One of the greatest challenges in cybersecurity is the constant evolution of threats. While the threat landscape changes frequently, a significant amount of publicly available information is a cumulative summary of threats from the last decade. This makes it difficult for security professionals to prioritize and focus on the attacks that are happening right now, and not the ones from past years.
This article is part of our initiative to surface the latest threat insights, informing the community about critical and rapidly growing trends. In this case: ransomware attacks that ignore endpoints to target infrastructure directly at the hypervisor level.
Ransomware groups now prioritize a low profile to avoid law enforcement attention and sanctions, such as being added to the U.S. Treasury's SDN list, which makes it illegal for U.S. entities to pay them. Even without arrests, law enforcement operations can disrupt a group's operations and reputation. This was evident when LockBit's standing dropped significantly after Operation Cronos.
The decline in traditional data encryption attacks started in 2022 and continues today, but it is not a positive sign. Instead, it indicates that these groups are evolving toward less visible methods. They are increasingly using data exfiltration and targeted attacks on infrastructure, which impact IT departments without necessarily alerting the public. Attacks on hypervisors are a prime example of this change.
This shift in tactics can also explain a disturbing trend of increased breach concealment. Our 2025 Cybersecurity Assessment revealed that 58% of security professionals were told to keep an incident confidential when they knew it should be reported. This is a 38% increase from 2023.
We hypothesize that the evolution of threat actors toward less obvious attacks on critical infrastructure is directly related to this increase in unreported breaches, as attackers want to avoid public disclosure and organizations want to hide the compromise. During this period, ransomware payments have also been declining, according to Chainalysis data.
We hope there is only a correlation, not a causation, between these trends.
From Encrypted Files to Unbootable Machines
The goal of attacking hypervisors is not to encrypt the hypervisor's core operating system, but rather to target all the virtual machines (VMs) running on it. Since most modern corporate infrastructure is now virtualized, compromising the hypervisor gives the attacker the ability to effectively destroy the company's entire infrastructure and bring it to its knees.
The key difference between attacking an endpoint and a hypervisor lies in the scope of the attack and its technical execution. While an attacker may target many endpoints in a broad campaign, an attack on an endpoint primarily focuses on data encryption; encryption leaves the underlying machine's operating system operational, but the data is inaccessible. The goal is to hold the data hostage.
In contrast, an attack on a hypervisor is a strike on the central management layer. The attacker compromises the hypervisor to encrypt the virtual disk files of the virtual machines it hosts. This action renders the virtual machines unbootable, effectively taking down entire applications, servers, and services simultaneously. This represents a fundamental shift from disrupting data on individual machines to completely paralyzing the entire IT infrastructure.
Why Threat Actors Are Targeting Hypervisors
Threat actors operate with brutal effectiveness, and their decisions are driven by logical assessments, which explains their pragmatic adoption of tools and tactics. Instead of investing heavily in the fancy AI tools often sensationalized by the media, they gravitate toward approaches with a proven return on investment, such as targeting vulnerable edge network devices or critical infrastructure.
This focus on efficiency and tangible results means that when multiple ransomware groups adopt the same tactics, it's rarely a coincidence; rather, it indicates a clear benefit for them and their affiliates.
OS-Independent Languages
A key enabler for targeting hypervisors is the use of modern, cross-platform languages such as Golang and Rust. These languages allow threat actors to compile their malware for multiple operating systems from a single codebase.
This is a significant advantage over legacy malware, which often had to be specifically developed for a single OS like Windows. By writing a single Golang- or Rust-based encryptor, a threat actor can create a tool that is effective against VMware ESXi, which is Linux-based, as well as against traditional Windows or Linux servers. This efficiency allows them to scale their operations and extend their reach into diverse environments with minimal additional effort.
Minimizing Disruption for Maximum Leverage
Threat actors have a vested interest in a smooth, successful extortion and negotiation process. By targeting hypervisors, they can encrypt core infrastructure while leaving end-user devices and front-end business operations largely untouched. The regular end-user remains unaware that the business is under a massive ransomware attack until key backend services or applications become unavailable. Even then, the user may simply think it's a routine outage or a technical problem with their application. This is a stark contrast to a traditional ransomware attack, where each infected endpoint often displays a ransom note, making the attack public and impossible to hide.
This limited-impact strategy simplifies the attack for the threat actor and, most importantly, reduces the public and media pressure on the victim organization. The lack of widespread, immediate chaos makes it easier to conduct discreet negotiations.
This tactic is especially useful given the hypothesis that many companies, particularly those in critical infrastructure, are typically bound by legal restrictions that prevent them from paying a ransom outright or attempting payment without appropriate review and authorization. By offering a private and contained resolution, threat actors provide a pathway for the victim to find an alternative to public disclosure.
The Higher Recovery Rate Advantage
Decryption tools provided after a ransom payment are more likely to successfully recover encrypted VMs than endpoints. With a hypervisor attack, the adversary first shuts down all active virtual machines. This process ensures that all files are closed and not actively in use by any process, which prevents the encryptor from being blocked by open files. By encrypting the VM disk images while they are in a static, offline state, threat actors can achieve a near-perfect encryption rate.
This means that the decryptor they provide is more likely to work flawlessly, increasing the victim's confidence in the threat actor's technical capability and making them more likely to pay the ransom. Furthermore, the recovery process is also centralized, running a single decryptor on the hypervisor instead of requiring it to be executed on each individual impacted endpoint.
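The mass power-off that precedes disk-image encryption is itself a detectable signal. The following is an added example, not code from the original article: it groups vSphere-style power-off events into time windows and raises an alert when many distinct VMs are shut down in a short span. The event records are constructed for this example; VmPoweredOffEvent and VmPoweredOnEvent are genuine vSphere event type names, but the record shape is an assumption.

```python
from datetime import datetime, timedelta

# Constructed sample in a simplified vSphere-event shape (not real telemetry).
# One routine power-off in the morning is followed at night by a burst of
# power-offs from a single account, the pattern described in the article.
SAMPLE_EVENTS = [
    {"time": "2025-03-01T02:10:00Z", "type": "VmPoweredOffEvent", "vm": "build-01",    "user": "ops-admin"},
    {"time": "2025-03-01T23:40:05Z", "type": "VmPoweredOffEvent", "vm": "erp-db-01",   "user": "svc-backup"},
    {"time": "2025-03-01T23:40:07Z", "type": "VmPoweredOffEvent", "vm": "erp-app-01",  "user": "svc-backup"},
    {"time": "2025-03-01T23:40:09Z", "type": "VmPoweredOffEvent", "vm": "file-srv-02", "user": "svc-backup"},
    {"time": "2025-03-01T23:40:12Z", "type": "VmPoweredOnEvent",  "vm": "jump-01",     "user": "ops-admin"},
    {"time": "2025-03-01T23:40:15Z", "type": "VmPoweredOffEvent", "vm": "ad-dc-02",    "user": "svc-backup"},
    {"time": "2025-03-01T23:40:20Z", "type": "VmPoweredOffEvent", "vm": "crm-web-01",  "user": "svc-backup"},
]


def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def find_poweroff_bursts(events, threshold=4, window_seconds=300):
    """Cluster VmPoweredOffEvents, anchoring each cluster on its first event;
    a cluster that powers off `threshold` or more distinct VMs within
    `window_seconds` becomes an alert. Planned maintenance windows should be
    suppressed upstream (change ticket, known account) so this only fires on
    unexpected mass shutdowns."""
    offs = sorted(
        (parse_time(e["time"]), e["vm"], e["user"])
        for e in events if e["type"] == "VmPoweredOffEvent"
    )
    alerts, cluster = [], []

    def flush():
        vms = {vm for _, vm, _ in cluster}
        if len(vms) >= threshold:
            alerts.append({
                "first": cluster[0][0].isoformat(),
                "last": cluster[-1][0].isoformat(),
                "vm_count": len(vms),
                "users": sorted({u for _, _, u in cluster}),
            })

    for ev in offs:
        if cluster and ev[0] - cluster[0][0] > timedelta(seconds=window_seconds):
            flush()
            cluster = []
        cluster.append(ev)
    if cluster:
        flush()
    return alerts


if __name__ == "__main__":
    for a in find_poweroff_bursts(SAMPLE_EVENTS):
        print(f"{a['vm_count']} VMs powered off between {a['first']} and {a['last']} by {a['users']}")
```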
Limited Security Controls
IT management teams are frequently focused on operational efficiency and stability rather than stringent security controls. This can result in critical security gaps, such as the absence of Multi-Factor Authentication (MFA) for the hypervisor management interface, or unpatched vulnerabilities that would be immediately detected in a more mature endpoint environment.
A perfect example is CVE-2024-37085, which has been actively exploited by groups like Black Basta and Akira. This flaw lets an attacker use a simple trick: ESXi hypervisors that are joined to a domain automatically give full admin access to anyone in a domain group called "ESX Admins".
This is a major design flaw because the hypervisor doesn't check if the group is legitimate or if it has a proper security ID. An attacker who has already infiltrated the network can simply create or rename a domain group to "ESX Admins," add themselves to it, and instantly get full control of all domain-joined ESXi hypervisors.
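Because ESXi matches the group by name rather than by security identifier, the domain controller's Security log is the place to catch the group being created, renamed or populated. The following is an added example, not code from the article or from VMware: it scans constructed Windows Security events (one JSON object per line; the field names follow the log's EventData elements, the values are invented) for the three operations that matter for this flaw.

```python
import json

# Windows Security log event IDs (real values) relevant to abuse of the
# "ESX Admins" group described for CVE-2024-37085:
#   4727  a security-enabled global group was created
#   4728  a member was added to a security-enabled global group
#   4781  the name of an account (here, a group) was changed
WATCHED_GROUP = "esx admins"  # ESXi matches the name, not the group's SID

# Constructed sample, one JSON event per line (field names follow the
# Security log's EventData elements; values are invented for this example).
SAMPLE_LOG = """
{"EventID": 4727, "SubjectUserName": "svc-deploy", "TargetUserName": "Print-Servers-Legacy"}
{"EventID": 4781, "SubjectUserName": "jdoe", "OldTargetUserName": "Helpdesk-Temp", "NewTargetUserName": "ESX Admins"}
{"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "ESX Admins", "MemberName": "CN=jdoe,OU=Staff,DC=corp,DC=example"}
{"EventID": 4728, "SubjectUserName": "svc-deploy", "TargetUserName": "Print-Servers-Legacy", "MemberName": "CN=prn01$,OU=Servers,DC=corp,DC=example"}
{"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "esx admins"}
""".strip()


def find_esx_admins_abuse(log_text):
    """Return one (event_id, actor, description) finding per event that creates,
    renames to, or adds a member to a group named "ESX Admins", compared
    case-insensitively because that is all a domain-joined ESXi host checks.
    If the organisation legitimately uses the group, baseline its SID and
    treat any other creation or rename as suspicious. Malformed lines are skipped."""
    findings = []
    for raw in log_text.splitlines():
        try:
            ev = json.loads(raw)
        except json.JSONDecodeError:
            continue
        eid = ev.get("EventID")
        actor = ev.get("SubjectUserName", "?")
        if eid == 4727 and ev.get("TargetUserName", "").lower() == WATCHED_GROUP:
            findings.append((eid, actor, f"group '{ev['TargetUserName']}' created"))
        elif eid == 4781 and ev.get("NewTargetUserName", "").lower() == WATCHED_GROUP:
            findings.append((eid, actor,
                             f"group '{ev['OldTargetUserName']}' renamed to '{ev['NewTargetUserName']}'"))
        elif eid == 4728 and ev.get("TargetUserName", "").lower() == WATCHED_GROUP:
            findings.append((eid, actor, f"{ev['MemberName']} added to '{ev['TargetUserName']}'"))
    return findings


if __name__ == "__main__":
    for eid, actor, what in find_esx_admins_abuse(SAMPLE_LOG):
        print(f"[{eid}] by {actor}: {what}")
```

Detection should accompany, not replace, the host-side mitigation in the vendor advisory (patching, and on unpatched hosts disabling the automatic admin mapping via the Config.HostAgent.plugins.hostsvc.esxAdminsGroupAutoAdd advanced setting).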
Another example was the ESXiArgs ransomware campaign. The campaign exploited a known vulnerability in the OpenSLP service (CVE-2021-21974) to gain full control of ESXi hosts, despite the patch having been available for nearly two years prior to the attacks.
Many hypervisors do not officially support running EDR/XDR agents on the host itself. Instead, the vendors often recommend the traditional and ineffective approach of running these security tools inside each virtual machine. Because these VMs are shut down when they are encrypted, their security stacks become irrelevant.
Concentrating Pressure on IT
Finally, targeting hypervisors concentrates the pressure of the attack onto a small, dedicated team within the organization: the IT and systems administrators.
This small group is tasked with managing the immediate crisis, dealing with the technical fallout, and often leading the ransom negotiations. Unlike a widespread attack that could affect thousands of employees and departments, the hypervisor attack focuses the strain on a single, isolated team. This intense, isolated pressure can make the victim organization more susceptible to a quick payment, as the small team feels the direct burden of the downtime and the immense responsibility of restoring services. This pressure is often compounded by demands from the business and the board of directors, who are focused on restoring business operations and view the situation as a critical business decision rather than a technical one.
Case Studies
Several RaaS groups have been known to target hypervisors. The practice of targeting these critical virtualization components has become a common strategy for many of the most sophisticated ransomware operations.
CACTUS
The Cactus ransomware attack was a prime example of a sophisticated, multi-platform attack. The group used separate ransomware payloads for both Hyper-V and ESXi hypervisors in a single operation. For Hyper-V, they used their standard Windows ransomware, but for ESXi, they deployed a custom-built version, proving their investment in multi-platform tools.
The attack on ESXi was very methodical. The custom program was copied to the ESXi host, given permission to run, and then launched with specific commands. These commands allowed the attackers to control the attack with precision, from killing VM processes using the esxcli command to setting the exact percentage of partial encryption. This level of control shows a sophistication that goes far beyond simple ransomware.
RedCurl
While often described as a corporate espionage group, a compelling hypothesis suggests that RedCurl's primary focus may actually be on discreet, direct negotiations with victims. Adding hypervisor encryption to their portfolio would allow them to apply significant business pressure without creating a public spectacle or garnering even more attention.
For instance, the group has been observed operating in a manner that explicitly excludes the VMs responsible for network routing from encryption, ensuring that basic network connectivity and user access remain functional. This deliberate action minimizes immediate chaos for the organization's employees and focuses the full weight of the crisis on the IT department and leadership team.
Other RaaS Groups
Important note – it's common for RaaS groups to disband, discontinue their operations due to law enforcement attention, or simply rebrand. However, the technical knowledge, specialized tools (like encryptors for hypervisors), and attack playbooks often persist and are adopted or sold to other threat actors. This means that a technique pioneered by a group that is no longer active can still be a significant threat.
- LockBit: This group has been responsible for numerous high-profile attacks and continues to be a major threat, with a Linux-based encryptor designed to target ESXi hypervisors.
- BlackCat (ALPHV): As a significant and aggressive RaaS group, BlackCat has demonstrated a strong focus on targeting hypervisors. This group is now disrupted, but their use of the Rust programming language made their encryptor highly adaptable to different operating systems.
- ESXiArgs: This is a family of ransomware, rather than a single group, that gained notoriety for a large-scale, opportunistic campaign that targeted thousands of unpatched VMware ESXi servers. While the initial campaign was widespread, the specific ransomware and its techniques remain a threat and have been adopted by other groups.
- Hunters International: This group emerged after acquiring the source code and infrastructure of the now-defunct Hive ransomware group. They are still active and have deployed their own ESXi encryptor. This serves as a clear example of how ransomware capabilities are often bought and sold in the criminal underworld.
- RansomHouse: RansomHouse has been identified as an active RaaS group that specifically targets hypervisors using a custom tool called MrAgent. They focus on automating the encryption of all managed virtual machines once they gain access to a system.
- Scattered Spider: The Scattered Spider group often initiates its attacks with help desk social engineering, tricking support staff into granting access to internal systems. Once inside, the group escalates its privileges to compromise high-privileged accounts. Unlike groups that rely on a single, self-developed tool, Scattered Spider collaborates with various RaaS groups such as Akira, ALPHV, and RansomHub, giving it access to a diverse range of encryptors.
This is not a comprehensive list – just a few examples of RaaS groups that leveraged this tactic. Many other well-known groups, such as Babuk, Black Basta, REvil, Dark Angels, and RansomHub, have also been active in this space, further demonstrating the widespread nature of this approach. When a new tactic, such as targeting hypervisors, proves effective, the RaaS ecosystem is quick to adopt it.
Recommendations
The most basic defense is keeping your hypervisors and their management software updated. The ESXiArgs attacks showed devastating results of leaving known vulnerabilities unpatched for years. Organizations need a strong patch management program that prioritizes hypervisor-level vulnerabilities.
Use MFA for all administrative logins, especially for hypervisor management consoles. The Principle of Least Privilege (PoLP) should be strictly enforced, ensuring that no user or service has more permissions than they need to do their job. You also need to harden the host operating system by disabling unnecessary services like OpenSLP and restricting network access to management interfaces with firewall rules and dedicated management networks.
EDR and XDR platforms like GravityZone provide the essential detection and response capabilities, but they must be paired with human expertise to be most effective. Whether an organization chooses to build an internal SOC or partner with a specialized provider like Bitdefender MDR, this operation layer is critical.
But to effectively counter threats like Scattered Spider, organizations must move beyond a purely reactive security posture. EDR/XDR platforms are often designed to respond after an attack has been initiated. The rapid, social-engineering-led nature of these attacks, combined with their reliance on living-off-the-land (LOTL) tactics, demands a more proactive strategy.
The key is to introduce friction into the attacker's workflow, slowing them down and increasing their chances of being detected. Solutions like Proactive Hardening and Attack Surface Reduction (PHASR) can help by disrupting the attack kill chain.
PHASR works by analyzing user behavior and dynamically creating unique behavioral profiles for each user on each machine, rather than relying on static rules or job titles. By comparing these profiles to known threat actor tactics, PHASR can recommend or automatically apply policies that block high-risk actions without disrupting normal business operations.
Your recovery strategy serves as a critical last line of defense, but it must be built to withstand an attacker who has gained elevated privileges and may attempt to corrupt or delete backups. The gold standard for ransomware resilience is the 3-2-1-1-0 Backup Rule.
This rule means you should have:
- 3 copies of your data.
- On 2 different media types.
- With 1 copy off-site.
- And 1 copy that is immutable (or "air-gapped"), meaning it can't be encrypted or deleted by an attacker.
- The final 0 stands for "zero recovery surprises," meaning you should regularly test your backups to make sure they work.
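The rule is easy to state and easy to fail silently, for instance when a "second copy" is a replica reachable with the same hypervisor admin credentials the attacker holds. The following is an added example, not code from the article: it checks a backup inventory against each part of 3-2-1-1-0, including the restore-test age that the final 0 stands for. Both inventories are constructed for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass
class BackupCopy:
    name: str
    media: str                       # e.g. "disk", "tape", "object-storage"
    offsite: bool
    immutable: bool                  # WORM / object-lock / offline (air-gapped)
    last_restore_test: Optional[date]


def check_3_2_1_1_0(copies: List[BackupCopy], today: date, max_test_age_days: int = 90):
    """Return the list of rule parts the inventory fails (empty list = compliant).
    A VM snapshot on the datastore the hypervisor manages is not an independent
    copy and should not be listed in the inventory at all."""
    failures = []
    if len(copies) < 3:
        failures.append(f"3: only {len(copies)} copies")
    media = {c.media for c in copies}
    if len(media) < 2:
        failures.append(f"2: single media type ({', '.join(sorted(media)) or 'none'})")
    if not any(c.offsite for c in copies):
        failures.append("1: no off-site copy")
    if not any(c.immutable for c in copies):
        failures.append("1: no immutable or air-gapped copy")
    stale = [
        c.name for c in copies
        if c.last_restore_test is None or (today - c.last_restore_test).days > max_test_age_days
    ]
    if stale:
        failures.append(f"0: restore not tested in {max_test_age_days} days: {', '.join(stale)}")
    return failures


# Constructed inventories: a typical "NAS plus DR replica" setup, where both
# copies are writable disk reachable by an admin account, and a hardened one.
TODAY = date(2025, 3, 1)
WEAK = [
    BackupCopy("nightly-nas", "disk", offsite=False, immutable=False, last_restore_test=date(2025, 2, 20)),
    BackupCopy("replica-dr-site", "disk", offsite=True, immutable=False, last_restore_test=None),
]
HARDENED = [
    BackupCopy("nightly-nas", "disk", offsite=False, immutable=False, last_restore_test=date(2025, 2, 20)),
    BackupCopy("object-lock-bucket", "object-storage", offsite=True, immutable=True, last_restore_test=date(2025, 2, 27)),
    BackupCopy("monthly-tape", "tape", offsite=True, immutable=True, last_restore_test=date(2025, 1, 15)),
]

if __name__ == "__main__":
    for label, inv in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, check_3_2_1_1_0(inv, TODAY) or "compliant")
```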
Organizations must also have a specific, well-rehearsed incident response plan for a hypervisor attack. This plan should include clear steps for containment, such as physically disconnecting infected hosts to prevent the spread, and a communication plan for everyone from employees to stakeholders.
More Resources
Bitdefender continuously supports the community through complimentary resources like our monthly ransomware report, a whitepaper that we frequently update (we remove obsolete information as often as we add new material), and our quarterly ransomware masterclass where we analyze recent ransomware cases. You can also find the latest threat research news by visiting the Bitdefender Business Insights Blog.