Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Hypervisor. Show all posts
Infrastructure Security
Critical Infrastructure Security Cyber Attacks Cyber Security Ransomware Attacks Cyber Threats Hypervisor Infrastructure Security

Hypervisor Ransomware Attacks Surge as Threat Actors Shift Focus to Virtual Infrastructure

 

Hypervisors have emerged as a highly important, yet insecure, component in modern infrastructural networks, and attackers have understood this to expand the reach of their ransomware attacks. It has been observed by the security community that the modes of attack have changed, where attackers have abandoned heavily fortified devices in favor of the hypervisor, the platform through which they have the capability to regulate hundreds of devices at one time. In other words, a compromised hypervisor forms a force multiplier in a ransomware attack. 

Data from Huntress on threat hunting indicates the speed at which this trend is gathering pace. Initially in the early part of 2025, hypervisors were involved in just a few percent of ransomware attacks. However, towards the latter part of the year, this number had risen substantially, with hypervisor-level encryption now contributing towards a quarter of these attacks. This is largely because the Akira ransomware group is specifically leveraging vulnerabilities within virtualized infrastructure.  

Hypervisors provide attackers the opportunity by typically residing outside the sight of traditional security software. For this reason, bare-metal hypervisors are of particular interest to attackers since traditional security software cannot be set up on these environments. Attacks begin after gaining root access, and the attackers will be able to encrypt the disks on the virtual machines. Furthermore, attackers will be able to use the built-in functions to execute the encryption process without necessarily setting up the ransomware. 

In this case, security software would be rendered unable to detect the attacks. These attacks often begin with loopholes in credentials and network segmentation. With the availability of Hypervisor Management Interfaces on the larger internets inside organizations, attackers can launch lateral attacks when they gain entry and gain control of the virtualization layer. Misuse of native management tools has also been discovered by Huntress for adjusting Machine Settings, degrading defenses, and preparing the environment for massive Ransomware attacks. 

Additionally, the increased interest in hypervisors has emphasized that this layer must be afforded the equivalent security emphasis on it as for servers and end-points. Refined access controls and proper segmentation of management networks are required to remediate this. So too is having current and properly maintained patches on this infrastructure, as it has been shown to have regularly exploited vulnerabilities for full administrative control and rapid encryption of virtualized environments. While having comprehensive methods in place for prevention, recovery planning is essential in this scenario as well. 

A hypervisor-based ransomware is meant for environments, which could very well go down, hence the need for reliable backups, ideally immutables. This is especially true for organizations that do not have a recovery plan in place. As ransomware threats continue to evolve and become more sophisticated, the role of hypervisors has stepped up to become a focal point on the battlefield of business security. 

This is because by not securing and protecting the hypervisor level against cyber threats, what a business will essentially present to the cyber attackers is what they have always wanted: control of their whole operation with a mere click of their fingers.
Read more »
Ransomware
AI Akira Cloud Cyber Attacks Hypervisor Internet Ransomware

Researchers Find Massive Increase in Hypervisor Ransomware Incidents


Rise in hypervisor ransomware incidents 

Cybersecurity experts from Huntress have noticed a sharp rise in ransomware incidents on hypervisors and have asked users to be safe and have proper back-up. 

The Huntress case data has disclosed a surprising increase in hypervisor ransomware. It was involved in malicious encryption and rose from a mere three percent in the first half to a staggering 25 percent in 2025. 

Akira gang responsible 

Experts think that the Akira ransomware gang is the primary threat actor behind this, other players are also going after hypervisors to escape endpoint and network security controls. According to Huntress threat hunters, players are going after hypervisors as they are not secure and hacking them can allow hackers to trigger virtual machines and manage networks.

Why hypervisors?

“This shift underscores a growing and uncomfortable trend: Attackers are targeting the infrastructure that controls all hosts, and with access to the hypervisor, adversaries dramatically amplify the impact of their intrusion," experts said. The attack tactic follows classic playbook. Researchers have "seen it with attacks on VPN appliances: Threat actors realize that the host operating system is often proprietary or restricted, meaning defenders cannot install critical security controls like EDR [Endpoint Detection and Response]. This creates a significant blind spot.”

Other instances 

The experts have also found various cases where ransomware actors install ransomware payloads directly via hypervisors, escaping endpoint security. In a few cases, threat actors used built-in-tools like OpenSSL to run encryption of the virtual machine volume without having to upload custom ransomware binaries.

Attack tactic 

Huntress researchers have also found attackers disrupting a network to steal login credentials and then attack hypervisors.

“We’ve seen misuse of Hyper-V management utilities to modify VM settings and undermine security features,” they add. “This includes disabling endpoint defenses, tampering with virtual switches, and preparing VMs for ransomware deployment at scale," they said.

Mitigation strategies 

Due to the high level of attacks on hypervisors, experts have suggested admins to revisit infosec basics such as multi-factor authentication and password patch updates. Admins should also adopt hypervisor-specific safety measures like only allow-listed binaries can run on a host.

For decades, the Infosec community has known hypervisors to be an easy target. In a worst-case scenario of a successful VM evasion where an attack on a guest virtual machine allows hijacking of the host and its hypervisor, things can go further south. If this were to happen, the impact could be massive as the entire hyperscale clouds depend on hypervisors to isolate tenants' virtual systems.

Read more »
Ransomware
Cyber Attacks Cybersecurity Hypervisor News Ransomware

Hypervisor Ransomware Threat Grows: MITRE ATT&CK v17 Puts C-Suite on Alert

 

The latest update to the MITRE ATT&CK framework—version 17—has brought hypervisor security into sharp focus, prompting a necessary shift in how organizations view the core of their virtualized infrastructure. For the first time, VMware ESXi hypervisors have received a dedicated matrix within the widely adopted framework, underscoring their growing vulnerability to targeted cyberattacks. This move serves as a wake-up call for executive leadership: hypervisor security is no longer just a technical concern, but a strategic imperative. 

As enterprises increasingly rely on virtual machines to run mission-critical workloads and store sensitive data, any compromise at the hypervisor level can have devastating consequences. A single attack could trigger operational downtime, lead to failed audits, and expose the organization to compliance violations and regulatory scrutiny. Experts warn that unaddressed ESXi vulnerabilities may even be classified as preventable lapses in due diligence. 

Compounding the issue is the fact that many organizations still lack defined incident response playbooks tailored to hypervisor attacks. With MITRE ATT&CK now mapping tactics used to breach, move laterally, and deploy ransomware within hypervisors, the risks are no longer theoretical—they are measurable and real. 

To mitigate them, leadership must champion a security strategy that includes robust access controls such as multi-factor authentication, role-based permissions, lockdown policies, and virtual patching to cover unpatched or zero-day vulnerabilities. Additionally, organizations are urged to deploy runtime monitoring and align defences with the MITRE ATT&CK framework to improve security posture and audit readiness. Failing to address this blind spot could cost companies more than just operational delays—it could lead to loss of customer trust and reputational damage. 

As threat actors grow more sophisticated, overlooking the hypervisor layer is no longer an acceptable risk. The inclusion of ESXi in ATT&CK v17 represents a broader industry recognition that hypervisors must be part of the core cybersecurity conversation. For the C-suite, this means embracing their role in driving hypervisor resilience across security, infrastructure, and governance functions before an attack makes that decision for them.
Read more »
Subscribe to: Comments (Atom)