One of the greatest challenges in cybersecurity is the constant evolution of threats. While the threat landscape changes frequently, a significant amount of publicly available information is a cumulative summary of threats from the last decade. This makes it difficult for security professionals to prioritize and focus on the attacks that are happening right now, and not the ones from past years.
This article is part of our initiative to surface the latest threat insights, informing the community about critical and rapidly growing trends. In this case: ransomware attacks that ignore endpoints to target infrastructure directly at the hypervisor level.
Ransomware groups now prioritize a low profile to avoid law enforcement attention and sanctions, such as being added to the U.S. Treasury's SDN list, which makes it illegal for U.S. entities to pay them. Even without arrests, law enforcement operations can disrupt a group's operations and reputation. This was evident when LockBit's standing dropped significantly after Operation Cronos.
The decline in traditional data encryption attacks started in 2022 and continues today, but it is not a positive sign. Instead, it indicates that these groups are evolving toward less visible methods. They are increasingly using data exfiltration and targeted attacks on infrastructure, which impact IT departments without necessarily alerting the public. Attacks on hypervisors are a prime example of this change.
This shift in tactics can also explain a disturbing trend of increased breach concealment. Our 2025 Cybersecurity Assessment revealed that 58% of security professionals were told to keep an incident confidential when they knew it should be reported. This is a 38% increase from 2023.
We hypothesize that the evolution of threat actors toward less obvious attacks on critical infrastructure is directly related to this increase in unreported breaches, as attackers want to avoid public disclosure and organizations want to hide the compromise. During this period, ransomware payments have also been declining, according to Chainalysis data.
We hope there is only a correlation, not a causation, between these trends.
The goal of attacking hypervisors is not to encrypt the hypervisor's core operating system, but rather to target all the virtual machines (VMs) running on it. Since most modern corporate infrastructure is now virtualized, compromising the hypervisor gives the attacker the ability to effectively destroy the company's entire infrastructure and bring it to its knees.
The key difference between attacking an endpoint and a hypervisor lies in the scope of the attack and its technical execution. While an attacker may target many endpoints in a broad campaign, an attack on an endpoint primarily focuses on data encryption; encryption leaves the underlying machine's operating system operational, but the data is inaccessible. The goal is to hold the data hostage.
In contrast, an attack on a hypervisor is a strike on the central management layer. The attacker compromises the hypervisor to encrypt the virtual disk files of the virtual machines it hosts. This action renders the virtual machines unbootable, effectively taking down entire applications, servers, and services simultaneously. This represents a fundamental shift from disrupting data on individual machines to completely paralyzing the entire IT infrastructure.
Threat actors operate with brutal effectiveness, and their decisions are driven by logical assessments, which explains their pragmatic adoption of tools and tactics. Instead of investing heavily in the fancy AI tools often sensationalized by the media, they gravitate toward approaches with a proven return on investment, such as targeting vulnerable edge network devices or critical infrastructure.
This focus on efficiency and tangible results means that when multiple ransomware groups adopt the same tactics, it's rarely a coincidence; rather, it indicates a clear benefit for them and their affiliates.
A key enabler for targeting hypervisors is the use of modern, cross-platform languages such as Golang and Rust. These languages allow threat actors to compile their malware for multiple operating systems from a single codebase.
This is a significant advantage over legacy malware, which often had to be specifically developed for a single OS like Windows. By writing a single Golang- or Rust-based encryptor, a threat actor can create a tool that is effective against VMware ESXi, which is Linux-based, as well as against traditional Windows or Linux servers. This efficiency allows them to scale their operations and extend their reach into diverse environments with minimal additional effort.
Threat actors have a vested interest in a smooth, successful extortion and negotiation process. By targeting hypervisors, they can encrypt core infrastructure while leaving end-user devices and front-end business operations largely untouched. The regular end-user remains unaware that the business is under a massive ransomware attack until key backend services or applications become unavailable. Even then, the user may simply think it's a routine outage or a technical problem with their application. This is a stark contrast to a traditional ransomware attack, where each infected endpoint often displays a ransom note, making the attack public and impossible to hide.
This limited-impact strategy simplifies the attack for the threat actor and, most importantly, reduces the public and media pressure on the victim organization. The lack of widespread, immediate chaos makes it easier to conduct discreet negotiations.
This tactic is especially useful given the hypothesis that many companies, particularly those in critical infrastructure, are typically bound by legal restrictions that prevent them from paying a ransom outright or attempting payment without appropriate review and authorization. By offering a private and contained resolution, threat actors provide a pathway for the victim to find an alternative to public disclosure.
Decryption tools provided after a ransom payment are more likely to successfully recover encrypted VMs than endpoints. With a hypervisor attack, the adversary first shuts down all active virtual machines. This process ensures that all files are closed and not actively in use by any process, which prevents the encryptor from being blocked by open files. By encrypting the VM disk images while they are in a static, offline state, threat actors can achieve a near-perfect encryption rate.
This means that the decryptor they provide is more likely to work flawlessly, increasing the victim's confidence in the threat actor's technical capability and making them more likely to pay the ransom. Furthermore, the recovery process is also centralized, running a single decryptor on the hypervisor instead of requiring it to be executed on each individual impacted endpoint.
IT management teams are frequently focused on operational efficiency and stability rather than stringent security controls. This can result in critical security gaps, such as the absence of Multi-Factor Authentication (MFA) for the hypervisor management interface, or unpatched vulnerabilities that would be immediately detected in a more mature endpoint environment.
A perfect example is CVE-2024-37085, which has been actively exploited by groups like Black Basta and Akira. This flaw lets an attacker use a simple trick: ESXi hypervisors that are joined to a domain automatically give full admin access to anyone in a domain group called "ESX Admins".
This is a major design flaw because the hypervisor doesn't check if the group is legitimate or if it has a proper security ID. An attacker who has already infiltrated the network can simply create or rename a domain group to "ESX Admins," add themselves to it, and instantly get full control of all domain-joined ESXi hypervisors.
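As an added defender-side example (not code from the article): a small Python detector over parsed Windows Security events that flags the group creation, rename, or membership change that this flaw converts into ESXi admin rights. The event IDs and field names are the Security log's own; the case-insensitive comparison is a conservative detection choice, and the sample events are constructed.

```python
"""Alert on AD group changes that set up CVE-2024-37085 abuse ('ESX Admins')."""
from dataclasses import dataclass

# Real Windows Security event IDs: 4727 security group created,
# 4728 member added to a global group, 4781 account or group renamed.
GROUP_CREATED, MEMBER_ADDED, ACCOUNT_RENAMED = 4727, 4728, 4781

# Group name ESXi trusts by default; compared case-insensitively here as a
# conservative detection choice (an assumption, not a statement about ESXi).
SENSITIVE_GROUP = "esx admins"


@dataclass
class Alert:
    event_id: int
    actor: str
    detail: str


def _is_sensitive(name: str) -> bool:
    return name.strip().lower() == SENSITIVE_GROUP


def detect_esx_admins_abuse(events):
    """events: dicts carrying the field names of parsed Security-log records.
    Returns one Alert per creation of, rename to, or addition to 'ESX Admins'."""
    alerts = []
    for ev in events:
        eid, actor = ev.get("EventID"), ev.get("SubjectUserName", "?")
        target = ev.get("TargetUserName", "")
        if eid == GROUP_CREATED and _is_sensitive(target):
            alerts.append(Alert(eid, actor, f"group '{target}' created"))
        elif eid == ACCOUNT_RENAMED and _is_sensitive(ev.get("NewTargetUserName", "")):
            alerts.append(Alert(eid, actor, f"'{ev.get('OldTargetUserName')}' renamed to "
                                            f"'{ev['NewTargetUserName']}'"))
        elif eid == MEMBER_ADDED and _is_sensitive(target):
            alerts.append(Alert(eid, actor, f"{ev.get('MemberName')} added to '{target}'"))
    return alerts


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Marketing"},
    {"EventID": 4781, "SubjectUserName": "svc-backup",
     "OldTargetUserName": "Helpdesk", "NewTargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-backup", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-backup,OU=Service,DC=example,DC=local"},
    {"EventID": 4728, "SubjectUserName": "admin", "TargetUserName": "Domain Users",
     "MemberName": "CN=newhire,OU=Staff,DC=example,DC=local"},
]
```

The rename-then-add pair by the same account is the pattern worth paging on; a group simply named that way at provisioning time is the fix-it-now finding from the advisory, not an incident by itself.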
Another example was the ESXiArgs ransomware campaign, which exploited a known vulnerability in the OpenSLP service (CVE-2021-21974) to gain full control of ESXi hosts, even though the patch had been available for nearly two years before the attacks.
Many hypervisors do not officially support running EDR/XDR agents on the host itself. Instead, the vendors often recommend the traditional and ineffective approach of running these security tools inside each virtual machine. Because these VMs are shut down when they are encrypted, their security stacks become irrelevant.
Finally, targeting hypervisors concentrates the pressure of the attack onto a small, dedicated team within the organization: the IT and systems administrators.
This small group is tasked with managing the immediate crisis, dealing with the technical fallout, and often leading the ransom negotiations. Unlike a widespread attack that could affect thousands of employees and departments, the hypervisor attack focuses the strain on a single, isolated team. This intense, isolated pressure can make the victim organization more susceptible to a quick payment, as the small team feels the direct burden of the downtime and the immense responsibility of restoring services. This pressure is often compounded by demands from the business and the board of directors, who are focused on restoring business operations and view the situation as a critical business decision rather than a technical one.
Several RaaS groups have been known to target hypervisors. The practice of targeting these critical virtualization components has become a common strategy for many of the most sophisticated ransomware operations.
The Cactus ransomware attack was a prime example of a sophisticated, multi-platform attack. The group used separate ransomware payloads for both Hyper-V and ESXi hypervisors in a single operation. For Hyper-V, they used their standard Windows ransomware, but for ESXi, they deployed a custom-built version, proving their investment in multi-platform tools.
The attack on ESXi was very methodical. The custom program was copied to the ESXi host, given permission to run, and then launched with specific commands. These commands allowed the attackers to control the attack with precision, from killing VM processes using the esxcli command to setting the exact percentage of partial encryption. This level of control shows a sophistication that goes far beyond simple ransomware.
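An added detection example, not code from the article or from the Cactus analysis it summarizes: it correlates ESXi shell-history lines for the staging-then-kill sequence just described (a file made executable, then a burst of VM kills). The shell.log line shape, the ten-minute window, the threshold of three kills, and the sample entries are all constructed assumptions.

```python
"""Correlate ESXi shell.log entries: a staged binary made executable, then a
burst of VM kill or power-off commands shortly afterwards."""
import re
from datetime import datetime, timedelta

# Assumed line shape, constructed to resemble /var/log/shell.log on ESXi 7.x:
#   2024-03-01T02:10:30Z shell[2001]: [root]: esxcli vm process kill -t force -w 1001
LINE_RE = re.compile(r"^(\S+) shell\[\d+\]: \[(\w+)\]: (.*)$")
# chmod +x or an octal mode on an absolute path (any octal mode treated as suspicious)
STAGE_RE = re.compile(r"\bchmod\s+(?:[ugoa]*\+x|[0-7]{3,4})\s+(/\S+)")
KILL_RE = re.compile(r"\besxcli\s+vm\s+process\s+kill\b|\bvim-cmd\s+vmsvc/power\.off\b")


def parse_line(line):
    """Return (timestamp, user, command) or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ"), m.group(2), m.group(3)


def find_kill_bursts(lines, window=timedelta(minutes=10), min_kills=3):
    """A finding = a file made executable followed by >= min_kills VM kill or
    power-off commands within `window`; isolated kills (routine admin work) are ignored."""
    staged, kills = [], []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, _user, cmd = rec
        m = STAGE_RE.search(cmd)
        if m:
            staged.append((ts, m.group(1)))
        if KILL_RE.search(cmd):
            kills.append(ts)
    findings = []
    for ts, path in staged:
        n = sum(1 for k in kills if ts <= k <= ts + window)
        if n >= min_kills:
            findings.append({"staged_binary": path, "vm_kills": n, "at": ts.isoformat()})
    return findings


# Constructed sample log, not a real capture.
SAMPLE_LOG = """\
2024-03-01T02:09:40Z shell[2001]: [root]: esxcli vm process list
2024-03-01T02:10:05Z shell[2001]: [root]: chmod +x /tmp/encryptor
2024-03-01T02:10:30Z shell[2001]: [root]: esxcli vm process kill -t force -w 1001
2024-03-01T02:10:31Z shell[2001]: [root]: esxcli vm process kill -t force -w 1002
2024-03-01T02:10:32Z shell[2001]: [root]: esxcli vm process kill -t force -w 1003
2024-03-02T09:00:00Z shell[3100]: [root]: chmod +x /vmfs/volumes/ds1/scripts/backup.sh
2024-03-02T09:05:00Z shell[3100]: [root]: vim-cmd vmsvc/power.off 12
"""
```

Because the host itself usually cannot run an EDR agent, shipping shell.log off-box via syslog and running a check like this centrally is the practical way to get this signal before the VMs go offline.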
While often described as a corporate espionage group, a compelling hypothesis suggests that RedCurl's primary focus may actually be on discreet, direct negotiations with victims. Adding hypervisor encryption to their portfolio would allow them to apply significant business pressure without creating a public spectacle or garnering even more attention.
For instance, the group has been observed operating in a manner that explicitly excludes the VMs responsible for network routing from encryption, ensuring that basic network connectivity and user access remain functional. This deliberate action minimizes immediate chaos for the organization's employees and focuses the full weight of the crisis on the IT department and leadership team.
Important note – it's common for RaaS groups to disband, discontinue their operations due to law enforcement attention, or simply rebrand. However, the technical knowledge, specialized tools (like encryptors for hypervisors), and attack playbooks often persist and are adopted or sold to other threat actors. This means that a technique pioneered by a group that is no longer active can still be a significant threat.
This is not a comprehensive list – just a few examples of RaaS groups that leveraged this tactic. Many other well-known groups, such as Babuk, Black Basta, REvil, Dark Angels, and RansomHub, have also been active in this space, further demonstrating the widespread nature of this approach. When a new tactic, such as targeting hypervisors, proves effective, the RaaS ecosystem is quick to adopt it.
The most basic defense is keeping your hypervisors and their management software updated. The ESXiArgs attacks showed devastating results of leaving known vulnerabilities unpatched for years. Organizations need a strong patch management program that prioritizes hypervisor-level vulnerabilities.
Use MFA for all administrative logins, especially for hypervisor management consoles. The Principle of Least Privilege (PoLP) should be strictly enforced, ensuring that no user or service has more permissions than they need to do their job. You also need to harden the host operating system by disabling unnecessary services like OpenSLP and restricting network access to management interfaces with firewall rules and dedicated management networks.
EDR and XDR platforms like GravityZone provide the essential detection and response capabilities, but they must be paired with human expertise to be most effective. Whether an organization chooses to build an internal SOC or partner with a specialized provider like Bitdefender MDR, this operation layer is critical.
But to effectively counter threats like Scattered Spider, organizations must move beyond a purely reactive security posture. EDR/XDR platforms are often designed to respond after an attack has been initiated. The rapid, social-engineering-led nature of these attacks, combined with their reliance on living-off-the-land (LOTL) tactics, demands a more proactive strategy.
The key is to introduce friction into the attacker's workflow, slowing them down and increasing their chances of being detected. Solutions like Proactive Hardening and Attack Surface Reduction (PHASR) can help by disrupting the attack kill chain.
PHASR works by analyzing user behavior and dynamically creating unique behavioral profiles for each user on each machine, rather than relying on static rules or job titles. By comparing these profiles to known threat actor tactics, PHASR can recommend or automatically apply policies that block high-risk actions without disrupting normal business operations.
Your recovery strategy is a critical last line of defense, but it must be built to withstand an attacker who has gained elevated privileges and may attempt to corrupt or delete backups. The accepted standard for ransomware resilience is the 3-2-1-1-0 Backup Rule.
This rule means you should have:
Organizations must also have a specific, well-rehearsed incident response plan for a hypervisor attack. This plan should include clear steps for containment, such as physically disconnecting infected hosts to prevent the spread, and a communication plan for everyone from employees to stakeholders.
Bitdefender continuously supports the community through complimentary resources like our monthly ransomware report, a whitepaper that we frequently update (we remove obsolete information as often as we add new material), and our quarterly ransomware masterclass, where we analyze recent ransomware cases. You can also find the latest threat research news on the Bitdefender Business Insights Blog.