Hypervisors, the invisible backbone of modern corporate IT, have become the new primary battleground for ransomware groups.
According to new data from Huntress, attacks targeting hypervisors to deploy ransomware have skyrocketed in late 2025.
While hypervisors like VMware ESXi and Microsoft Hyper-V power virtually all enterprise virtual machines (VMs), they often lack the security protections of standard endpoints, making them a “force multiplier” for attackers.
Data from the Huntress Security Operations Center (SOC) reveals a disturbing trend: ransomware incidents involving malicious encryption at the hypervisor layer jumped from just 3% in the first half of 2025 to 25% in the second half of the year.
By compromising the hypervisor layer, attackers bypass traditional endpoint detection and response (EDR) tools installed on guest VMs.
The primary driver of this surge is the Akira ransomware group, which has aggressively pivoted toward targeting Type 1 (“bare metal”) hypervisors.
Instead of hacking fifty separate computers, an attacker with hypervisor access can encrypt all fifty simultaneously with a single command.
How the Attacks Work
Adversaries are following a “land-and-expand” playbook. Once they breach a network, often through compromised credentials or unpatched VPNs, they move laterally to the hypervisor management plane.
In many cases, attackers avoid uploading custom malware entirely. Instead, they “live off the land,” using built-in tools like openssl to encrypt virtual volumes directly.
A critical vulnerability fueling this fire is CVE-2024-37085. This flaw allows attackers with sufficient Active Directory (AD) permissions to recreate the ‘ESX Admins’ group, instantly seizing complete administrative control of ESXi hosts. This enables mass encryption of all VMs in seconds.
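As an added example (not from the Huntress report or this article), the living-off-the-land pattern described above can be hunted for in ESXi shell history: the script below scans constructed lines in the shape of /var/log/shell.log entries and flags forced VM process kills, openssl enc runs against datastore files, and deletion of VM files, while leaving benign openssl use (certificate inspection) unflagged. The log line layout, user names and datastore paths are assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape "<timestamp> shell[<pid>]: [<user>]: <command>";
# not captured from a real host.
SAMPLE_SHELL_LOG = """\
2025-11-03T02:11:08Z shell[2099123]: [root]: esxcli vm process list
2025-11-03T02:11:31Z shell[2099123]: [root]: esxcli vm process kill --type=force --world-id=2100044
2025-11-03T02:12:02Z shell[2099123]: [root]: openssl enc -aes-256-cbc -in /vmfs/volumes/datastore1/fs01/fs01-flat.vmdk -out /vmfs/volumes/datastore1/fs01/fs01-flat.vmdk.enc -pass file:/tmp/k
2025-11-03T02:12:40Z shell[2099123]: [root]: rm -f /vmfs/volumes/datastore1/fs01/fs01-flat.vmdk
2025-11-03T09:15:12Z shell[2101550]: [admin]: openssl x509 -in /etc/vmware/ssl/rui.crt -noout -dates
2025-11-03T09:16:00Z shell[2101550]: [admin]: ls /vmfs/volumes/datastore1
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")
# VM-related file types that live on VMFS datastores.
VM_FILE_RE = re.compile(r"/vmfs/volumes/\S+\.(vmdk|vmx|vmsd|vmsn|vmem|nvram)\b")

@dataclass
class Finding:
    ts: str
    user: str
    reason: str
    cmd: str

def classify(cmd: str) -> Optional[str]:
    """Return a reason if the command matches the article's hypervisor-layer
    TTPs (forced VM shutdown, openssl encryption of VM files, deletion of the
    originals); return None for anything else, including other openssl use."""
    argv = cmd.split()
    if not argv:
        return None
    if argv[0] == "openssl" and len(argv) > 1 and argv[1] == "enc" and VM_FILE_RE.search(cmd):
        return "openssl enc against VM datastore file"
    if argv[0] == "esxcli" and "kill" in argv and "--type=force" in argv:
        return "forced VM process kill"
    if argv[0] == "rm" and VM_FILE_RE.search(cmd):
        return "deletion of VM datastore file"
    return None

def scan_shell_log(text: str) -> List[Finding]:
    """Parse shell.log-style lines and return one Finding per suspicious command."""
    findings: List[Finding] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not interactive shell commands
        reason = classify(m["cmd"])
        if reason:
            findings.append(Finding(m["ts"], m["user"], reason, m["cmd"]))
    return findings

if __name__ == "__main__":
    for f in scan_shell_log(SAMPLE_SHELL_LOG):
        print(f"{f.ts} [{f.user}] {f.reason}: {f.cmd}")
```

On a real host the same logic applies to the forwarded shell.log stream in a SIEM, where a forced kill followed within minutes by openssl enc on the same datastore is the sequence worth alerting on.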
Critical Defense Strategies
Securing the hypervisor requires the same rigor applied to endpoints. Experts recommend a defense-in-depth strategy:
- Isolate Management Networks: Hypervisors should never be exposed to the general corporate network. Use a dedicated VLAN and enforce access strictly through a secure jump box or bastion server.
- Strict Identity Management: Stop using general domain admin accounts for ESXi management. If the hypervisor relies on dedicated local accounts, a breached domain account does not grant access to it. Multi-Factor Authentication (MFA) is non-negotiable for all management interfaces.
- Runtime Hardening: Enable features like VMkernel.Boot.execInstalledOnly = TRUE, which ensures only signed binaries can execute on the host, blocking malicious encryption scripts.
- Immutable Backups: Implement the “3-2-1” backup rule. Crucially, ensure backups are immutable, meaning they cannot be altered or deleted by ransomware, and that backup repositories are isolated from Active Directory.
As defenders harden endpoints, attackers will continue to seek the path of least resistance. The hypervisor layer currently represents a massive blind spot for many organizations.
By treating hypervisors as high-value assets, applying rigorous patching, strict segmentation, and dedicated monitoring, businesses can disrupt the Akira group’s playbook and prevent a single breach from becoming a total system failure.
