Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ESXi-HypervisorRansomware.

Upgrade to Pro
THREAT-ESXi-HypervisorRansomware Splunk · SPL

Detect ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption in Splunk

Modern ransomware affiliates increasingly bypass Windows endpoints entirely and encrypt directly on the VMware ESXi hypervisor, since ESXi has no support for traditional AV/EDR agents and a single host often backs dozens of production VMs. The attack chain — used by ESXiArgs, Cheerscrypt, Royal, Black Basta, Akira, and LockBit's ESXi locker variant — is consistent across families: gain access via stolen vCenter/ESXi credentials, exposed SLP/OpenSLP services, or an unpatched CVE; enable the ESXi Shell/SSH (TSM-SSH) service if it is disabled by default; enumerate every running VM on the host (`esxcli vm process list` or `vim-cmd vmsvc/getallvms`); force-kill every VM process in rapid succession (`esxcli vm process kill --type=force`) so no file locks block encryption; then iterate the datastore(s) encrypting or corrupting each VMDK/VMSD/VMX file, typically with an embedded OpenSSL-based routine, before dropping a ransom note into every datastore directory. Because there is no endpoint agent, detection must rely on ESXi/vCenter log forwarding — Shell.log (interactive shell command history), hostd.log (VM lifecycle and datastore file operations), vobd.log (VMkernel observation events), and auth.log (SSH session activity) — shipped to a SIEM via syslog, plus vCenter task/event auditing where vCenter itself has not also been compromised or shut down.

MITRE ATT&CK

Tactic
Impact

SPL Detection Query

Splunk (SPL)
spl
index=esxi sourcetype=syslog
(
  (CommandLine="*Accepted password*" OR CommandLine="*Accepted publickey*" OR _raw="*TSM-SSH*")
  OR (_raw="*esxcli vm process kill*" OR _raw="*vim-cmd vmsvc/power.off*" OR _raw="*vim-cmd vmsvc/power.shutdown*")
  OR (
    (_raw="*.vmdk*" OR _raw="*.vmx*" OR _raw="*.vmsd*" OR _raw="*.vswp*")
    AND (_raw="*Rename*" OR _raw="*rm -f*" OR _raw="*unlink*" OR _raw="*delete*")
  )
)
| eval Indicator=case(
    match(_raw, "(?i)(accepted password|accepted publickey|tsm-ssh)"), "SSHEnabledOrUsed",
    match(_raw, "(?i)(esxcli vm process kill|vim-cmd vmsvc/power)"), "VMKillCommand",
    true(), "DatastoreFileOp"
  )
| bin _time span=10m
| stats count as EventCount, values(_raw) as SampleEvents, dc(host) as HostCount by host, _time, Indicator
| where (Indicator="VMKillCommand" AND EventCount>=5) OR (Indicator="DatastoreFileOp" AND EventCount>=20) OR Indicator="SSHEnabledOrUsed"
| sort - _time
critical severity high confidence

SPL detection over ESXi syslog ingested with a generic syslog sourcetype (no dedicated VMware TA required — ESXi log forwarding is commonly configured as plain RFC3164 syslog). Flags SSH enablement/use, bursts of five or more VM kill/power-off commands within a 10-minute bucket, and 20+ datastore file rename/delete operations against VM disk files in the same window. If the Splunk Add-on for VMware (TA-vmware) is deployed, the equivalent structured sourcetypes (vmware:esxlog:shell, vmware:esxlog:hostd) can replace the raw-text match for higher fidelity.

Data Sources

VMware ESXi Shell.log, hostd.log, vobd.log, auth.log via syslog forwardingSplunk Add-on for VMware (optional, for structured field extraction)

Required Sourcetypes

syslog

False Positives & Tuning

  • Scheduled host maintenance or patching windows where an admin or vCenter DRS intentionally powers off every VM on a host
  • DR failover tests and rehearsed cutovers
  • Backup software VM quiescing/snapshot activity that touches VMDK/VMSD files
  • Storage vMotion generating rename/copy operations against datastore files during live migration
  • Authorized SSH access for infrastructure troubleshooting in environments where SSH is deliberately kept enabled

Other platforms for THREAT-ESXi-HypervisorRansomware


Testing Methodology

Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.

  1. Test 1Simulated ESXi VM Enumeration and Forced Kill (Lab Only)

    Expected signal: Shell.log/hostd.log entries recording the esxcli vm process list and esxcli vm process kill --type=force invocations with the target world ID, timestamped seconds apart. hostd.log records the corresponding VM power-state transition to poweredOff.

  2. Test 2Simulated SSH Enablement on ESXi (Lab Only)

    Expected signal: vobd.log records the TSM-SSH service state change to running; a subsequent successful SSH login appears in auth.log with 'Accepted password' or 'Accepted publickey'.

  3. Test 3Simulated Bulk Datastore File Rename (Lab Only)

    Expected signal: hostd.log records rename operations against the .vmdk-named test files in rapid succession.

Unlock playbooks & atomic tests with Pro

Get the full detection package for THREAT-ESXi-HypervisorRansomware — response playbook and atomic red team tests, plus investigation guidance and hunting queries.

df00tech Pro — £29/user/month

Response PlaybookInvestigation GuideHunting QueriesAtomic Red Team TestsTuning Guidance

Related Detections

Tactic Hub