{
	"id": "1d47e48c-934f-40c9-8e08-20283833f16e",
	"created_at": "2026-04-06T01:31:24.300612Z",
	"updated_at": "2026-04-10T13:13:01.597366Z",
	"deleted_at": null,
	"sha1_hash": "a117ed596f9c605e9e07af7d4afba9a75c807bce",
	"title": "Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting of ESXi Servers with Ransomware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 98709,
	"plain_text": "Hypervisor Jackpotting, Part 2: eCrime Actors Increase Targeting\r\nof ESXi Servers with Ransomware\r\nBy Michael Dawson\r\nArchived: 2026-04-06 00:23:17 UTC\r\nThis is Part 2 of a three-part blog series. Read Part 1 and Part 3.\r\nCrowdStrike has observed a significant increase in eCrime actors targeting VMware ESXi hypervisors with\r\nransomware since our February 2021 blog post on Hypervisor Jackpotting.\r\nMany of these adversaries share common tradecraft such as gaining interactive access via SSH, listing and\r\nterminating running VM processes prior to encryption, and targeting the vmfs/volumes datastore path to\r\nencrypt disk volumes and snapshots.\r\nSeveral defensive controls, listed later in this blog, should be implemented to mitigate the success or\r\nimpact of hypervisor jackpotting.\r\nIn February 2021, CrowdStrike blogged about Hypervisor Jackpotting, a technique that involves targeting\r\nVMware ESXi hypervisors with ransomware to increase the scope of impact. CrowdStrike noted that two big\r\ngame hunting (BGH) adversaries, CARBON SPIDER and SPRITE SPIDER, were observed utilizing this\r\ntechnique with their respective ransomware variants, Darkside and Defray777. Since then, CrowdStrike has\r\nobserved a significant uptrend in hypervisor jackpotting by other adversaries, including PINCHY SPIDER and\r\nVIKING SPIDER. In this blog, we overview each new campaign CrowdStrike has observed targeting ESXi\r\nsystems and detail defensive controls that can be implemented to protect these critical assets.\r\nBabuk Locker\r\nIn March 2021, operators of Babuk Locker ransomware offered access to an ESXi variant as part of a sought-out\r\npartnership opportunity. In May 2021, CrowdStrike Services observed a victim targeted with this ESXi variant.\r\nThe ransomware appends the file extension .babyk_esxi to files it encrypts, and creates a ransom note named\r\nHow To Restore Your Files.txt. 
The ransom note contains two URLs: a victim-specific .onion URL for\r\ncommunications, and one for the Babuk Locker dedicated leak site (DLS).\r\nFERAL SPIDER and DeathKitty\r\nSince March 2021, FERAL SPIDER, the developers and operators of DeathKitty (aka HelloKitty) ransomware,\r\nhave added functionality to terminate and encrypt virtual machines running on a VMware ESXi hypervisor. If VMware\r\nESXi targeting is enabled (-e option), the ransomware will only encrypt file extensions related to disk volumes\r\nand snapshots: .vmdk, .vmsd and .vmsn. When executed with the -k argument, the ransomware will\r\nterminate all running virtual machines using VMware ESXi’s command-line administration utility (esxcli) prior\r\nto beginning the encryption process.\r\nhttps://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/\r\nPage 1 of 5\n\nCYBORG SPIDER and Pysa\r\nSince May 2021, CYBORG SPIDER, the developers and operators of Pysa ransomware, have targeted ESXi\r\nservers for encryption. After compromising an environment, CYBORG SPIDER operators move laterally to the\r\nhypervisors via HTTPS using the native ESXi root account, where they enable SSH for a remote shell. The\r\noperators then use PuTTY and WinSCP to copy the ransomware to the /tmp directory and execute the\r\ncommands shown in Table 1.\r\nCommand Description\r\npython --version Check version of Python installed\r\ncd /tmp/ Change to /tmp/ directory\r\nchmod +x \u003cFILENAME\u003e Add execute permission to Pysa script\r\n./\u003cFILENAME\u003e /vmfs/volumes 4096 Execute Pysa against the VM datastore path\r\nTable 1. Pysa commands\r\nCrowdStrike observed multiple cases in which the Pysa ransomware script was tailored for the version of Python\r\ninstalled on the ESXi host, with Pysa filenames 27 and 3 noted as highly likely to correspond with Python v2.7 or\r\nv3.x. 
