Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ESXi-HypervisorRansomware.
Upgrade to ProDetect ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption in Google Chronicle
Modern ransomware affiliates increasingly bypass Windows endpoints entirely and encrypt directly on the VMware ESXi hypervisor, since ESXi has no support for traditional AV/EDR agents and a single host often backs dozens of production VMs. The attack chain — used by ESXiArgs, Cheerscrypt, Royal, Black Basta, Akira, and LockBit's ESXi locker variant — is consistent across families: gain access via stolen vCenter/ESXi credentials, exposed SLP/OpenSLP services, or an unpatched CVE; enable the ESXi Shell/SSH (TSM-SSH) service if it is disabled by default; enumerate every running VM on the host (`esxcli vm process list` or `vim-cmd vmsvc/getallvms`); force-kill every VM process in rapid succession (`esxcli vm process kill --type=force`) so no file locks block encryption; then iterate the datastore(s) encrypting or corrupting each VMDK/VMSD/VMX file, typically with an embedded OpenSSL-based routine, before dropping a ransom note into every datastore directory. Because there is no endpoint agent, detection must rely on ESXi/vCenter log forwarding — Shell.log (interactive shell command history), hostd.log (VM lifecycle and datastore file operations), vobd.log (VMkernel observation events), and auth.log (SSH session activity) — shipped to a SIEM via syslog, plus vCenter task/event auditing where vCenter itself has not also been compromised or shut down.
MITRE ATT&CK
- Tactic
- Impact
YARA-L Detection Query
rule esxi_hypervisor_ransomware {
meta:
author = "df00tech Detection Engineering"
description = "Detects ESXi hypervisor ransomware precursor activity: SSH enablement/use, mass VM kill commands, and bulk datastore file operations"
reference = "https://attack.mitre.org/techniques/T1489/"
severity = "CRITICAL"
priority = "HIGH"
mitre_attack_tactic = "Impact"
mitre_attack_technique = "T1489, T1486"
false_positives = "Planned maintenance, DR tests, backup software quiescing, Storage vMotion"
version = "1.0"
events:
$e.metadata.event_type = "GENERIC_EVENT"
(
re.regex($e.metadata.description, `(?i)(accepted password|accepted publickey|tsm-ssh)`) or
re.regex($e.metadata.description, `(?i)(esxcli vm process kill|vim-cmd vmsvc/power)`) or
(
re.regex($e.metadata.description, `(?i)(\.vmdk|\.vmx|\.vmsd|\.vswp)`) and
re.regex($e.metadata.description, `(?i)(rename|rm -f|unlink|delete)`)
)
)
condition:
$e
} Chronicle YARA-L 2.0 rule matching GENERIC_EVENT UDM records populated from ESXi syslog forwarding (ESXi/vCenter logs typically arrive as unstructured/generic events rather than a dedicated Chronicle parser). Fires on SSH enablement/use, VM kill/power-off command patterns, or bulk datastore file rename/delete activity captured in the event description field. Correlate $e.principal.hostname across matches within a 10-minute window in Chronicle's rule aggregation to build the full burst-detection signal.
Data Sources
Required Tables
False Positives & Tuning
- Planned maintenance windows with intentional mass VM shutdown
- Backup software VM quiescing/snapshot activity
- Storage vMotion live-migration file operations
- Authorized SSH troubleshooting where SSH is deliberately enabled
Other platforms for THREAT-ESXi-HypervisorRansomware
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated ESXi VM Enumeration and Forced Kill (Lab Only)
Expected signal: Shell.log/hostd.log entries recording the esxcli vm process list and esxcli vm process kill --type=force invocations with the target world ID, timestamped seconds apart. hostd.log records the corresponding VM power-state transition to poweredOff.
- Test 2Simulated SSH Enablement on ESXi (Lab Only)
Expected signal: vobd.log records the TSM-SSH service state change to running; a subsequent successful SSH login appears in auth.log with 'Accepted password' or 'Accepted publickey'.
- Test 3Simulated Bulk Datastore File Rename (Lab Only)
Expected signal: hostd.log records rename operations against the .vmdk-named test files in rapid succession.
References (6)
- https://attack.mitre.org/techniques/T1489/
- https://attack.mitre.org/techniques/T1486/
- https://attack.mitre.org/tactics/TA0040/
- https://core.vmware.com/resource/esxi-log-files
- https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-CE538A24-CB54-4B25-BF20-9CD5CEE0D2A2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-ESXi-HypervisorRansomware — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month