
"Hypervisors such as VMware ESXi and Microsoft Hyper-V are increasingly becoming the primary target. Attackers realize that control over this layer directly affects all underlying virtual machines, meaning a single breach can disrupt entire environments. Research by security company Huntress shows how rapidly this trend is developing. In the second half of 2025, the share of hypervisors in ransomware incidents rose from a few percent to a quarter of all observed cases."
"The motivation behind this shift is pragmatic. Hypervisors often have less built-in security and are rarely protected by traditional endpoint detection. As with VPN equipment earlier, attackers are discovering that this is a relatively poorly guarded entry point. Once inside, they can exploit built-in management functionality to shut down virtual machines, change configurations, and encrypt storage, sometimes without installing additional ransomware files."
"In several incidents, researchers observed how attackers reused authentication credentials after an initial hack to access hypervisor management interfaces. They then used management tools to disable security, modify network configurations, and prepare for large-scale encryption. This makes these attacks difficult to detect and highly effective. The impact extends beyond on-premises data centers. The Register points out that a successful escape from a virtual machine to the hypervisor could have significant consequences for public cloud environments, which also rely on hypervisors for tenant isolation."
Ransomware operations are shifting focus from endpoints to hypervisors, with Huntress data showing hypervisors accounted for about a quarter of incidents in late 2025. The Akira group is a prominent actor in these campaigns, and other groups are following suit. Hypervisors frequently lack strong built-in protections and are seldom monitored by endpoint detection, creating lucrative attack surfaces. Intruders reuse credentials to access management interfaces, then disable security, alter network configurations, and prepare widespread encryption, sometimes without deploying additional ransomware binaries. A successful hypervisor compromise can affect both on-premises data centers and the tenant isolation of public cloud environments, increasing the potential blast radius and impact.
Read at Techzine Global