Researchers at security software vendor Huntress say they’ve noticed a huge increase in ransomware attacks on hypervisors and urged users to ensure they’re as secure as can be and properly backed up.
“Huntress case data revealed a stunning surge in hypervisor ransomware: its role in malicious encryption rocketed from just three percent in the first half of the year to 25 percent so far in the second half,” wrote Senior Hunt & Response Analyst Anna Pham, Technical Account Manager Ben Bernstein, and Senior Manager for Hunt & Response, Dray Agha in a Monday post.
“The primary actor driving this trend is the Akira ransomware group,” the trio warned, adding that the gang, and other attackers, are going after hypervisors “in an attempt to circumvent endpoint and network security controls.”
Huntress’s threat hunters think ransomware scum are going after hypervisors because they’re not well defended, and cracking them means attackers can mess with the virtual machines and networks they manage.
“This shift underscores a growing and uncomfortable trend: Attackers are targeting the infrastructure that controls all hosts, and with access to the hypervisor, adversaries dramatically amplify the impact of their intrusion,” the researchers wrote.
Attacks on hypervisors follow “a familiar playbook,” the trio wrote. “We've seen it with attacks on VPN appliances: Threat actors realize that the host operating system is often proprietary or restricted, meaning defenders cannot install critical security controls like EDR [Endpoint Detection and Response]. This creates a significant blind spot.”
Huntress has observed “multiple cases where ransomware operators deploy ransomware payloads directly through hypervisors, bypassing traditional endpoint protections entirely. In some instances, attackers leverage built-in tools such as OpenSSL to perform encryption of the virtual machine volumes, avoiding the need to upload custom ransomware binaries.”
The researchers also see attackers compromise a network, steal authentication credentials, and then target hypervisors. “We’ve seen misuse of Hyper-V management utilities to modify VM settings and undermine security features,” they add. “This includes disabling endpoint defenses, tampering with virtual switches, and preparing VMs for ransomware deployment at scale.”
Given the elevated level of attacks on hypervisors, the researchers recommend admins revisit some infosec basics like ensuring the use of multi-factor authentication and complex passwords, and staying up to date with patches. They also suggest adopting some hypervisor-specific defences, such as using settings that ensure only allow-listed binaries can run on a host.
Ensuring Security Information and Event Management systems ingest and analyze hypervisor logs is also on the researchers’ to-do list.
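As an added example (not from the Huntress post or this article), here is a small detection routine of the kind a SIEM pipeline could run over ingested hypervisor shell logs, tying together the two recommendations above: it escalates use of a built-in encryption tool against VM volume files and flags any binary that is not on the host's allow-list. The log line layout, the datastore paths and the allow-list contents are constructed assumptions for the demonstration.

```python
import re
from typing import NamedTuple

# Assumed log layout (constructed for this example, not taken from the article):
#   "<ISO timestamp> shell[<pid>]: [<user>]: <command line>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)
# VM disk / volume file extensions that should never be fed to ad-hoc encryption.
VM_VOLUME_RE = re.compile(r"\.(vmdk|vhdx?|qcow2)\b", re.IGNORECASE)
# Hypothetical allow-list of binaries an administrator is expected to run on the host.
ALLOWED_BINARIES = {"esxcli", "vim-cmd", "vmkfstools", "ls", "df"}

# Constructed sample log; the "openssl enc" line models the behaviour the article describes.
SAMPLE_SHELL_LOG = """\
2024-11-04T09:12:01Z shell[2045]: [root]: esxcli network ip interface list
2024-11-04T09:13:44Z shell[2045]: [root]: openssl enc -in /vmfs/volumes/ds1/db01/db01-flat.vmdk -out /vmfs/volumes/ds1/db01/db01-flat.vmdk.enc
2024-11-04T09:14:02Z shell[2045]: [root]: vim-cmd vmsvc/getallvms
2024-11-04T09:15:10Z shell[2045]: [root]: /bin/openssl version
2024-11-04T09:16:30Z shell[2045]: [root]: python3 /tmp/unknown.py
"""

class Alert(NamedTuple):
    severity: str
    ts: str
    user: str
    reason: str
    cmd: str

def inspect_shell_log(text: str, allowed=ALLOWED_BINARIES) -> list[Alert]:
    """Return alerts for hypervisor shell commands that a SIEM should escalate."""
    alerts = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped rather than silently trusted
        cmd = m["cmd"].strip()
        tokens = cmd.split()
        binary = tokens[0].rsplit("/", 1)[-1]  # strip any leading path
        argv = tokens[1:]
        # Rule 1: built-in crypto tool pointed at a VM disk file (critical).
        if binary == "openssl" and "enc" in argv and any(VM_VOLUME_RE.search(a) for a in argv):
            alerts.append(Alert("critical", m["ts"], m["user"],
                                "openssl encryption of a VM volume file", cmd))
        # Rule 2: any binary outside the allow-list (medium).
        elif binary not in allowed:
            alerts.append(Alert("medium", m["ts"], m["user"],
                                f"non-allow-listed binary '{binary}' executed", cmd))
    return alerts

if __name__ == "__main__":
    for alert in inspect_shell_log(SAMPLE_SHELL_LOG):
        print(f"[{alert.severity}] {alert.ts} {alert.user}: {alert.reason} :: {alert.cmd}")
```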
Infosec folks have known for decades that the hypervisor is a very tasty target, especially in the worst-case scenario of a successful VM escape in which an attack on a guest virtual machine allows takeover of the host and its hypervisor. Were such an attack to become possible, the consequences could be immense given that all hyperscale clouds rely on hypervisors to isolate tenants’ virtual machines. ®
