In 2024, ransomware attacks targeting VMware ESXi servers reached alarming levels, and the average ransom demand skyrocketed to $5 million. With approximately 8,000 ESXi hosts exposed to direct Internet access (according to Shodan), the operational and business impact of these attacks is profound.
Most of the ransomware currently attacking ESXi servers consists of variants of the infamous Babuk ransomware, designed to evade detection by security tools. Moreover, access to these environments is becoming more widely available as attackers monetize their entry points by selling initial access to other threat actors, including ransomware groups. As organizations face complex threats on an ever-expanding front (new vulnerabilities, new entry points, monetized cybercrime networks, and more), the need to improve security measures and vigilance keeps growing.
ESXi architecture
Understanding how an attacker can gain control of an ESXi host begins with understanding the architecture of virtualized environments and their components. This will help identify potential vulnerabilities and entry points.
Based on this, attackers targeting ESXi servers look for a central node that manages multiple ESXi hosts, because compromising it lets them maximize their impact.
This brings us to vCenter, the central administration component of the VMware infrastructure, designed to manage multiple ESXi hosts. vCenter Server manages each ESXi host through the default account “vpxuser”. This account has root privileges and performs administrative actions on the virtual machines hosted on ESXi hosts, for example transferring virtual machines between hosts and changing the configuration of running virtual machines.
The encrypted password of each connected ESXi host is stored in a table on the vCenter Server. Because the secret key is stored on the same vCenter server, anyone who obtains it can decrypt these passwords and gain full control over every ESXi host. Once decrypted, the “vpxuser” account can be used for root-level operations, including changing configurations, changing other account passwords, logging in via SSH, and running ransomware.
Encryption on ESXi
Ransomware operators aim to make recovery difficult, forcing the organization to pay the ransom. In ESXi attacks, this is achieved by targeting four types of files that are critical to business continuity:
- VMDK files: virtual disk files that store the contents of a virtual machine’s hard disk. Encrypting them renders the virtual machine completely inoperable.
- VMEM files: the swap file of each virtual machine. Encrypting or deleting VMEM files can cause significant data loss and complications when attempting to resume suspended virtual machines.
- VSWP files: swap files that store the portion of a virtual machine’s memory that is not held in the host’s physical memory. Encrypting these swap files can crash virtual machines.
- VMSN files: snapshot files used to back up virtual machines. Targeting these files complicates disaster recovery.
Because the files involved in ransomware attacks on ESXi servers are large, attackers typically use hybrid encryption, combining the speed of symmetric encryption with the security of asymmetric encryption.
- Symmetric encryption – Methods such as AES or ChaCha20 encrypt large amounts of data quickly and efficiently. Attackers can encrypt files fast, shrinking the window in which security systems can detect and remediate.
- Asymmetric encryption – Methods such as RSA are slower because they involve a public and private key pair and require computationally expensive mathematical operations.
Therefore, ransomware mainly uses asymmetric encryption to protect the keys used for symmetric encryption, not the data itself. The encrypted symmetric keys can then only be decrypted by the holder of the corresponding private key, i.e. the attacker. This prevents easy decryption and adds an extra layer of protection for the attacker.
4 basic risk reduction strategies
Once we’ve recognized that vCenter security is at risk, the next step is to harden our defenses by putting obstacles in the way of potential attackers. Here are some strategies:
- Regular VCSA updates: Always use the latest VMware vCenter Server Appliance (VCSA) and keep it up to date. Moving from Windows-based vCenter to VCSA can improve security as it is designed specifically for vSphere management.
- Implement MFA and remove default users: Don’t just change default passwords—set up strong multi-factor authentication (MFA) for sensitive accounts to add an extra layer of protection.
- Deploy effective detection tools: Use detection and prevention tools directly on your vCenter. Solutions like EDR, XDR, or third-party tools can help with monitoring and alerting, making it harder for attackers to succeed. For example, set up monitoring policies that specifically watch for unusual access attempts to the vpxuser account, or that alert on encrypted file activity in the vCenter environment.
- Network segmentation: Segment your network to control traffic flow and reduce the risk of lateral movement by attackers. Separating the vCenter management network from other segments helps contain potential breaches.
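To illustrate the “encrypted file activity” check above, here is an added example (not from the article or from VMware) that flags files of the four types from the “Encryption on ESXi” section whose headers no longer look like VM data. It assumes a datastore mounted as a local directory, a 4 KiB header sample, a 7.5-bit entropy cutoff and a constructed “.locked” extension for a renamed file; the descriptor and sparse-extent magic strings are VMware's real on-disk headers.

```python
"""Flag datastore VM files whose headers look encrypted (added example, not
from the article or VMware). Covers .vmdk/.vmem/.vswp/.vmsn, also when a
ransomware extension was appended; 4 KiB sample and 7.5-bit cutoff are assumed."""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

VM_SUFFIXES = {".vmdk", ".vmem", ".vswp", ".vmsn"}
DESCRIPTOR_MAGIC = b"# Disk DescriptorFile"  # first line of a text descriptor VMDK
SPARSE_MAGICS = (b"KDMV", b"COWD")          # hosted sparse / vmfsSparse extent headers
SAMPLE_BYTES, ENTROPY_CUTOFF = 4096, 7.5

def shannon_entropy(data: bytes) -> float:
    """Bits per byte; 8.0 is uniformly random, ciphertext sits close to it."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def looks_encrypted(path: Path) -> bool:
    """True when the header is neither a known VMDK layout nor low-entropy."""
    with open(path, "rb") as fh:
        head = fh.read(SAMPLE_BYTES)
    if ".vmdk" in path.suffixes and head.startswith((DESCRIPTOR_MAGIC,) + SPARSE_MAGICS):
        return False
    # Flat extents, .vmem, .vswp and .vmsn have no fixed magic; their headers are
    # normally sparse or zero-filled, so entropy separates them from ciphertext.
    return shannon_entropy(head) > ENTROPY_CUTOFF

def scan_datastore(root: str) -> list[str]:
    """Return suspicious VM files under root as sorted POSIX-style relative paths."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath, name)
            if {s.lower() for s in p.suffixes} & VM_SUFFIXES and looks_encrypted(p):
                hits.append(Path(os.path.relpath(p, root)).as_posix())
    return sorted(hits)

def demo() -> list[str]:
    """Scan a constructed datastore: one intact VM plus one encrypted-looking file."""
    with tempfile.TemporaryDirectory() as root:
        vm = Path(root, "vm1")
        vm.mkdir()
        (vm / "vm1.vmdk").write_bytes(DESCRIPTOR_MAGIC + b"\nversion=1\n")
        (vm / "vm1-s001.vmdk").write_bytes(b"KDMV" + bytes(4092))
        (vm / "vm1.vswp").write_bytes(bytes(8192))
        (vm / "vm1-flat.vmdk.locked").write_bytes(os.urandom(8192))  # simulated ciphertext
        return scan_datastore(root)
```

Tune the cutoff against your own datastores before alerting on it: a running VM's .vswp can hold high-entropy guest pages, so compare against a baseline scan rather than a single threshold.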
Continuous Testing: Hardening ESXi Security
Protecting your vCenter against ESXi ransomware attacks is critical. The risks associated with a compromised vCenter can affect your entire organization, affecting everyone who relies on critical data.
Regular testing and evaluation can help identify and address security gaps before they become serious problems. Work with security experts who can help you implement a Continuous Threat Exposure Management (CTEM) strategy tailored to your organization.