Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ESXi-HypervisorRansomware.
Upgrade to ProDetect ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption in IBM QRadar
Modern ransomware affiliates increasingly bypass Windows endpoints entirely and encrypt directly on the VMware ESXi hypervisor, since ESXi has no support for traditional AV/EDR agents and a single host often backs dozens of production VMs. The attack chain — used by ESXiArgs, Cheerscrypt, Royal, Black Basta, Akira, and LockBit's ESXi locker variant — is consistent across families: gain access via stolen vCenter/ESXi credentials, exposed SLP/OpenSLP services, or an unpatched CVE; enable the ESXi Shell/SSH (TSM-SSH) service if it is disabled by default; enumerate every running VM on the host (`esxcli vm process list` or `vim-cmd vmsvc/getallvms`); force-kill every VM process in rapid succession (`esxcli vm process kill --type=force`) so no file locks block encryption; then iterate the datastore(s) encrypting or corrupting each VMDK/VMSD/VMX file, typically with an embedded OpenSSL-based routine, before dropping a ransom note into every datastore directory. Because there is no endpoint agent, detection must rely on ESXi/vCenter log forwarding — Shell.log (interactive shell command history), hostd.log (VM lifecycle and datastore file operations), vobd.log (VMkernel observation events), and auth.log (SSH session activity) — shipped to a SIEM via syslog, plus vCenter task/event auditing where vCenter itself has not also been compromised or shut down.
MITRE ATT&CK
- Tactic
- Impact
QRadar Detection Query
SELECT
DATEFORMAT(devicetime, 'yyyy-MM-dd HH:mm:ss') AS EventTime,
sourceip AS HostIP,
UTF8(payload) AS RawMessage,
CASE
WHEN LOWER(UTF8(payload)) LIKE '%accepted password%' OR LOWER(UTF8(payload)) LIKE '%accepted publickey%' OR LOWER(UTF8(payload)) LIKE '%tsm-ssh%' THEN 'SSHEnabledOrUsed'
WHEN LOWER(UTF8(payload)) LIKE '%esxcli vm process kill%' OR LOWER(UTF8(payload)) LIKE '%vim-cmd vmsvc/power%' THEN 'VMKillCommand'
WHEN (LOWER(UTF8(payload)) LIKE '%.vmdk%' OR LOWER(UTF8(payload)) LIKE '%.vmx%' OR LOWER(UTF8(payload)) LIKE '%.vmsd%')
AND (LOWER(UTF8(payload)) LIKE '%rename%' OR LOWER(UTF8(payload)) LIKE '%rm -f%' OR LOWER(UTF8(payload)) LIKE '%unlink%' OR LOWER(UTF8(payload)) LIKE '%delete%')
THEN 'DatastoreFileOp'
ELSE 'Other'
END AS Indicator
FROM events
WHERE
(
LOWER(UTF8(payload)) LIKE '%accepted password%'
OR LOWER(UTF8(payload)) LIKE '%accepted publickey%'
OR LOWER(UTF8(payload)) LIKE '%tsm-ssh%'
OR LOWER(UTF8(payload)) LIKE '%esxcli vm process kill%'
OR LOWER(UTF8(payload)) LIKE '%vim-cmd vmsvc/power%'
OR (
(LOWER(UTF8(payload)) LIKE '%.vmdk%' OR LOWER(UTF8(payload)) LIKE '%.vmx%' OR LOWER(UTF8(payload)) LIKE '%.vmsd%')
AND (LOWER(UTF8(payload)) LIKE '%rename%' OR LOWER(UTF8(payload)) LIKE '%delete%')
)
)
ORDER BY devicetime DESC
LAST 24 HOURS QRadar AQL query over generic syslog-ingested ESXi log events (no vendor-specific DSM assumed — matches on raw payload content since ESXi is commonly forwarded via a Universal DSM or generic syslog log source). Categorizes matches into SSHEnabledOrUsed, VMKillCommand, and DatastoreFileOp indicators for SOC triage. Recommend building a QRadar AQL view or rule that requires 5+ VMKillCommand events or 20+ DatastoreFileOp events from the same sourceip within 10 minutes for the high-confidence burst pattern.
Data Sources
Required Tables
False Positives & Tuning
- Scheduled host maintenance or patch windows with intentional mass VM shutdown
- Backup software VM quiescing/snapshot activity
- Storage vMotion live-migration file operations
- Authorized SSH troubleshooting sessions in environments where SSH is deliberately enabled
Other platforms for THREAT-ESXi-HypervisorRansomware
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated ESXi VM Enumeration and Forced Kill (Lab Only)
Expected signal: Shell.log/hostd.log entries recording the esxcli vm process list and esxcli vm process kill --type=force invocations with the target world ID, timestamped seconds apart. hostd.log records the corresponding VM power-state transition to poweredOff.
- Test 2Simulated SSH Enablement on ESXi (Lab Only)
Expected signal: vobd.log records the TSM-SSH service state change to running; a subsequent successful SSH login appears in auth.log with 'Accepted password' or 'Accepted publickey'.
- Test 3Simulated Bulk Datastore File Rename (Lab Only)
Expected signal: hostd.log records rename operations against the .vmdk-named test files in rapid succession.
References (6)
- https://attack.mitre.org/techniques/T1489/
- https://attack.mitre.org/techniques/T1486/
- https://attack.mitre.org/tactics/TA0040/
- https://core.vmware.com/resource/esxi-log-files
- https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-CE538A24-CB54-4B25-BF20-9CD5CEE0D2A2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-ESXi-HypervisorRansomware — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month