Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ESXi-HypervisorRansomware.

Upgrade to Pro
THREAT-ESXi-HypervisorRansomware

Service Stop — ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption

Impact Last updated:

Modern ransomware affiliates increasingly bypass Windows endpoints entirely and encrypt directly on the VMware ESXi hypervisor, since ESXi has no support for traditional AV/EDR agents and a single host often backs dozens of production VMs. The attack chain — used by ESXiArgs, Cheerscrypt, Royal, Black Basta, Akira, and LockBit's ESXi locker variant — is consistent across families: gain access via stolen vCenter/ESXi credentials, exposed SLP/OpenSLP services, or an unpatched CVE; enable the ESXi Shell/SSH (TSM-SSH) service if it is disabled by default; enumerate every running VM on the host (`esxcli vm process list` or `vim-cmd vmsvc/getallvms`); force-kill every VM process in rapid succession (`esxcli vm process kill --type=force`) so no file locks block encryption; then iterate the datastore(s) encrypting or corrupting each VMDK/VMSD/VMX file, typically with an embedded OpenSSL-based routine, before dropping a ransom note into every datastore directory. Because there is no endpoint agent, detection must rely on ESXi/vCenter log forwarding — Shell.log (interactive shell command history), hostd.log (VM lifecycle and datastore file operations), vobd.log (VMkernel observation events), and auth.log (SSH session activity) — shipped to a SIEM via syslog, plus vCenter task/event auditing where vCenter itself has not also been compromised or shut down.

What is THREAT-ESXi-HypervisorRansomware ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption?

ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption (THREAT-ESXi-HypervisorRansomware) is a sub-technique of Service Stop (T1489) in the MITRE ATT&CK framework. It maps to the Impact tactic — the adversary is trying to manipulate, interrupt, or destroy your systems and data.

This page provides production-ready detection logic for ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption, covering the data sources and telemetry it touches: VMware ESXi Shell.log, hostd.log, vobd.log, auth.log forwarded via syslog, Azure Monitor Agent Linux syslog collection, vCenter Server task/event logs (if vCenter itself remains available). The queries below are rated critical severity at high confidence, and ship for 7 SIEM platforms — KQL, SPL, Elastic, QRadar, Sumo, YARA-L, LogScale.

MITRE ATT&CK

Tactic
Impact
Microsoft Sentinel / Defender
kusto
// THREAT-ESXi-HypervisorRansomware (T1489 Service Stop -> T1486 Data Encrypted for Impact)
// Requires ESXi/vCenter syslog forwarded to the Syslog table (Azure Monitor Agent Linux syslog collection)
let ESXiHosts = dynamic(["<YOUR_ESXI_HOST_FQDNS_OR_IPS>"]); // populate from vCenter inventory; leave empty to match on ProcessName instead
let Lookback = 1h;
// Signal 1: SSH enabled/used on ESXi shortly before mass VM kill activity
let SSHActivity = Syslog
| where TimeGenerated > ago(Lookback)
| where ProcessName has_any ("sshd", "hostd")
| where SyslogMessage has_any ("Accepted password", "Accepted publickey", "TSM-SSH", "SSH login enabled")
| project TimeGenerated, Computer, SyslogMessage, Indicator = "SSHEnabledOrUsed";
// Signal 2: burst of forced VM kills / power-off commands on a single host
let VMKillBurst = Syslog
| where TimeGenerated > ago(Lookback)
| where (isempty(ESXiHosts) or Computer in (ESXiHosts))
| where SyslogMessage has_any ("esxcli vm process kill", "vim-cmd vmsvc/power.off", "vim-cmd vmsvc/power.shutdown")
| extend WorldOrVmId = extract(@"(world-id|--world-id)[= ]([0-9]+)", 2, SyslogMessage)
| summarize KillCount = count(), DistinctTargets = dcount(WorldOrVmId), SampleCommands = make_set(SyslogMessage, 10) by Computer, bin(TimeGenerated, 10m)
| where KillCount >= 5 or DistinctTargets >= 5
| project TimeGenerated, Computer, SyslogMessage = strcat_array(SampleCommands, " | "), Indicator = "MassVMKill";
// Signal 3: bulk datastore file rename/delete of VM disk files in the same window (encryption/corruption in progress)
let DatastoreBulkOps = Syslog
| where TimeGenerated > ago(Lookback)
| where ProcessName has "hostd"
| where SyslogMessage has_any (".vmdk", ".vmx", ".vmsd", ".vswp")
| where SyslogMessage has_any ("Rename", "rm -f", "unlink", "delete")
| summarize FileOpCount = count(), SampleFiles = make_set(SyslogMessage, 10) by Computer, bin(TimeGenerated, 10m)
| where FileOpCount >= 20
| project TimeGenerated, Computer, SyslogMessage = strcat_array(SampleFiles, " | "), Indicator = "BulkDatastoreFileOps";
union SSHActivity, VMKillBurst, DatastoreBulkOps
| sort by TimeGenerated desc

Three-signal detection over ESXi/vCenter logs forwarded to the Syslog table. Signal 1 flags SSH being enabled or used on the ESXi shell (SSH is disabled by default, so any use is notable). Signal 2 flags a burst of forced VM process kills or power-off commands against five or more distinct VMs within a 10-minute window on a single host — normal maintenance restarts one VM at a time, ransomware kills all of them almost simultaneously to clear file locks before encryption. Signal 3 flags bulk rename/delete operations against VM disk files (.vmdk/.vmx/.vmsd/.vswp), which is what the encryption or corruption routine looks like at the datastore-file level. Any one signal alone can be benign; two or more from the same host within the lookback window is a high-confidence hypervisor ransomware indicator.

critical severity high confidence

Data Sources

VMware ESXi Shell.log, hostd.log, vobd.log, auth.log forwarded via syslog Azure Monitor Agent Linux syslog collection vCenter Server task/event logs (if vCenter itself remains available)

Required Tables

Syslog

False Positives

  • Planned maintenance windows (ESXi patching, host reboot, DRS maintenance mode) where an administrator or vCenter orchestrates an intentional mass VM shutdown across a host
  • Disaster recovery failover tests that power off VMs on a source host as part of a rehearsed cutover
  • Backup software (Veeam, Commvault) that briefly quiesces or snapshots VMs, which can appear in hostd.log as file operations against VMDK/VMSD files
  • vMotion or Storage vMotion operations that create transient rename/copy activity against datastore files during live migration
  • Legitimate SSH access by infrastructure teams for authorized troubleshooting, especially where SSH is intentionally left enabled in lab/dev clusters

Sigma rule & cross-platform mapping

The detection logic for ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption (THREAT-ESXi-HypervisorRansomware) above is provided in a vendor-neutral form so you can deploy it on any SIEM. The same logic is shipped here as native KQL (Microsoft Sentinel / Defender), SPL (Splunk), Elastic (Elastic Security (EQL)), QRadar (IBM QRadar (AQL)), Sumo (Sumo Logic CSE), YARA-L (Google Chronicle / SecOps), LogScale (CrowdStrike LogScale (CQL)) queries. In Sigma terms, this detection targets the following logsource:

logsource:
  product: azure

Browse the community-maintained Sigma rules for this technique:


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated ESXi VM Enumeration and Forced Kill (Lab Only)

    Expected signal: Shell.log/hostd.log entries recording the esxcli vm process list and esxcli vm process kill --type=force invocations with the target world ID, timestamped seconds apart. hostd.log records the corresponding VM power-state transition to poweredOff.

  2. Test 2Simulated SSH Enablement on ESXi (Lab Only)

    Expected signal: vobd.log records the TSM-SSH service state change to running; a subsequent successful SSH login appears in auth.log with 'Accepted password' or 'Accepted publickey'.

  3. Test 3Simulated Bulk Datastore File Rename (Lab Only)

    Expected signal: hostd.log records rename operations against the .vmdk-named test files in rapid succession.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-ESXi-HypervisorRansomware — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub