Background & Intelligence

*“VMware ESXi (formerly ESX) is an enterprise-class, type-1 hypervisor developed by VMware, a subsidiary of Broadcom, for deploying and serving virtual computers. As a type-1 hypervisor, ESXi is not a software application that is installed on an operating system (OS); instead, it includes and integrates vital OS components, such as a kernel.*” - Wikipedia

Understanding Virtualization: A Simple Overview Part 2 — ESXi | by Owais Sajid | Medium

ESXi has 3 common management interfaces:

Direct Console User Interface (DCUI)
SSH
Web Interface

The below details common files and the potential impact following encryption:

.vmdk (Virtual Disk Files) – Contains VM data; encryption renders the VM unusable.
.vmx (VM Configuration Files) – Defines VM settings; loss of these files complicates recovery.
.nvram (VM BIOS Settings) – Stores firmware-level settings for VMs.
.vmxf (Additional VM Metadata) – Aids in VM management and migration.

Source: https://stonefly.com/blog/esxiargs-ransomware-how-to-protect-vmware-esxi-servers/

Documented Attacks Against ESXi

ESXi has become a prime target in enterprise intrusions, especially where impact is an objective. This is due to enterprises typically virtualising their IT estate, especially servers. If an attacker can gain administrative privileges over a hypervisor, they can control - at scale - all servers, including Domain Controllers (if virtualised).