Hypervisors like ESXi continue to grow more ubiquitous because managing virtual machines is more powerful and convenient than managing physical ones. Unfortunately, that power and convenience also attract threat actors. The compromise of a hypervisor implies the compromise of every virtual machine housed within it: in a single stroke, dozens to hundreds of critical virtual machines could be encrypted and held for ransom.
ESXi servers are particularly exposed, which has driven the recent trend of ransomware operations focusing on specific unpatched vulnerabilities. Tens of thousands of VMware ESXi servers exposed on the Internet reached their end-of-life in October, according to a Lansweeper report. From now on these systems will receive only technical support and no security updates, which leaves them open to ransomware attacks.
Binary Defense strongly recommends that no hypervisor of any kind be accessible from the internet. A Shodan search uncovered over 100 ESXi servers compromised worldwide in the past few days in the wake of the ESXiArgs campaign, which abused a vulnerability found in ESXi. Binary Defense also strongly recommends maintaining a frequent patch cycle for ESXi servers to help keep important systems out of the clutches of attackers.
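As an added example (not code from Binary Defense or from the linked article), the following Python script audits a constructed hypervisor inventory against the two recommendations above. A management interface whose address falls outside the organisation's internal ranges is flagged as internet-exposed, a release marked unsupported is flagged as end-of-life, and a host not patched within an assumed 90-day window is flagged as overdue. The inventory fields, hostnames, addresses, the internal-range allowlist and the 90-day threshold are all assumptions for the example, not values from the page.

```python
import ipaddress
from datetime import date

# Constructed sample inventory (example data, not real hosts). The fields are
# assumed for this example, not taken from any ESXi API. "supported" marks
# whether the installed release still receives security updates.
INVENTORY = [
    {"host": "esxi-01.example.test", "mgmt_ip": "10.20.0.11",
     "last_patched": "2023-01-20", "supported": True},
    {"host": "esxi-02.example.test", "mgmt_ip": "203.0.113.45",
     "last_patched": "2022-07-02", "supported": True},
    {"host": "esxi-03.example.test", "mgmt_ip": "192.168.5.3",
     "last_patched": "2022-03-15", "supported": False},
]

# Assumed policy: a hypervisor must have been patched within this many days.
MAX_PATCH_AGE_DAYS = 90

# Ranges treated as internal (RFC 1918, loopback, link-local). Anything outside
# this allowlist is treated as potentially reachable from the internet. This is
# deliberately stricter than ipaddress's is_global, which also excludes
# documentation and test ranges such as 203.0.113.0/24.
INTERNAL_NETWORKS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16",
)]


def _as_date(value) -> date:
    """Accept either a date or an ISO-8601 string."""
    return value if isinstance(value, date) else date.fromisoformat(value)


def is_internet_reachable(ip: str) -> bool:
    """True when the address is not inside any allowlisted internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETWORKS)


def patch_age_days(last_patched, today) -> int:
    """Days elapsed since the host was last patched."""
    return (_as_date(today) - _as_date(last_patched)).days


def audit_host(entry: dict, today) -> list:
    """Return finding codes for one host; an empty list means compliant."""
    findings = []
    if is_internet_reachable(entry["mgmt_ip"]):
        findings.append("INTERNET_EXPOSED")
    if not entry["supported"]:
        findings.append("END_OF_LIFE")
    if patch_age_days(entry["last_patched"], today) > MAX_PATCH_AGE_DAYS:
        findings.append("PATCH_OVERDUE")
    return findings


def audit_inventory(inventory: list, today) -> dict:
    """Map each hostname to its list of finding codes."""
    return {entry["host"]: audit_host(entry, today) for entry in inventory}


if __name__ == "__main__":
    for host, findings in audit_inventory(INVENTORY, date.today()).items():
        print(host, "OK" if not findings else ", ".join(findings))
```

Run against a real inventory export, the script gives a defender a quick list of hosts that violate either recommendation; the allowlist approach means an address in an unexpected range is reported rather than silently assumed safe.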
https://www.bleepingcomputer.com/news/security/linux-version-of-royal-ransomware-targets-vmware-esxi-servers/

