Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ESXi-HypervisorRansomware.

Upgrade to Pro
THREAT-ESXi-HypervisorRansomware Elastic Security · Elastic

Detect ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption in Elastic Security

Modern ransomware affiliates increasingly bypass Windows endpoints entirely and encrypt directly on the VMware ESXi hypervisor, since ESXi has no support for traditional AV/EDR agents and a single host often backs dozens of production VMs. The attack chain — used by ESXiArgs, Cheerscrypt, Royal, Black Basta, Akira, and LockBit's ESXi locker variant — is consistent across families: gain access via stolen vCenter/ESXi credentials, exposed SLP/OpenSLP services, or an unpatched CVE; enable the ESXi Shell/SSH (TSM-SSH) service if it is disabled by default; enumerate every running VM on the host (`esxcli vm process list` or `vim-cmd vmsvc/getallvms`); force-kill every VM process in rapid succession (`esxcli vm process kill --type=force`) so no file locks block encryption; then iterate the datastore(s) encrypting or corrupting each VMDK/VMSD/VMX file, typically with an embedded OpenSSL-based routine, before dropping a ransom note into every datastore directory. Because there is no endpoint agent, detection must rely on ESXi/vCenter log forwarding — Shell.log (interactive shell command history), hostd.log (VM lifecycle and datastore file operations), vobd.log (VMkernel observation events), and auth.log (SSH session activity) — shipped to a SIEM via syslog, plus vCenter task/event auditing where vCenter itself has not also been compromised or shut down.

MITRE ATT&CK

Tactic
Impact

Elastic Detection Query

Elastic Security (Elastic)
eql
any where event.dataset == "system.syslog" and (
  message : ("*Accepted password*", "*Accepted publickey*", "*TSM-SSH*") or
  message : ("*esxcli vm process kill*", "*vim-cmd vmsvc/power.off*", "*vim-cmd vmsvc/power.shutdown*") or
  (
    message : ("*.vmdk*", "*.vmx*", "*.vmsd*", "*.vswp*") and
    message : ("*Rename*", "*rm -f*", "*unlink*", "*delete*")
  )
)
critical severity high confidence

Detects ESXi hypervisor ransomware precursor activity using the Elastic Agent System integration's syslog dataset (logs-system.syslog-*), which ingests ESXi log forwarding as unstructured syslog since there is no native Elastic ESXi integration. Matches SSH enablement/use, VM kill/power-off commands, and bulk datastore file rename/delete operations in the raw message field. Pair with a downstream aggregation (Elastic transform or detection-rule threshold) to require 5+ kill events or 20+ file-op events within a 10-minute bucket for the full-fidelity burst signal.

Data Sources

Elastic Agent System integration (syslog dataset)logs-system.syslog-* (ESXi log forwarding ingested as generic syslog)

Required Tables

logs-system.syslog-*

False Positives & Tuning

  • Planned host maintenance or DRS-orchestrated mass VM shutdown during patching windows
  • Backup software VM quiescing/snapshot activity touching VMDK/VMSD files
  • Storage vMotion generating rename/copy operations during live migration
  • Authorized SSH access for infrastructure troubleshooting where SSH is intentionally enabled

Other platforms for THREAT-ESXi-HypervisorRansomware


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated ESXi VM Enumeration and Forced Kill (Lab Only)

    Expected signal: Shell.log/hostd.log entries recording the esxcli vm process list and esxcli vm process kill --type=force invocations with the target world ID, timestamped seconds apart. hostd.log records the corresponding VM power-state transition to poweredOff.

  2. Test 2Simulated SSH Enablement on ESXi (Lab Only)

    Expected signal: vobd.log records the TSM-SSH service state change to running; a subsequent successful SSH login appears in auth.log with 'Accepted password' or 'Accepted publickey'.

  3. Test 3Simulated Bulk Datastore File Rename (Lab Only)

    Expected signal: hostd.log records rename operations against the .vmdk-named test files in rapid succession.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-ESXi-HypervisorRansomware — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub