Response playbooks, investigation guides, and Atomic Red Team tests are Pro-only. Upgrade to unlock the full detection package for THREAT-ESXi-HypervisorRansomware.
Upgrade to ProDetect ESXi Hypervisor Ransomware — Mass VM Termination and Datastore Encryption in Sumo Logic CSE
Modern ransomware affiliates increasingly bypass Windows endpoints entirely and encrypt directly on the VMware ESXi hypervisor, since ESXi has no support for traditional AV/EDR agents and a single host often backs dozens of production VMs. The attack chain — used by ESXiArgs, Cheerscrypt, Royal, Black Basta, Akira, and LockBit's ESXi locker variant — is consistent across families: gain access via stolen vCenter/ESXi credentials, exposed SLP/OpenSLP services, or an unpatched CVE; enable the ESXi Shell/SSH (TSM-SSH) service if it is disabled by default; enumerate every running VM on the host (`esxcli vm process list` or `vim-cmd vmsvc/getallvms`); force-kill every VM process in rapid succession (`esxcli vm process kill --type=force`) so no file locks block encryption; then iterate the datastore(s) encrypting or corrupting each VMDK/VMSD/VMX file, typically with an embedded OpenSSL-based routine, before dropping a ransom note into every datastore directory. Because there is no endpoint agent, detection must rely on ESXi/vCenter log forwarding — Shell.log (interactive shell command history), hostd.log (VM lifecycle and datastore file operations), vobd.log (VMkernel observation events), and auth.log (SSH session activity) — shipped to a SIEM via syslog, plus vCenter task/event auditing where vCenter itself has not also been compromised or shut down.
MITRE ATT&CK
- Tactic
- Impact
Sumo Detection Query
_sourceCategory=*esxi* or _sourceCategory=*vmware* or _sourceCategory=*syslog*
| where _raw matches "(?i).*(accepted password|accepted publickey|tsm-ssh).*"
or _raw matches "(?i).*(esxcli vm process kill|vim-cmd vmsvc/power).*"
or (_raw matches "(?i).*(\\.vmdk|\\.vmx|\\.vmsd|\\.vswp).*" and _raw matches "(?i).*(rename|rm -f|unlink|delete).*")
| eval Indicator = if(_raw matches "(?i).*(accepted password|accepted publickey|tsm-ssh).*", "SSHEnabledOrUsed",
if(_raw matches "(?i).*(esxcli vm process kill|vim-cmd vmsvc/power).*", "VMKillCommand", "DatastoreFileOp"))
| timeslice 10m
| stats count as EventCount, values(_raw) as SampleEvents by _sourceHost, _timeslice, Indicator
| where (Indicator="VMKillCommand" and EventCount>=5) or (Indicator="DatastoreFileOp" and EventCount>=20) or Indicator="SSHEnabledOrUsed"
| sort by EventCount desc Sumo Logic query over ESXi/VMware syslog sources matching SSH enablement/use, VM kill/power-off commands, and bulk datastore file rename/delete operations. Groups into 10-minute timeslices per host and applies the same burst thresholds (5+ kills, 20+ file ops) as the primary KQL/SPL detections.
Data Sources
Required Tables
False Positives & Tuning
- Planned maintenance windows with intentional mass VM shutdown
- Backup software VM quiescing/snapshot activity
- Storage vMotion live-migration operations
- Authorized SSH troubleshooting in environments where SSH is deliberately enabled
Other platforms for THREAT-ESXi-HypervisorRansomware
Testing Methodology
Validate this detection against 3 adversary techniques from Atomic Red Team. Each test below lists the behaviour to exercise and the telemetry you should expect to see. Executable commands and cleanup steps are available with Pro.
- Test 1Simulated ESXi VM Enumeration and Forced Kill (Lab Only)
Expected signal: Shell.log/hostd.log entries recording the esxcli vm process list and esxcli vm process kill --type=force invocations with the target world ID, timestamped seconds apart. hostd.log records the corresponding VM power-state transition to poweredOff.
- Test 2Simulated SSH Enablement on ESXi (Lab Only)
Expected signal: vobd.log records the TSM-SSH service state change to running; a subsequent successful SSH login appears in auth.log with 'Accepted password' or 'Accepted publickey'.
- Test 3Simulated Bulk Datastore File Rename (Lab Only)
Expected signal: hostd.log records rename operations against the .vmdk-named test files in rapid succession.
References (6)
- https://attack.mitre.org/techniques/T1489/
- https://attack.mitre.org/techniques/T1486/
- https://attack.mitre.org/tactics/TA0040/
- https://core.vmware.com/resource/esxi-log-files
- https://docs.vmware.com/en/VMware-vSphere/8.0/vsphere-security/GUID-CE538A24-CB54-4B25-BF20-9CD5CEE0D2A2.html
- https://github.com/redcanaryco/atomic-red-team/blob/master/atomics/T1489/T1489.md
Unlock playbooks & atomic tests with Pro
Get the full detection package for THREAT-ESXi-HypervisorRansomware — response playbook and atomic red team tests, plus investigation guidance and hunting queries.
df00tech Pro — £29/user/month