Home / Threat Intelligence bulletins / VMWare Ransomware


Researchers at Sophos have documented a ransomware attack targeting an ESXi hypervisor.
The threat actor gained access to the network through a compromised TeamViewer account.

This gave them access to a Domain Administrator’s account and from there they were able to SSH to the ESXi server and run a python script to encrypt the VMs.


The attacker was able to encrypt ESXi virtual disks on the host. This meant that recovery was much harder than if the VMs themselves had been targeted.

Vulnerability Detection

The attacker connected to ESXi over SSH.
This is disabled by default and VMWare advise that it should remain disabled when not in use. A warning can be seen in the web interface when it’s enabled.

Containment, Mitigations & Remediations

VMware have published guidance on securing ESXi on their website.

The initial breach was through a compromised TeamViewer account. TeamViewer and other remote access tools should have MFA enabled where available.

Indicators of Compromise

None listed.

Threat Landscape

A VM server would normally provide some protection against ransomware as VMs could be shut down and restored to contain the breach.

By targetting the hypervisor itself, the threat actor was able to use this control to their advantage.

Mitre Methodologies

T1219 – Remote Access Software
T1021.004 – Remote SSH Service
T1486 – Data Encrypted for Impact

Further Information

Python ransomware script targets ESXi server for encryption