The widespread use of VMware’s ESXi hypervisor and the fact that it does not support any third-party malware detection capabilities has made the technology an increasingly attractive target for ransomware operators.
The latest manifestation of that trend is “MichaelKors,” a new ransomware-as-a-service (RaaS) program that CrowdStrike researchers recently observed attackers using against ESXi/Linux systems. MichaelKors is one of several paid services CrowdStrike is tracking (including Alpha Spider, Bitwise Spider, and Sprite Spider) that currently provide attackers with malicious binaries for locking up ESXi systems.
A Slew of ESXi Ransomware
Earlier this month, SentinelOne reported a similar trend involving ransomware variants based on the leaked 2021 source code of the Babuk ransomware strain. From the second half of 2022 to date in 2023, SentinelOne has observed at least 10 ransomware families based on Babuk source code targeting the ESXi hypervisor. Those using the Babuk ESXi variants ranged from small groups to large ransomware operators such as Conti and REvil. SentinelOne found that the attackers often take advantage of ESXi’s native tools and commands to kill guest machines and encrypt hypervisor files.
Other vendors have reported seeing multiple other major ransomware groups, including the operators of Royal ransomware, Luna, and Black Basta, all pivoting from Windows to ESXi/Linux over the past year.
A couple of factors are driving attacker interest in hypervisors and VMware’s ESXi technology in particular.
One of them is the fact that many organizations use ESXi to manage their virtual infrastructure. VMware environments often host hundreds of VMs running business-critical applications. By compromising ESXi, attackers can potentially gain control over every virtual machine on the host, giving them an opportunity to considerably scale up their attacks. In a ransomware scenario, an attacker can encrypt multiple virtual machines at once and increase the likelihood of collecting a ransom from victims.
Such “hypervisor jackpotting” is a tactic that attackers use in so-called big game hunting campaigns targeting large and high-profile enterprise organizations. “In hypervisor jackpotting, threat actors deploy Linux versions of ransomware tools specifically designed to affect VMware’s ESXi vSphere hypervisor,” a CrowdStrike spokeswoman says. “By deploying ransomware on ESXi hosts, adversaries quickly increase the scope of affected systems within the victim environments, resulting in additional pressure on victims to pay a ransom demand.”
A Lack of Support for Malware Detection
The second reason attackers are increasingly targeting ESXi environments is that they know the hypervisor doesn’t support any native malware detection capabilities, according to CrowdStrike. As a hypervisor, ESXi is designed purely to provide virtualization services and services for managing virtual machines. VMware itself has described the hypervisor as not requiring any antivirus software and has not provided support for third-party malware detection agents either. “ESXi, by design, does not support third-party agents or antivirus software and VMware states in its documentation that antivirus software is not required,” CrowdStrike said in its blog post this week. This fact, combined with the popularity of ESXi, has made the hypervisor a highly attractive target for modern adversaries, the security vendor said.
Others have highlighted the same problem. Recorded Future, which counted a threefold increase in ransomware targeting ESXi servers between 2021 and 2022 (from 434 to 1,188), recently noted the immaturity of antivirus and malware detection technologies for ESXi, and the difficulty of implementing them, as lowering the barrier for threat actors. “Defensive practices are difficult to implement due to the complex nature of hypervisors,” Recorded Future said.
ESXi vulnerabilities are another problem. A case in point is a global ransomware attack on ESXi servers earlier this year that exploited two vulnerabilities in the hypervisor, one from 2021 (CVE-2021-21974) and the other from 2020 (CVE-2020-3992), to drop a novel ransomware strain called ESXiArgs.
“Given the popularity of VMware products and the continuous adoption of cloud infrastructure, this problem appears to be getting worse,” the CrowdStrike spokeswoman says. “CrowdStrike Intelligence has also observed hypervisor jackpotting becoming a dominant trend.”
The larger issue at play is that there is currently no solution available to address the threat. Threat actors continue to target VMware because they know the ESXi environment is vulnerable and without a remedy at the moment, the CrowdStrike spokeswoman notes. “More and more threat actors are recognizing that the lack of security technology and monitoring, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment” for ransomware attackers.