accounts
Enforce MFA for all management interfaces
Use strong passwords stored in secure vaults
Segregate hypervisor management networks
Deploy jump boxes/bastion servers
Apply the principle of least privilege
Restrict management access to dedicated admin devices
Enable VMkernel.Boot.execInstalledOnly = TRUE
Disable unnecessary services such as SSH
Maintain a hypervisor patch inventory
Prioritize security patches
Disable SLP/port 427
Avoid direct internet exposure
Implement a 3-2-1 backup strategy
Use immutable backup repositories
Separate backup systems from AD
Test backups regularly
Practice recovery drills
Forward ESXi logs to the SIEM
Monitor for configuration drift
Log management network traffic
Use a zero-trust approach
Monitor critical log files
Establish shared responsibility with SOC providers
Affected products:
VMware ESXi
Microsoft Hyper-V
vCenter
Type 1 hypervisors
Type 2 hypervisors
Related links:
https://nvd.nist.gov/vuln/detail/cve-2024-37085
https://www.microsoft.com/en-us/security/blog/2024/07/29/ransomware-operators-exploit-esxi-hypervisor-vulnerability-for-mass-encryption/
https://knowledge.broadcom.com/external/article?legacyId=76372
https://knowledge.broadcom.com/external/article/306962
https://www.sygnia.co/blog/esxi-ransomware-ssh-tunneling-defense-strategies/
https://mikecybersec.notion.site/ESXi-IR-Guide-0ffbcec7272244d6b10dba4f4d16a7c8#1ec81b1bcfab8048bfade64d81a0916f
Related CVEs:
Related threat actors:
IOCs:
/var/log/auth.log
/var/log/hostd.log
/var/log/shell.log
/var/log/vobd.log
Service Location Protocol (SLP) port 427
VMkernel.Boot.execInstalledOnly setting changes
VIB acceptance level changes
SSH service enablement
Lockdown mode disabling
New admin account creation
Datastore unmounts
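The following is an added example, not code from the original article or from Huntress, illustrating two of the points above: checking a host's settings against a hardening baseline ("Monitor for configuration drift") and scanning ESXi shell log lines for the indicators listed under IOCs. The baseline keys, the sample host settings and the sample log lines are all constructed for the example; the log line shape only approximates /var/log/shell.log, and the regexes assume the commands an operator would type in the ESXi shell rather than hostd event text. In practice the scan would run in the SIEM over the forwarded logs, not on the host.

```python
"""Hardening-baseline drift check and IOC scan for ESXi-style log lines.

Constructed sample data only; no esxcli or real host is contacted.
"""
import re
from dataclasses import dataclass

# Assumed hardening baseline derived from the mitigation list above.
# The keys are illustrative names for this example, not esxcli option names.
BASELINE = {
    "VMkernel.Boot.execInstalledOnly": "TRUE",   # only signed, installed binaries may run
    "slp_service_enabled": "false",              # SLP / port 427 disabled
    "ssh_service_enabled": "false",              # SSH off unless needed for a change window
    "lockdown_mode": "normal",                   # 'disabled' is a finding
    "vib_acceptance_level": "PartnerSupported",  # CommunitySupported allows unsigned VIBs
}


def check_drift(observed):
    """Return a list of findings where observed host settings differ from BASELINE."""
    findings = []
    for key, expected in BASELINE.items():
        actual = observed.get(key)
        if actual is None:
            findings.append(f"{key}: not reported (expected {expected})")
        elif str(actual).lower() != expected.lower():
            findings.append(f"{key}: {actual} (expected {expected})")
    return findings


# One rule per indicator from the IOC list: (indicator name, pattern).
RULES = [
    ("execInstalledOnly disabled", re.compile(r"execInstalledOnly.*\bFALSE\b", re.I)),
    ("VIB acceptance level lowered", re.compile(r"software acceptance set.*CommunitySupported", re.I)),
    ("SSH service enabled", re.compile(r"enable_ssh|services ssh start", re.I)),
    ("Lockdown mode disabled", re.compile(r"lockdown_mode_exit|lockdown.*disabled", re.I)),
    ("New admin account", re.compile(r"system account add|system permission set.*\bAdmin\b", re.I)),
    ("Datastore unmount", re.compile(r"storage filesystem unmount", re.I)),
]


@dataclass
class Alert:
    indicator: str
    line: str


def scan_log(lines):
    """Return one Alert per log line that matches any rule (first match wins)."""
    alerts = []
    for line in lines:
        for name, pattern in RULES:
            if pattern.search(line):
                alerts.append(Alert(name, line.strip()))
                break  # one alert per line is enough for triage
    return alerts


# Constructed sample shell.log lines (format approximated, timestamps invented).
SAMPLE_SHELL_LOG = """\
2025-12-16T15:01:11Z shell[2099786]: [root]: esxcli system settings kernel set -s execInstalledOnly -v FALSE
2025-12-16T15:01:40Z shell[2099786]: [root]: esxcli software acceptance set --level=CommunitySupported
2025-12-16T15:02:05Z shell[2099786]: [root]: esxcli system account add -i newadmin -p ***** -c *****
2025-12-16T15:02:09Z shell[2099786]: [root]: esxcli system permission set -i newadmin -r Admin
2025-12-16T15:03:00Z shell[2099786]: [root]: esxcli storage filesystem list
2025-12-16T15:10:22Z shell[2099786]: [root]: esxcli storage filesystem unmount -l datastore1
""".splitlines()

# Constructed host settings as a collector might report them after the above.
SAMPLE_HOST_SETTINGS = {
    "VMkernel.Boot.execInstalledOnly": "FALSE",
    "slp_service_enabled": "true",
    "ssh_service_enabled": "false",
    "lockdown_mode": "normal",
    "vib_acceptance_level": "CommunitySupported",
}

if __name__ == "__main__":
    for finding in check_drift(SAMPLE_HOST_SETTINGS):
        print("DRIFT:", finding)
    for alert in scan_log(SAMPLE_SHELL_LOG):
        print(f"ALERT [{alert.indicator}]: {alert.line}")
```

Running the block reports three drift findings (execInstalledOnly, SLP, acceptance level) and five alerts; the benign `storage filesystem list` line produces none. The rules deliberately match on the change itself (setting a value to FALSE, lowering the acceptance level) rather than on any mention of the setting, so routine read-only commands do not generate noise.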
This article was created with the assistance of AI technology by Perceptive.
