Researchers spot 700 percent increase in hypervisor ransomware attacks
- Reference: 1765262487
- News link: https://www.theregister.co.uk/2025/12/09/hypervisor_ransomware_attacks_increasing/
- Source link:
“Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response Dray Agha in a Monday post [1].
“The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”
Huntress’s threat hunters think ransomware scum are going after hypervisors because they’re not well defended, and cracking them means attackers can mess with the virtual machines and networks they manage.
“This shift underscores a growing and uncomfortable trend: Attackers are targeting the infrastructure that controls all hosts, and with access to the hypervisor, adversaries dramatically amplify the impact of their intrusion,” the researchers wrote.
Attacks on hypervisors follow “a familiar playbook,” the trio wrote. “We've seen it with attacks on VPN appliances: Threat actors realize that the host operating system is often proprietary or restricted, meaning defenders cannot install critical security controls like EDR [Endpoint Detection and Response]. This creates a significant blind spot.”
Huntress has observed “multiple cases where ransomware operators deploy ransomware payloads directly through hypervisors, bypassing traditional endpoint protections entirely. In some instances, attackers leverage built-in tools such as OpenSSL to perform encryption of the virtual machine volumes, avoiding the need to upload custom ransomware binaries.”
The researchers also see attackers compromise a network, steal authentication credentials, and then target hypervisors. “We’ve seen misuse of Hyper-V management utilities to modify VM settings and undermine security features,” they add. “This includes disabling endpoint defenses, tampering with virtual switches, and preparing VMs for ransomware deployment at scale.”
[6]VMware splats guest-to-hypervisor escape bugs already exploited in wild
[7]CISA flags imminent threat as Akira ransomware starts hitting Nutanix AHV
[8]Microsoft fixes under-attack privilege-escalation holes in Hyper-V
[9]Veeam bets on more VMware alternatives, including Red Hat and China’s Sangfor
Given the elevated level of attacks on hypervisors, the researchers recommend admins revisit some infosec basics like ensuring the use of multi-factor authentication and complex passwords, and staying up to date with patches. They also suggest adopting some hypervisor-specific defences, such as using settings that ensure only allow-listed binaries can run on a host.
Ensuring Security Information and Event Management systems ingest and analyze hypervisor logs is also on the researchers’ to-do list.
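As an added example (not code from the article or from Huntress), here is a small Python triage pass of the kind a SIEM rule would run over hypervisor host logs, tying together the recommendations above: it flags a login success after repeated failures, the host's run-only-installed-binaries control being switched off (`execInstalledOnly` is the ESXi name for that setting), and a burst of VM power-offs. The log line layout, host name and addresses are constructed for the example and do not copy any vendor's real format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed syslog-style lines from one host (layout assumed, not a vendor's real format).
SAMPLE_LOGS = """\
2025-12-08T02:14:03Z esx01 auth: login failed user=root from=10.0.0.5
2025-12-08T02:14:05Z esx01 auth: login failed user=root from=10.0.0.5
2025-12-08T02:14:09Z esx01 auth: login ok user=root from=10.0.0.5
2025-12-08T02:15:40Z esx01 settings: execInstalledOnly changed to FALSE by root
2025-12-08T02:16:02Z esx01 vmops: power-off vm=fileserver01 by root
2025-12-08T02:16:03Z esx01 vmops: power-off vm=dc01 by root
2025-12-08T02:16:04Z esx01 vmops: power-off vm=erp01 by root
2025-12-08T02:16:05Z esx01 vmops: power-off vm=backup01 by root
2025-12-08T09:00:00Z esx01 vmops: power-off vm=test01 by admin
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\w+): (.*)$")
AUTH_RE = re.compile(r"login (failed|ok) user=(\S+) from=(\S+)")

def parse(text):
    """Yield (timestamp, host, facility, message) for each well-formed line."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m.group(2), m.group(3), m.group(4)

def detect(text, burst_n=3, window=timedelta(seconds=60)):
    """Return (timestamp, rule, detail) findings, oldest first."""
    findings = []
    failures = defaultdict(int)   # (user, source) -> failed logins seen so far
    poweroffs = []                # timestamps of power-offs inside the window
    for ts, _host, facility, msg in parse(text):
        if facility == "auth" and (m := AUTH_RE.search(msg)):
            state, user, src = m.groups()
            if state == "failed":
                failures[(user, src)] += 1
            elif failures[(user, src)] >= 2:
                # Success right after repeated failures: guessed or reused credentials
                findings.append((ts, "auth-success-after-failures", f"{user}@{src} after {failures[(user, src)]} failures"))
        elif facility == "settings" and "execInstalledOnly changed to FALSE" in msg:
            # The allow-listed-binaries control was turned off on the host
            findings.append((ts, "allowlist-disabled", msg))
        elif facility == "vmops" and msg.startswith("power-off"):
            poweroffs = [t for t in poweroffs if ts - t <= window] + [ts]
            if len(poweroffs) == burst_n:   # fire once, when the threshold is first hit
                findings.append((ts, "mass-poweroff", f"{burst_n} VMs stopped within {window.seconds}s"))
    return findings
```

The single power-off at 09:00 is outside the window and correctly produces no finding, which is the kind of false-positive control a production rule needs.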
Infosec folks have known for decades that the hypervisor is a very tasty target, especially in the worst-case scenario of a successful VM escape in which an attack on a guest virtual machine allows takeover of the host and its hypervisor. Were such an attack to become possible, the consequences could be immense given that all hyperscale clouds rely on hypervisors to isolate tenants’ virtual machines. ®
[1] https://www.huntress.com/blog/hypervisor-defenses-against-ransomware-targeting-esxi
[6] https://www.theregister.com/2025/03/04/vmware_plugs_three_hypervisorhijack_holes/
[7] https://www.theregister.com/2025/11/14/cisa_akira_ransomware/
[8] https://www.theregister.com/2025/01/15/patch_tuesday_january_2025/
[9] https://www.theregister.com/2025/11/21/veeam_13_hypervisor_support/
Re: Proprietary OS?
Proxmox is simply not yet on the "worthy target list". That is about to change due to VMware/Broadcom; I suspect in Q1 2026 it will step up on that ladder, similarly to how Hyper-V stepped up on that ladder in Q3 2025 for the same reason. And then the usual rules apply that you should always apply to hypervisors:
Separate them, inaccessible from outside (DUH!), and inaccessible from the normal work network where the normal users operate their mail, surf the web and so on.
ESXi 6
I wonder how many of these are still ESXi 6 or less?
'Twas when VMware started their "artificial" hardware requirements for v7 .... Windows 10 to 11 style!
If they are out there.... that's some decent hardware :)
% parts per 100?
Please explain to me how there can be more than 100 parts per? Or has this octogenarian misunderstood what I was taught in the 1940s, that % was parts per 100? I know that somewhere over the Atlantic the ex-French colony likes to use the term % as an excuse to display their lack of education, and have a statue in the ex-Dutch island.
"likes to use the term % as an excuse to display their lack of education"
I cannot say that I have detected any need for an excuse from that quarter when arrogantly exhibiting their profound ignorance — certainly not recently.
One wonders whether the ‰ symbol might trigger some kind of existential crisis in such small crania. ;)
Proprietary OS?
"Threat actors realize that the host operating system is often proprietary or restricted"
Just a friendly reminder Proxmox runs on plain ol' Debian. Not necessarily more secure out of the box, but at least you're in control!