In 2024, ransomware attacks targeting VMware ESXi servers reached alarming levels, with the average ransom demand skyrocketing to $5 million. With approximately 8,000 ESXi hosts exposed directly to the internet (according to Shodan), the operational and business impact of these attacks is profound.
Most of the Ransomware strands that are attacking ESXi servers nowadays, are variants of the infamous Babuk ransomware, adapted to avoid detection of security tools. Moreover, accessibility is becoming more widespread, as attackers monetize their entry points by selling Initial Access to other threat actors, including ransomware groups. As organizations are dealing with compounded threats on an ever-expanding front: new vulnerabilities, new entry points, monetized cyber-crime networks, and more, there is ever-growing urgency for enhanced security measures and vigilance.
The architecture of ESXi
Understanding how an attacker can gain control of the ESXi host begins with understanding the architecture of virtualized environments and their components. This will help identify potential vulnerabilities and points of entry.
Building on this, attackers targeting ESXi servers might look for the central node that manages multiple ESXi hosts. This will allow them to maximize their impact.
This brings us to the vCenter, which is the central administration for VMware infrastructure and is designed to manage several ESXi hosts. The vCenter server orchestrates ESXi host management with the default “vpxuser” account. Holding root permissions, the “vpxuser” account is responsible for administrative actions on the virtual machines residing on the ESXi hosts. For example, transferring VMs between hosts and modifying configurations of active VMs.
Encrypted passwords for each connected ESXi host are stored in a table within the vCenter server. A secret key stored on the vCenter server facilitates password decryption, and, consequently, total control over each and every one of the ESXi hosts. Once decrypted, the “vpxuser” account can be used for root permissions operations, including altering configurations, changing passwords of other accounts, SSH login, and executing ransomware.
Encryption on ESXi
Ransomware campaigns are intended to make recovery exceedingly difficult, coercing the organization toward paying the ransom. With ESXi attacks, this is achieved by targeting four file types that are essential for operational continuity:
- VMDK Files: A virtual disk file that stores the contents of a virtual machine’s hard drive. Encrypting these files renders the virtual machine completely inoperable.
- VMEM Files: The paging file of each virtual machine. Encrypting or deleting VMEM files can result in significant data loss and complications when attempting to resume suspended VMs.
- VSWP Files: Swap files, which store some of the VM’s memory beyond what the physical memory of the host can provide. Encrypting these swap files can cause crashes in VMs.
- VMSN Files: Snapshots for backing up VMs. Targeting these files complicates disaster recovery processes.
Since the files involved in ransomware attacks on ESXi servers are large, attackers typically employ a hybrid encryption approach. They combine the rapidity of symmetric encryption with the security of asymmetric encryption.
- Symmetric encryption – These methods, such as AES or Chacha20, allow speed and efficiency in encrypting large volumes of data. Attackers can quickly encrypt files, reducing the window of opportunity for detection and mitigation by security systems.
- Asymmetric encryption – Asymmetric methods, such as RSA, are slower since they involve a public key and a private key and require complex mathematical operations.
Therefore, in ransomware, asymmetric encryption is primarily used for securing the keys used in symmetric encryption, rather than the data itself. This ensures that the encrypted symmetric keys can only be decrypted by someone possessing the corresponding private key, i.e the attacker. Doing so prevents easy decryption, adding an extra layer of security for the attacker.
4 Key Strategies for Risk Mitigation
Once we’ve acknowledged that vCenter security is at risk, the next step is to strengthen defenses by putting obstacles in the path of potential attackers. Here are some strategies:
- Regular VCSA Updates: Always use the latest version of the VMware vCenter Server Appliance (VCSA) and keep it updated. Transitioning from a Windows-based vCenter to the VCSA can improve security, as it’s designed specifically for managing vSphere.
- Implement MFA and Remove Default Users: Don’t just change default passwords—set up strong Multi-Factor Authentication (MFA) for sensitive accounts to add an extra layer of protection.
- Deploy Effective Detection Tools: Use detection and prevention tools directly on your vCenter. Solutions like EDRs, XDRs or third-party tools can help with monitoring and alerts, making it harder for attackers to succeed. For example, setting up monitoring policies that specifically track unusual access attempts to the vpxuser account or alerts for encrypted file activity within the vCenter environment.
- Network Segmentation: Segment your network to control traffic flow and reduce the risk of lateral movement by attackers. Keeping the vCenter management network separate from other segments helps contain potential breaches.
Continuous Testing: Strengthening Your ESXi Security
Protecting your vCenter from ESXi ransomware attacks is vital. The risks tied to a compromised vCenter can affect your entire organization, impacting everyone who relies on critical data.
Regular testing and assessments can help identify and address security gaps before they become serious issues. Work with security experts who can help you implement a Continuous Threat Exposure Management (CTEM) strategy tailored to your organization.
