Ransomware operators are continually refining their tactics in a bid to evade detection. A growing number of attackers now run their ransomware payloads inside Virtual Machines (VMs) on compromised computers: the encryptor executes in the guest, so host-based security tools see only the legitimate hypervisor process. The motivation behind this tactic is to lower the risk of discovery while the encryption process is underway.

The rise in the malicious use of VMs

  • The trend emerged last year when Sophos researchers found Ragnar Locker ransomware being deployed inside an Oracle VirtualBox virtual machine to hide its presence on the infected host.
  • Ragnar Locker ran its payload inside a Windows XP guest; the Maze ransomware gang later adopted the same trick using a Windows 7 guest.
  • As attackers continued to expand their targets, researchers witnessed a growing number of intrusions in which VMs were used this way.
  • Recently, Symantec researchers found an unknown threat actor group, believed to be an affiliate of both Conti and Mount Locker, flying under the radar by hiding its ransomware payload in VMs.

Attackers redefine the use of VMs

  • Having seen how effective virtualization is at hiding ransomware activity, attackers have also turned it around and begun targeting the hypervisors that host VMs, using Linux encryptors.
  • Recently, a security researcher from MalwareHunterTeam discovered numerous Linux ELF64 builds of HelloKitty designed to run on VMware ESXi hosts.
  • The ransomware first shuts down running virtual machines, so that their disk files are no longer locked, and then encrypts virtual hard disks, VM metadata and snapshot information, and other files on the host.
  • Not just HelloKitty: the operators behind RansomExx/Defray, Babuk, GoGoogle, DarkSide, REvil and Mespinoza have also developed Linux encryptors to target ESXi virtual machines.

Worth noting

  • Because hypervisors such as VirtualBox are legitimate software, installing one and running a guest raises no red flags on traditional antivirus tools; the encryption happens inside the guest, and the host sees only the hypervisor process reading and writing files. This lets attackers operate unnoticed.
  • Exploiting previously disclosed vulnerabilities remains one of the easiest ways to attack virtualization software, but McAfee found that there are many other ways to compromise it.
  • Several initial access brokers are also trading access to compromised vCenter/ESXi servers on underground forums. Moreover, ransomware groups are developing ransomware binaries specifically for encrypting ESXi hosts.
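The host-side blind spot described above has a practical consequence for defenders: the hypervisor process itself is clean, so the useful signals are the steps around it, a hypervisor being installed silently on a machine that has no business running VMs, host drives or network shares being mapped into a guest (the guest's encryptor can only reach host files through such a mapping), and a VM being started headless. The following detection script is an added example written for this article, not code from Cyware or from any of the researchers cited. The one-line event format, the host names, user names and timestamps are all constructed sample data; the binary names and command-line switches are VirtualBox's real ones (VBoxManage sharedfolder add, VBoxHeadless --startvm), and the choice of the shared-folder mapping as the key indicator is an assumption drawn from public reporting on the Ragnar Locker case rather than from this page. The approved-host allow-list is likewise an assumption that each organization would replace with its own.

```python
"""Hunt Windows process-creation telemetry for ransomware-in-a-VM tradecraft.

Added example, not part of the original article. Events are constructed
sample data in a flattened, Sysmon-like one-line format.
"""
import re
from dataclasses import dataclass
from typing import FrozenSet, Iterable, List

# Constructed sample events (assumption: this is example data, not real telemetry).
SAMPLE_EVENTS = [
    r'2021-06-01T02:11:03Z host=FILESRV01 user=CORP\svc_backup image=C:\Windows\System32\msiexec.exe cmd="msiexec.exe /i C:\Temp\VirtualBox-6.1.msi /qn"',
    r'2021-06-01T02:11:58Z host=FILESRV01 user=CORP\svc_backup image=C:\Program Files\Oracle\VirtualBox\VBoxSVC.exe cmd="VBoxSVC.exe --auto-shutdown"',
    r'2021-06-01T02:12:40Z host=FILESRV01 user=CORP\svc_backup image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe cmd="VBoxManage.exe sharedfolder add micro --name C_DRIVE --hostpath C:\ --automount"',
    r'2021-06-01T02:12:41Z host=FILESRV01 user=CORP\svc_backup image=C:\Program Files\Oracle\VirtualBox\VBoxManage.exe cmd="VBoxManage.exe sharedfolder add micro --name BACKUPS --hostpath \\NAS01\backups --automount"',
    r'2021-06-01T02:13:05Z host=FILESRV01 user=CORP\svc_backup image=C:\Program Files\Oracle\VirtualBox\VBoxHeadless.exe cmd="VBoxHeadless.exe --startvm micro"',
    r'2021-06-01T09:00:12Z host=DEV-WS17 user=CORP\alice image=C:\Program Files\Oracle\VirtualBox\VirtualBox.exe cmd="VirtualBox.exe"',
    r'2021-06-01T09:05:44Z host=FILESRV01 user=CORP\svc_backup image=C:\Windows\System32\notepad.exe cmd="notepad.exe C:\Temp\readme.txt"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) image=(?P<image>.+?) cmd="(?P<cmd>.*)"$'
)

# Hypervisor binaries that are legitimate software and therefore invisible to
# signature-based AV; their mere presence is only a weak (medium) signal.
HYPERVISOR_IMAGES = {
    "virtualbox.exe", "vboxheadless.exe", "vboxsvc.exe", "vboxmanage.exe",
    "vmware-vmx.exe", "vmware.exe",
}
# Strong signals: the guest can only encrypt host data it can reach, so mapping a
# host path into the VM is the step worth alerting on.
SHARED_FOLDER_RE = re.compile(r"sharedfolder\s+add\s+(?P<vm>\S+).*?--hostpath\s+(?P<path>\S+)", re.IGNORECASE)
HEADLESS_RE = re.compile(r"vboxheadless(\.exe)?\s+(--startvm|-s)\b", re.IGNORECASE)
SILENT_INSTALL_RE = re.compile(r"msiexec(\.exe)?\s.*virtualbox.*(/qn|/quiet|/q\b)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    ts: str
    severity: str
    reason: str
    command: str


def hunt(lines: Iterable[str], approved_hosts: FrozenSet[str] = frozenset()) -> List[Finding]:
    """Return one Finding per suspicious event. approved_hosts lists machines
    (upper-case) with a sanctioned virtualization use case (assumed allow-list)."""
    findings: List[Finding] = []
    for line in lines:
        m = EVENT_RE.match(line)
        if not m:
            continue  # malformed line: skip it rather than abort the whole hunt
        ev = m.groupdict()
        cmd = ev["cmd"]
        image_name = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        specific: List[Finding] = []
        if SILENT_INSTALL_RE.search(cmd):
            specific.append(Finding(ev["host"], ev["ts"], "high", "silent (unattended) hypervisor install", cmd))
        sf = SHARED_FOLDER_RE.search(cmd)
        if sf:
            specific.append(Finding(ev["host"], ev["ts"], "high",
                                    f"host path {sf['path']} exposed to guest VM {sf['vm']}", cmd))
        if HEADLESS_RE.search(cmd):
            specific.append(Finding(ev["host"], ev["ts"], "high", "VM started without a console (headless)", cmd))
        findings.extend(specific)
        # Generic rule only when nothing more specific fired, to avoid double-counting.
        if not specific and image_name in HYPERVISOR_IMAGES and ev["host"].upper() not in approved_hosts:
            findings.append(Finding(ev["host"], ev["ts"], "medium",
                                    "hypervisor binary on a host with no approved VM use", cmd))
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS, frozenset({"DEV-WS17"})):
        print(f"[{f.severity:6}] {f.ts} {f.host}: {f.reason}")
```

Run against the sample data with DEV-WS17 approved, the script reports five findings on FILESRV01 (the silent install, the two shared-folder mappings, the headless start, and the VBoxSVC service start) and nothing for the developer workstation or the notepad event. In a real deployment the same rules would be fed from endpoint telemetry, and the shared-folder alert is the one worth paging on: it fires before the guest has started encrypting.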


Virtualization and its underlying technologies play a critical role for a large number of organizations. Threat actors have recognized this and are shifting their focus to these technologies to cause greater damage, whether by hiding inside a VM on an endpoint or by encrypting the hypervisor that hosts dozens of VMs at once. Organizations should therefore watch closely for the unauthorized installation of hypervisors and virtual machines on their networks, and treat access to vCenter/ESXi infrastructure as a high-value target in need of protection.

Cyware Publisher