I'm sure everyone has heard a story about ransomware attacking virtual machines from within ESXi. While I thought that those were rare, special cases, I was quite surprised when reading VMware's security blog.
One post mentions 15 different ransomware families that 'support' VMware ESXi:
- AvosLocker
- Babuk
- Black Basta
- BlackCat
- Cheerscrypt
- Conti
- DarkSide/BlackMatter
- Defray777/RansomEXX
- GwisinLocker
- HelloKitty
- Hive
- Lockbit
- Luna
- RedAlert
- REvil
Some of them were designed specifically for ESXi, others are more generic and don't even shut down the VMs before starting the encryption.
In the end they cause catastrophic damage and are hard to detect or stop.
Protect against ESXi ransomware
It seems that ransomware on ESXi hosts often needs to be executed manually by the attacker.
So the primary goal is to secure access to the ESXi hosts:
- separate management and production network
- lockdown ESXi shell/SSH
- regularly patch ESXi hosts (some attacks were possible via unpatched vulnerabilities)
- keep ESXi credentials secure
- monitor for login attempts and unusual actions
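The last item, monitoring for login attempts and unusual actions, can be scripted. The following is an added example, not code from the original post or from VMware: it scans constructed ESXi-style auth.log and shell.log lines for SSH brute-force attempts, logins from outside an assumed management network, and shell commands that stop VMs (which is what ransomware does before encrypting the VM files). The log line formats, the management network 10.10.0.0/24, the threshold and the command list are assumptions; adjust them to your hosts.

```python
import re
from collections import Counter
from ipaddress import ip_address, ip_network

# Constructed sample lines in the style of ESXi /var/log/auth.log and /var/log/shell.log
# (the exact format is assumed; check a real host and adjust the regexes below).
AUTH_LOG = """\
2024-05-01T08:00:01Z sshd[2100001]: Failed password for root from 203.0.113.9 port 50001 ssh2
2024-05-01T08:00:02Z sshd[2100001]: Failed password for root from 203.0.113.9 port 50001 ssh2
2024-05-01T08:00:03Z sshd[2100001]: Failed password for root from 203.0.113.9 port 50001 ssh2
2024-05-01T08:00:04Z sshd[2100001]: Accepted keyboard-interactive/pam for root from 203.0.113.9 port 50001 ssh2
2024-05-01T09:15:00Z sshd[2100044]: Accepted keyboard-interactive/pam for root from 10.10.0.5 port 40120 ssh2
"""
SHELL_LOG = """\
2024-05-01T08:01:10Z shell[2100010]: [root]: vim-cmd vmsvc/getallvms
2024-05-01T08:01:30Z shell[2100010]: [root]: esxcli vm process kill --type=force --world-id=2100300
2024-05-01T09:16:00Z shell[2100050]: [root]: esxcli system version get
"""

MGMT_NETS = [ip_network("10.10.0.0/24")]  # assumed management network; SSH from elsewhere is suspicious
FAILED_THRESHOLD = 3                       # assumed: N failed logins from one address -> alert
# Commands typically used to stop VMs or drop snapshots before the VM files are encrypted
SUSPICIOUS_CMDS = ("esxcli vm process kill", "vim-cmd vmsvc/power.off", "vim-cmd vmsvc/snapshot.removeall")

AUTH_RE = re.compile(r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<ip>\S+)")
SHELL_RE = re.compile(r"^(?P<ts>\S+) shell\[\d+\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")


def analyze(auth_log, shell_log):
    """Return a list of alert strings derived from the two log texts."""
    alerts = []
    failed = Counter()
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue
        ip = m["ip"]
        if m["result"] == "Failed":
            failed[ip] += 1
            if failed[ip] == FAILED_THRESHOLD:  # alert once when the threshold is reached
                alerts.append(f"{m['ts']} brute-force: {failed[ip]} failed SSH logins from {ip}")
        elif not any(ip_address(ip) in net for net in MGMT_NETS):
            alerts.append(f"{m['ts']} SSH login for {m['user']} from non-management address {ip}")
    for line in shell_log.splitlines():
        m = SHELL_RE.match(line)
        if m and m["cmd"].startswith(SUSPICIOUS_CMDS):
            alerts.append(f"{m['ts']} suspicious shell command by {m['user']}: {m['cmd']}")
    return alerts


if __name__ == "__main__":
    for alert in analyze(AUTH_LOG, SHELL_LOG):
        print(alert)
```

In practice you would feed the script from a central syslog target rather than read the logs on the host, so that an attacker with shell access cannot simply clear them.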
Regular security solutions which run inside the VMs won't be of any help against those attacks.
VMware recommends their NSX products, although I don't have much experience with them.
Storage snapshots could be handy, if the storage itself isn't compromised.
Finally, if all fails, a well-designed backup should be able to save the day.
For more information visit the corresponding VMware blog posts: