From File Encryption to Hostile Infrastructure: The Silent Rise of Hypervisor Ransomware

In cybersecurity, the constant churn of new threats challenges defenders every day. Yet much of the publicly discussed threat intelligence is retrospective—summaries of the last decade’s attacks. That backward-facing lens makes it harder for organizations to spot the bleeding edge of attack trends and redirect defensive focus to what’s happening now. 

With this blog, we aim to spotlight one of those emerging fronts: ransomware that bypasses endpoints altogether and strikes infrastructure at its core—namely, the hypervisor layer. This is not a hypothetical threat. It is already underway. 

Why This Matters: The Shift to Low-Visibility, High-Impact Attacks 

Decline in Traditional Ransomware ≠ Decline in Threats 

Since around 2022, incident trackers and industry reports have documented a decrease in high-volume, mass-scale endpoint encryption attacks. But rather than reflecting a safer environment, many experts interpret it as evidence that threat actors are evolving—employing more covert strategies such as data exfiltration, stealthy lateral movement, and infrastructure-level targeting. 

For instance: 

  • Bitdefender’s 2025 Cybersecurity Assessment found that 58% of security professionals were instructed to keep an incident confidential, even when it should have been reported, a 38% increase from 2023. This suggests many breaches are occurring behind closed doors.  
  • Veeam’s 2025 ransomware trends highlight a drop in ransom payments and a growing pressure from law enforcement crackdowns as motivating factors driving attackers to adopt stealthier, higher-leverage tactics.  
  • Unit 42’s 2025 Global Incident Response Report emphasizes that 86% of incidents involve business disruption, not just data loss—showing attackers increasingly aim for operational paralysis.  

Hence, the decline in encryption-based endpoint attacks is not reassurance; it’s a red flag that adversaries are shifting tactics to maximize damage while minimizing exposure. 

Hypervisors: The “Tier-0” Prize 

A hypervisor is the cornerstone of virtualized infrastructure. It hosts multiple virtual machines (VMs), allocates compute/storage/network resources, and forms a management plane. When compromised, the hypervisor becomes a conduit to entire server fleets, business-critical systems, and their data. 

Here’s what makes hypervisor-level attacks distinct and especially dangerous: 

  • Wide scope with one strike: Instead of infecting hundreds or thousands of endpoints, an attacker compromises the hypervisor and cripples all VMs underneath. 
  • Silent disruption: Unlike classic ransomware, which displays ransom notes on user desktops, hypervisor attacks may render VMs unbootable without overt signals to end users. 
  • Higher likelihood of successful decryption: Because attackers first shut down VMs and then encrypt the virtual disk images (which aren’t in use), decryption is more reliable. This centralized approach means victims are more confident the threat actor can “deliver.” 
  • Attack pressure concentrated on IT: The fallout is thrust onto system administrators, who must manage recovery, negotiations, and communications with the board—often under extreme stress and tight deadlines. 

How Attackers Are Doing It: Tools, Vulnerabilities, and Trends 

Use of Cross-Platform Languages (Golang, Rust) 

Modern threat actors increasingly favor Golang or Rust to build tooling that compiles across architectures. A single encryptor can target Linux-based ESXi hosts, Windows servers, and Linux workloads—reducing development overhead and widening their reach. 

Vulnerabilities Under Attack 

A defining example is CVE-2024-37085, an authentication bypass flaw in domain-joined VMware ESXi hosts.  
Here’s how it works: 

  • VMware ESXi hypervisors, when joined to Active Directory, treat any member of a domain group named “ESX Admins” as having full admin privileges—without validating whether the group was legitimate or was originally present.  
  • An attacker with enough AD privileges can create this group or rename an existing one, add themselves, and immediately gain hypervisor administration rights.  
  • Several ransomware operations, including Storm-0506, Storm-1175, Octo Tempest, Manatee Tempest, Akira, and Black Basta, have leveraged this vulnerability in active campaigns.  

The vulnerability was patched in June 2024 as part of VMware’s VMSA-2024-0013 advisory. But because exploit code was already circulating, many organizations remained vulnerable even after patches were issued.  

More recently, new zero-day flaws (CVE-2025-22224, CVE-2025-22225, CVE-2025-22226) have been disclosed that allow VM escapes or hypervisor control from guest-level compromise. Tens of thousands of ESXi instances remain exposed.  

RaaS Groups That Embrace Hypervisor Attacks 

Some ransomware-as-a-service (RaaS) groups have explicitly integrated hypervisor tactics into their playbooks: 

  • LockBit (incl. the Linux/ESXi branch) continues to maintain hypervisor targets in certain campaigns. 
  • BlackCat (ALPHV) has also used Rust-based tools suited for hybrid environments.  
  • ESXiArgs is a ransomware family targeting ESXi hosts exclusively, exploiting the OpenSLP service vulnerability (CVE-2021-21974).  
  • Hunters International, using source code from the defunct Hive group, has built and deployed its own ESXi encryptor.  
  • RansomHouse has built “MrAgent” for automated encryption of VMs on hypervisors.  
  • Scattered Spider, known for social-engineering helpdesk attacks, has been reported targeting VMware ESXi and vSphere platforms in recent campaigns.  

Defensive Strategies: How to Protect Against Hypervisor Ransomware 

Given the stakes, defenses must be multi-layered, proactive, and tailored to the peculiarities of virtual infrastructure. 

Patch and Harden Without Delay 

  • Prioritize hypervisor and virtualization management software in your patching workflow. The impact of vulnerabilities like CVE-2024-37085 underlines how fast attackers exploit unpatched hypervisors. 
  • Disable or isolate nonessential services such as OpenSLP, and strictly restrict which network segments and hosts can reach management interfaces. 
  • Use firewalls or RPC filters to block unauthorized traffic to hypervisor ports. Some firms propose using RPC firewalls to thwart attacks leveraging group-based bypass techniques. 

Secure Access and Authorization 

  • Mandate Multi-Factor Authentication (MFA) for any administrative access, especially for the hypervisor or management console. 
  • Enforce Least Privilege (PoLP): Give users the minimum roles necessary; avoid granting domain-level authority to hypervisor admins unless necessary. 
  • Perform periodic audits of AD groups and their mappings; pay special attention to groups named “ESX Admins” or equivalents. 

Visibility, Detection & Response 

  • Use detection rules (e.g. Sigma signatures) to spot patterns related to hypervisor exploitation (e.g. creation of “ESX Admins”, suspicious commands) (source: SOC Prime). 
  • Employ EDR/XDR tools that can monitor VM activity and detect unusual I/O patterns, even when VMs are offline or in migration. 
  • Consider human-led threat hunting or outsourced MDR (Managed Detection & Response) services to spot advanced techniques employing living-off-the-land behaviours. 
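As an added example (not code from the original post), here is a small detector in the spirit of the Sigma rules and AD group audits described above, run over constructed Windows Security event records. It flags the three steps of the CVE-2024-37085 abuse pattern the post describes: an “ESX Admins” group being created, an existing group being renamed to that name, and members being added to it. The event IDs and EventData field names are the standard Windows Security log ones; every record below is constructed sample data.

```python
"""Flag Active Directory group events matching the CVE-2024-37085 abuse pattern
(creation or rename of an "ESX Admins" group, and members being added to it).
Added example, not code from the original post; sample records are constructed."""
from typing import NamedTuple, Optional

SUSPECT_GROUP = "esx admins"  # compared case-insensitively so casing differences are not missed
# Standard Windows Security log event IDs for group lifecycle changes.
GROUP_CREATED = {4727, 4731, 4754}  # security-enabled global / local / universal group created
MEMBER_ADDED = {4728, 4732, 4756}   # member added to global / local / universal group
ACCOUNT_RENAMED = 4781              # "The name of an account was changed" (covers groups too)

class Finding(NamedTuple):
    event_id: int
    reason: str
    actor: str   # SubjectUserName: the account that made the change
    detail: str

def _is_suspect(name: Optional[str]) -> bool:
    return (name or "").strip().lower() == SUSPECT_GROUP

def inspect_event(ev: dict) -> Optional[Finding]:
    """Return a Finding when one event record matches, else None.
    Keys follow the EventData field names of the Security log XML."""
    eid, actor = ev.get("EventID"), ev.get("SubjectUserName", "?")
    if eid in GROUP_CREATED and _is_suspect(ev.get("TargetUserName")):
        return Finding(eid, "group_created", actor, ev["TargetUserName"])
    if eid == ACCOUNT_RENAMED and _is_suspect(ev.get("NewTargetUserName")):
        return Finding(eid, "group_renamed", actor,
                       f"{ev.get('OldTargetUserName')} -> {ev['NewTargetUserName']}")
    if eid in MEMBER_ADDED and _is_suspect(ev.get("TargetUserName")):
        return Finding(eid, "member_added", actor, ev.get("MemberName", "?"))
    return None

def scan(events: list) -> list:
    """Run inspect_event over a batch and keep only the hits, in log order."""
    return [f for f in map(inspect_event, events) if f is not None]

# Constructed sample records (not real telemetry): a benign group creation, then a
# rename of an unrelated group to "ESX Admins" followed by the actor adding itself.
SAMPLE_EVENTS = [
    {"EventID": 4727, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Readers"},
    {"EventID": 4781, "SubjectUserName": "svc-deploy",
     "OldTargetUserName": "Printer Ops", "NewTargetUserName": "ESX Admins"},
    {"EventID": 4728, "SubjectUserName": "svc-deploy", "TargetUserName": "ESX Admins",
     "MemberName": "CN=svc-deploy,OU=Service,DC=corp,DC=example"},
    {"EventID": 4728, "SubjectUserName": "jdoe", "TargetUserName": "Finance-Readers",
     "MemberName": "CN=asmith,OU=Users,DC=corp,DC=example"},
]
```

Running `scan(SAMPLE_EVENTS)` yields two findings, the rename and the self-add by `svc-deploy`, while the unrelated Finance-Readers events are ignored; the same logic applies to exported Security log records once their EventData fields are mapped to these keys.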

Proactive Controls: Slowing the Adversary 

  • Implement Proactive Hardening & Attack Surface Reduction (PHASR)-type techniques—creating dynamic user–machine behavioural profiles and blocking anomalous high-risk actions. 
  • Enforce network segmentation so that even if a hypervisor is compromised, lateral movement is constrained. 
  • Regularly test backup resilience with immutable or air-gapped backup copies. Use a standard like 3-2-1-1-0 (3 copies, 2 media, 1 off-site, 1 immutable, 0 recovery surprises) to build confidence in recovery readiness. 

Incident Response Planning 

A hypervisor ransomware event demands a different playbook than a simple desktop encryption: 

  • Have well-defined containment steps (e.g. isolate compromised hosts, revoke credentials, block network paths). 
  • Prepare communication plans: your board, regulators, legal teams, and customers may demand rapid visibility. 
  • Regularly rehearse the plan (tabletop or live drills) specifically for infrastructure-level compromise. 

Looking Ahead: What to Watch in 2025 and Beyond 

  • AI-augmented attacks: Emerging research hints at ransomware “3.0” tools that dynamically adapt payloads and extortion methods through LLM orchestration.  
  • Zero-space detection and anomaly models: Advanced frameworks are emerging that go beyond signature-based detection to spot latent behavior changes—even in highly compressed or latent storage layers.  
  • Heightened regulatory pressure: As governments tighten rules around ransom payments, threat actors will increasingly prefer stealth tactics that delay detection and minimize public exposure. 
  • More hypervisor-native tooling: As hypervisor attacks prove effective, more threat groups will invest in specialized toolkits for VMware, Hyper-V, KVM, and other platforms. 
  • Cross-domain attacks: Future campaigns may combine hypervisor, container orchestration (e.g. Kubernetes), firmware, and supply chain compromise to amplify impact. 

Final Thoughts 

The evolution of ransomware from noisy, visible endpoint campaigns to quiet, infrastructure-level strikes is not a surprise—but it is a warning. Organizations must reimagine defenses beyond the endpoint and build protection around their computing fabric. 

For Open Storage Solutions, this shift is especially relevant: your clients’ data lives in virtualized infrastructure and relies on hypervisors, storage stacks, and orchestration layers. Ensuring those layers are strengthened, monitored, and recoverable is as critical as protecting the data itself. Contact us today to learn more.
