ESXi ransomware in 2026: one host, the whole datacenter

By Ransomnews Research Team, June 24, 2026. 7 min read.

ESXi ransomware is malware that encrypts virtual machines directly on a VMware ESXi hypervisor, taking down every guest server on that host in a single stroke. It has become one of the defining ransomware shifts of the mid-2020s because the hypervisor is the rare high-value target that runs almost no security tooling. Groups including Akira, Qilin, and Black Basta now ship dedicated Linux and ESXi encryptors, and the US Cybersecurity and Infrastructure Security Agency has flagged the trend as an imminent threat to critical infrastructure.

What is ESXi ransomware?

VMware ESXi is a bare-metal hypervisor: it runs directly on a physical server and hosts dozens of virtual machines, each one a separate guest operating system. ESXi ransomware is built specifically to attack that layer. Instead of encrypting one Windows machine at a time, the encryptor runs on the hypervisor itself. It first shuts down or kills the running VMs, because a running VM holds a lock on its disk files and the encryptor cannot open them otherwise, then deletes their snapshots, and finally encrypts the files every guest depends on: the .vmdk virtual disks, the .vmx configuration, and the snapshot, swap and memory files stored beside them. Encrypt the host once and the whole virtual datacenter goes dark at the same moment.

Why the hypervisor is the perfect target

Three properties make ESXi the highest-leverage target in a modern network.

First, it is agentless. Endpoint detection and response is built for Windows and, increasingly, Linux endpoints. It is not built to run on an ESXi host, and VMware has historically discouraged third-party agents on the hypervisor. That leaves the most consolidated asset in the building as a blind spot, which is exactly where an attacker wants to detonate.

Second, the blast radius is enormous. One host can run dozens of production servers. Encrypting the hypervisor takes down domain controllers, databases, file servers, and applications in one action, which is why dwell-to-impact times on these attacks are so short.

Third, the encryptor destroys recovery on the way through. Modern ESXi-focused families, including the Qilin variant, delete VM snapshots before encrypting, removing the fastest local recovery path and pushing the victim toward the ransom. That snapshot deletion is the tell that an operator came specifically for the hypervisor.
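When the operator works from the ESXi shell, the sequence described above (kill the guests to release their file locks, strip the snapshots, run the payload) is written to /var/log/shell.log one command per line. The following Python is an added example written for this article, not tooling from Ransomnews or from any of the groups named here. It parses constructed shell.log lines and alerts only on the burst pattern, so a single snapshot removal during routine maintenance does not fire. The line layout and the grouping of commands by shell PID are assumptions about how shell.log is structured.

```python
"""Flag hypervisor kill-chain bursts in ESXi /var/log/shell.log.

Added example for this article; assumes the shell.log layout shown in the
constructed sample (one command per line, tagged with the shell PID and user).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# "<ISO time> shell[<pid>]: [<user>]: <command>"  (assumed shell.log layout)
LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[([^\]]+)\]: (.*)$")

# Commands an ESXi-focused encryptor issues before it touches the VMDKs.
TAGS = {
    "vm_kill":            re.compile(r"\besxcli vm process kill\b"),
    "vm_poweroff":        re.compile(r"\bvim-cmd vmsvc/power\.off\b"),
    "snapshot_removeall": re.compile(r"\bvim-cmd vmsvc/snapshot\.removeall\b"),
    "tmp_exec":           re.compile(r"(^|\s)/tmp/\S+"),  # payload staged in /tmp
}


def parse(lines):
    """Yield (time, pid, user, command) for every well-formed shell.log line."""
    for line in lines:
        m = LINE_RE.match(line.rstrip())
        if m:
            ts, pid, user, cmd = m.groups()
            yield datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), int(pid), user, cmd


def detect(lines, window=timedelta(minutes=10)):
    """Return one alert per shell session that kills or powers off at least one VM
    and removes snapshots from two or more VMs inside `window`.  A lone
    snapshot.removeall is routine admin work and is deliberately not reported."""
    sessions = defaultdict(list)
    for ts, pid, user, cmd in parse(lines):
        for tag, rx in TAGS.items():
            if rx.search(cmd):
                sessions[(pid, user)].append((ts, tag, cmd))
    alerts = []
    for (pid, user), evs in sessions.items():
        evs.sort()
        for i, (t0, _, _) in enumerate(evs):
            win = [e for e in evs[i:] if e[0] - t0 <= window]
            counts = defaultdict(int)
            for _, tag, _ in win:
                counts[tag] += 1
            kills = counts["vm_kill"] + counts["vm_poweroff"]
            if kills >= 1 and counts["snapshot_removeall"] >= 2:
                alerts.append({
                    "pid": pid, "user": user, "start": t0,
                    "vm_kills": kills,
                    "snapshots_removed": counts["snapshot_removeall"],
                    "tmp_execs": counts["tmp_exec"],
                    "commands": [c for _, _, c in win],
                })
                break  # one alert per session is enough
    return alerts


# Constructed sample: a benign maintenance action the day before, then the burst.
SAMPLE_SHELL_LOG = """\
2025-06-02T14:00:01Z shell[2099000]: [root]: vim-cmd vmsvc/snapshot.removeall 7
2025-06-03T02:14:07Z shell[2102145]: [root]: esxcli vm process list
2025-06-03T02:14:09Z shell[2102145]: [root]: esxcli vm process kill --type=force --world-id=2101990
2025-06-03T02:14:10Z shell[2102145]: [root]: esxcli vm process kill --type=force --world-id=2102004
2025-06-03T02:14:15Z shell[2102145]: [root]: vim-cmd vmsvc/getallvms
2025-06-03T02:14:18Z shell[2102145]: [root]: vim-cmd vmsvc/snapshot.removeall 12
2025-06-03T02:14:19Z shell[2102145]: [root]: vim-cmd vmsvc/snapshot.removeall 14
2025-06-03T02:14:25Z shell[2102145]: [root]: chmod +x /tmp/encrypt
2025-06-03T02:14:26Z shell[2102145]: [root]: nohup /tmp/encrypt /vmfs/volumes/ &
""".splitlines()

if __name__ == "__main__":
    for a in detect(SAMPLE_SHELL_LOG):
        print(f"[ALERT] shell pid {a['pid']} ({a['user']}) at {a['start']}: "
              f"{a['vm_kills']} VM kill(s), {a['snapshots_removed']} snapshot purge(s), "
              f"{a['tmp_execs']} /tmp execution(s)")
```

The threshold (at least one kill plus snapshot removal on two or more VMs in ten minutes) is a starting point, not a standard; tune it to how your administrators actually work, and ship shell.log off the host first, because an operator with shell access can clear it.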

How attackers reach the hypervisor

The entry rarely starts at ESXi itself. Operators land elsewhere, escalate, and pivot to the hypervisor using valid credentials or a management-plane flaw. The most consequential vulnerability of this wave is CVE-2024-37085 (fixed in ESXi 8.0 Update 3 under VMSA-2024-0013), an authentication bypass in ESXi's Active Directory integration. A domain-joined host grants full administrative rights to every member of an AD group named ESX Admins. That group does not exist by default, the host never verifies that it existed when the host was joined, and membership is resolved by name rather than by SID, so an attacker who can create a group with that name, or rename a group they already control to it, becomes a hypervisor administrator without touching ESXi directly. Microsoft observed operators deploying Akira and Black Basta exploiting it to seize hypervisors outright. Because so much of the kill chain runs through Active Directory, hardening that layer matters as much as patching ESXi itself. See our guide to Active Directory hardening.

Initial access feeding these intrusions has come through edge devices and backup systems: SonicWall, Cisco ASA, and Veeam Backup & Replication flaws have all been chained into hypervisor attacks. Once inside, the operators follow the same path documented in our ransomware incident-response runbook: harvest credentials, move laterally, find the vCenter or ESXi management interface, and deploy.
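The group creation or rename that CVE-2024-37085 depends on leaves ordinary Windows Security events on the domain controller, and those events are worth hunting whether or not the hosts are patched. The script below is an added example written for this article, not code from Ransomnews, Microsoft or VMware. It assumes the events have already been exported as dicts with the fields used in the constructed sample (in practice from Get-WinEvent on a DC, filtered on the event IDs listed), correlates any creation of, or rename to, an ESX Admins group with the members added to it afterwards, and reports who did it.

```python
"""Hunt domain-controller Security events for the CVE-2024-37085 precursor:
an AD group created as, or renamed to, "ESX Admins", plus who was added to it.

Added example for this article, not code from Ransomnews, Microsoft or VMware.
Assumes events exported as dicts with the fields used in the constructed
sample below (e.g. from Get-WinEvent on a DC, filtered on these event IDs).
"""
from datetime import datetime, timedelta

# Standard Windows Security event IDs:
GROUP_CREATED = {4727, 4731, 4754}   # security-enabled global / domain-local / universal group created
GROUP_RENAMED = 4781                  # "The name of an account was changed" (applies to groups too)
MEMBER_ADDED = {4728, 4732, 4756}     # member added to global / domain-local / universal security group

# ESXi resolves the admin group by name, not SID, so the name is the only thing
# worth matching.  Matching case-insensitively is a conservative choice so a
# casing variant is not missed.
TARGET = "esx admins"


def _is_target(name):
    return (name or "").strip().lower() == TARGET


def hunt_esx_admins(events, window=timedelta(hours=24)):
    """Return one alert per creation of, or rename to, an 'ESX Admins' group,
    listing (actor, member) pairs added to that group within `window` after it."""
    events = sorted(events, key=lambda e: e["time"])
    alerts = []
    for e in events:
        if e["event_id"] in GROUP_CREATED and _is_target(e.get("group")):
            action = "created"
        elif e["event_id"] == GROUP_RENAMED and _is_target(e.get("new_name")):
            action = f"renamed from {e.get('old_name')!r}"
        else:
            continue
        adds = [
            (m["actor"], m["member"]) for m in events
            if m["event_id"] in MEMBER_ADDED and _is_target(m.get("group"))
            and e["time"] <= m["time"] <= e["time"] + window
        ]
        alerts.append({"time": e["time"], "actor": e["actor"],
                       "action": action, "members_added": adds})
    return alerts


# Constructed sample.  Field names are this example's own, not the raw event XML.
# Note the evasion in rows 1-2: the group is created under an innocuous name and
# renamed afterwards, so a rule that only watches group *creation* misses it.
SAMPLE_EVENTS = [
    {"time": datetime(2024, 7, 12, 9, 2), "event_id": 4727, "actor": "CORP\\svc-helpdesk",
     "group": "Printer Ops"},
    {"time": datetime(2024, 7, 12, 9, 5), "event_id": 4781, "actor": "CORP\\jdoe",
     "old_name": "Printer Ops", "new_name": "ESX Admins"},
    {"time": datetime(2024, 7, 12, 9, 6), "event_id": 4728, "actor": "CORP\\jdoe",
     "group": "ESX Admins", "member": "CORP\\jdoe"},
    {"time": datetime(2024, 7, 12, 9, 7), "event_id": 4728, "actor": "CORP\\jdoe",
     "group": "ESX Admins", "member": "CORP\\svc-backup"},
    {"time": datetime(2024, 7, 12, 9, 8), "event_id": 4728, "actor": "CORP\\hr-admin",
     "group": "Domain Users", "member": "CORP\\newhire"},
    {"time": datetime(2024, 7, 13, 11, 0), "event_id": 4754, "actor": "CORP\\backup-ops",
     "group": "esx admins"},
]

if __name__ == "__main__":
    for a in hunt_esx_admins(SAMPLE_EVENTS):
        print(f"[ALERT] {a['time']} {a['actor']} {a['action']} 'ESX Admins'; "
              f"members added within 24h: {a['members_added'] or 'none'}")
```

The alert on the creation or rename itself is intentional: in a domain that does not use the ESX Admins convention, that event should never happen, and the member list tells the responder which account to disable first.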

Who is doing it

Key figures:
  • $244M: Akira proceeds by late September 2025 (CISA/FBI advisory AA24-109A)
  • 2x: ESXi-impacting incident-response engagements more than doubled over three years (Microsoft Incident Response)
  • CVE-2024-37085: ESXi authentication bypass via Active Directory
  • Active families: Akira, Qilin, Black Basta; targeting expanding to Hyper-V and Nutanix AHV

Akira is the standout. The FBI and CISA put its proceeds above 244 million dollars by late September 2025, and in a June 2025 incident Akira encrypted Nutanix AHV virtual-disk files for the first time, a sign the playbook is generalising beyond VMware to any hypervisor worth hitting. Qilin ships one of the most customisable Linux and ESXi encryptors seen to date, purpose-built to encrypt virtual machines and delete their snapshots. Black Basta was among the earliest to weaponise CVE-2024-37085. The broader catalogue lives on our threat-groups index.

What it costs

The clearest measure of the shift is Microsoft’s own incident-response data, which shows engagements involving ESXi hypervisors more than doubling over a three-year window. The reason is leverage: a single successful hypervisor encryption can halt an entire business, which raises the realistic ransom and lowers the attacker’s effort per victim. When recovery means rebuilding every virtual machine from off-host backups, downtime stretches into weeks, and downtime is where the real cost of ransomware lives.

How to defend ESXi

Defence is concrete, even without an agent on the host. Patch the management plane first and treat CVE-2024-37085 as urgent if you run AD-joined ESXi. Until every host is on a fixed build, set Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd to false and point Config.HostAgent.plugins.hostsvc.esxAdminsGroup at a group name an attacker cannot guess; that removes the automatic grant the bug relies on. Enable lockdown mode and take the ESXi and vCenter management interfaces off any network a normal user can reach, ideally onto a dedicated, MFA-gated management VLAN. Remove or tightly scope the ESX Admins AD group and alert on its creation or on any group being renamed to that name: neither happens in normal operation, so the event is itself an attack indicator. Disable SSH and the ESXi shell unless actively in use, and give them a session timeout when they are. Most important, keep immutable, off-host backups of your VMs, because on-host snapshots are the first thing these encryptors destroy. Test the restore, not just the backup.
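A quick way to check the host-side settings above across a fleet is to capture the output of `esxcli system settings advanced list` for the relevant options and compare it against a hardened baseline. The following Python is an added example written for this article, not tooling from Ransomnews, VMware or Broadcom. The option paths are real ESXi advanced settings (the esxcli path form of the Config.HostAgent.plugins.* names the vSphere client shows); the sample output is constructed and trimmed to the fields the audit reads, the integer typing of the boolean-style options and the remediation commands are this example's assumptions about esxcli, and the weak host is shown beside its remediated counterpart.

```python
"""Audit ESXi advanced settings relevant to CVE-2024-37085 and shell exposure.

Added example for this article, not tooling from Ransomnews, VMware or Broadcom.
Parses the block format printed by `esxcli system settings advanced list`
("Path:", "Type:", "Int Value:", "String Value:" ...) and checks each option
against a hardened baseline.  Option paths are real ESXi settings; the integer
typing assumed for them and the `set` commands are this example's assumptions.
"""
import re

FIELD_RE = re.compile(r"^\s*([A-Za-z ]+):\s?(.*)$")


def parse_esxcli_advanced(text):
    """Turn `esxcli system settings advanced list` output into {path: {field: value}}."""
    options, current = {}, None
    for line in text.splitlines():
        m = FIELD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).strip(), m.group(2).strip()
        if key == "Path":
            current = options.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return options


# (path, field to read, predicate that passes when hardened, finding text, assumed fix)
BASELINE = [
    ("/Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd", "Int Value",
     lambda v: v == "0",
     "host still auto-grants Administrator to the 'ESX Admins' AD group (CVE-2024-37085 path)",
     "esxcli system settings advanced set -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd -i 0"),
    ("/Config/HostAgent/plugins/hostsvc/esxAdminsGroup", "String Value",
     lambda v: v.strip().lower() != "esx admins",
     "auto-admin group still carries the well-known default name",
     "esxcli system settings advanced set -o /Config/HostAgent/plugins/hostsvc/esxAdminsGroup -s <unique name>"),
    ("/Config/HostAgent/plugins/solo/enableMob", "Int Value",
     lambda v: v == "0",
     "Managed Object Browser is enabled, exposing the host API over HTTPS",
     "esxcli system settings advanced set -o /Config/HostAgent/plugins/solo/enableMob -i 0"),
    ("/UserVars/ESXiShellInteractiveTimeOut", "Int Value",
     lambda v: v.isdigit() and 0 < int(v) <= 900,
     "interactive ESXi shell sessions never time out",
     "esxcli system settings advanced set -o /UserVars/ESXiShellInteractiveTimeOut -i 900"),
]


def audit(text):
    """Return one finding per baseline rule the parsed output fails or does not contain."""
    opts = parse_esxcli_advanced(text)
    findings = []
    for path, field, hardened, issue, fix in BASELINE:
        value = opts.get(path, {}).get(field)
        if value is None:
            findings.append({"path": path, "value": None,
                             "issue": "option not present in input", "fix": fix})
        elif not hardened(value):
            findings.append({"path": path, "value": value, "issue": issue, "fix": fix})
    return findings


def esxcli_output(group, auto_add, mob, shell_timeout):
    """Constructed `esxcli system settings advanced list` output for the four options."""
    return (
        f"   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroup\n"
        f"   Type: string\n   Int Value: 0\n   String Value: {group}\n"
        f"   Path: /Config/HostAgent/plugins/hostsvc/esxAdminsGroupAutoAdd\n"
        f"   Type: integer\n   Int Value: {auto_add}\n   String Value:\n"
        f"   Path: /Config/HostAgent/plugins/solo/enableMob\n"
        f"   Type: integer\n   Int Value: {mob}\n   String Value:\n"
        f"   Path: /UserVars/ESXiShellInteractiveTimeOut\n"
        f"   Type: integer\n   Int Value: {shell_timeout}\n   String Value:\n"
    )


WEAK_SAMPLE = esxcli_output("ESX Admins", 1, 1, 0)                   # default-looking host
HARDENED_SAMPLE = esxcli_output("vSphere-Host-Admins-7c1e", 0, 0, 900)  # same host remediated

if __name__ == "__main__":
    for f in audit(WEAK_SAMPLE):
        print(f"[FAIL] {f['path']} = {f['value']!r}: {f['issue']}\n       fix: {f['fix']}")
    print("hardened host findings:", audit(HARDENED_SAMPLE))
```

Turning off the automatic grant is a mitigation, not the fix: keep patching, and treat a missing option in the captured output as a finding too, since it usually means the capture ran against the wrong host or an unexpected build.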

What this means

ESXi ransomware is the logical endpoint of an attacker economy that rewards leverage. Why encrypt a hundred laptops when one hypervisor holds a hundred servers, runs no EDR, and deletes its own snapshots when told to? The defensive answer is not a new product but a posture: treat the hypervisor as crown-jewel infrastructure, isolate and patch its management plane, harden the Active Directory that fronts it, and keep backups somewhere the encryptor cannot reach. The groups have already industrialised this. The defence has to catch up. Track the operators on the Ransomware desk and the live victim feed on Ransomtracker.

FAQ

What is ESXi ransomware?

It is ransomware designed to run on a VMware ESXi hypervisor and encrypt the virtual-disk files of every guest virtual machine at once, rather than encrypting individual operating systems. One successful host encryption can take down a whole virtual datacenter.

Why do attackers target ESXi specifically?

The hypervisor runs almost no endpoint security, hosts many production servers on one machine, and stores the snapshots used for fast recovery. That combination gives attackers maximum impact, minimum detection, and a built-in way to destroy local recovery.

What is CVE-2024-37085?

It is an authentication-bypass vulnerability in ESXi’s Active Directory integration. An attacker who can create or rename an AD group named ESX Admins is automatically granted full administrative control of the host. Multiple ransomware groups have exploited it.

Which ransomware groups attack ESXi?

Akira, Qilin, and Black Basta are among the most active, all shipping dedicated Linux and ESXi encryptors. Akira has also begun encrypting Nutanix AHV, indicating the technique is spreading to other hypervisors.

How do I protect ESXi from ransomware?

Patch the management plane, enable lockdown mode, isolate vCenter and ESXi management behind MFA, control and monitor the ESX Admins AD group, disable unused SSH and shell access, and keep immutable off-host backups that the encryptor cannot delete.

Are on-host snapshots enough for recovery?

No. ESXi-focused encryptors routinely delete VM snapshots before encrypting, so snapshots stored on the same host offer little protection. Recovery depends on immutable backups kept off the hypervisor.

Sources and further reading

  • CVE-2024-37085 exploitation: Microsoft Security, July 2024.
  • Akira proceeds and Nutanix AHV targeting: CISA/FBI joint advisory AA24-109A (#StopRansomware: Akira Ransomware), updated November 2025.
  • Qilin Linux and ESXi encryptor analysis: BleepingComputer.
  • ESXi incident-response trend: Microsoft Incident Response.
  • Related on Ransomnews: Ransomware IR runbook, Active Directory hardening, ransomware-resistant backup picks.
Ransomnews Research Team

The Ransomnews Research Team is the collective byline used for collaborative pieces, editorial briefings, and articles drawing on contributions from multiple researchers. Coverage spans ransomware operations, breach economics, threat actor profiling, OSINT methodology, and emerging risks across security, privacy, and AI.

