This is Part 1 of a two-part blog series.

Targeted large-scale ransomware campaigns, referred to as big game hunting (BGH), remained the primary eCrime threat to organizations across all sectors in 2020. The relentless volume and pace of these campaigns mean that some sophisticated BGH actors have not attracted much attention. Two such groups are SPRITE SPIDER, the operators of the Defray777 ransomware (aka Defray, Defray 2018, Target777, RansomX, RansomEXX), and CARBON SPIDER, a group formerly focused on compromising point-of-sale (POS) devices and responsible for introducing the Darkside ransomware.

While ransomware for Linux has existed for many years, BGH actors have not historically targeted Linux, much less the ESXi hypervisor specifically. This likely reflects the overwhelming dominance of the Windows operating system in businesses and large organizations. However, in the second half of 2020, SPRITE SPIDER and CARBON SPIDER began deploying Linux versions of Defray777 and Darkside, respectively, designed specifically to affect ESXi. Affected victims include organizations that have used virtualization to host many of their corporate systems on a few ESXi servers, creating a virtual jackpot for the ransomware. By deploying ransomware on these ESXi hosts, adversaries were able to quickly increase the scope of affected systems within the victim environments, resulting in additional pressure on victims to pay a ransom demand. This is a new BGH tactic CrowdStrike refers to as Hypervisor Jackpotting.

What Is ESXi?

ESXi is a Type-1 hypervisor (aka a "bare-metal" hypervisor) developed by VMware. A hypervisor is software that runs and manages virtual machines (VMs).