The ransomware also appends the file extension .pysa to files it encrypts, and creates a ransom note\r\nnamed RECOVER_YOUR_DATA.txt at the root (/) of the volume. The ransom note provides two email addresses,\r\nhosted on OnionMail and ProtonMail, for communications and includes Pysa’s DLS .onion domain.\r\nPINCHY SPIDER and REvix\r\nSince June 2021, PINCHY SPIDER has distributed a Linux ransomware variant named REvix to target ESXi\r\nsystems. The ELF binary uses the same encryption algorithm as PINCHY SPIDER’s Windows REvil ransomware.\r\nThe ransomware contains a JSON configuration block that specifies the ransom note filename and encrypted file\r\nextension to use. For example, in a sample of REvix v1.1c, the ransomware was configured to append the file\r\nextension .rhkrc to encrypted files, and use the name rhkrc-readme.txt as the ransom note. By default, the\r\nransomware will encrypt only the current directory and requires the --path option to specify the target folder\r\n(e.g., /vmfs/), which is then recursively enumerated. Prior to encryption, the ransomware executes the\r\ncommands shown in Table 2.\r\nCommand Description\r\npkill -9 vmx-* Terminate any processes named vmx-*\r\nesxcli --formatter=csv --format-param=fields==\"WorldID,DisplayName\" vm process list | awk -F \"\\\"*,\\\"*\" {system(\"esxcli vm process kill --type=force --world-id=\" $1)}\r\nList the running VMs on this system and force terminate each VM based on the enumerated list of World IDs\r\nTable 2. REvix commands\r\nIn July 2021, PINCHY SPIDER began distributing REvix v1.2a, which added execution of VM termination\r\nfunctionality within a separate thread, and support for additional encryption types. 
In mid-July 2021, PINCHY\r\nSPIDER’s DLS infrastructure went offline, leaving in question the future of these operations.\r\nVIKING SPIDER and Ragnar Locker\r\nSince June 2021, VIKING SPIDER has deployed Ragnar Locker’s ELF binary to ESXi systems via SSH using the\r\nnative root account. VIKING SPIDER copies the binary to the /tmp directory and issues the commands shown\r\nin Table 3.\r\nCommand Description\r\nuname -a Print all system information\r\nesxcli system version get Display the product name, version and build information\r\nesxcli system hostname get Display the fully qualified hostname of the ESXi host\r\nesxcli system account list List local user accounts\r\nesxcli --formatter=csv vm process list List the running VMs on this system\r\nesxcli vm process kill -w \u003cWID\u003e -t soft Perform a “soft” kill (clean shutdown) of the VM associated with the given World ID. This command is repeated for each running VM to kill\r\nesxcli --formatter=csv vm process list List the running VMs on this system (again) to confirm they are all shut down\r\nfind /vmfs/volumes/ -type f -name \"*.vmdk\" Search for all virtual disk files within the VM datastore path\r\nchmod a+x /tmp/\u003cFILENAME\u003e Add execute permission to Ragnar Locker binary\r\n/tmp/\u003cFILENAME\u003e /vmfs/volumes/\u003cUUID\u003e/ Execute Ragnar Locker against the VM datastore path\r\nps | grep \u003cFILENAME\u003e Ensure Ragnar Locker process is running\r\nTable 3. Ragnar Locker commands\r\nThe ransomware appends the file extension .crypted to files it encrypts, and creates a ransom note per\r\nencrypted file using the original filename appended with the extension .crypted.README_TO_RESTORE. 
The\r\nransom note includes a unique victim URL for live chat communications via Tor, as well as VIKING SPIDER’s\r\ndedicated leak site (DLS) .onion domain.\r\nHow to Protect Your Cluster\r\nListed below are CrowdStrike’s top five recommendations that organizations should implement to mitigate the\r\nsuccess or impact of hypervisor jackpotting.\r\n1. Avoid direct access to ESXi hosts. Use the vSphere Client to administer ESXi hosts that are managed by a\r\nvCenter Server. Do not access managed hosts directly with the VMware Host Client, and do not change\r\nmanaged hosts from the Direct Console User Interface (DCUI). (Note: This is a VMware-specific\r\nrecommendation.)\r\n2. If direct access to an ESXi host is necessary, use a hardened jump server with multifactor\r\nauthentication. ESXi DCUI access should be limited to a jump server used for only administrative or\r\nprivileged purposes with full auditing capabilities and multifactor authentication (MFA) enabled.\r\n3. Ensure vCenter is not exposed to the internet over SSH or HTTP. CrowdStrike has observed\r\nadversaries gaining initial access to vCenter using valid accounts or exploiting remote code execution\r\n(RCE) vulnerabilities (e.g., CVE-2021-21985). Although these vulnerabilities have been addressed by\r\nVMware, these services should not be exposed to the internet to mitigate risk.\r\n4. Ensure ESXi datastore volumes are regularly backed up. Specifically, virtual machine disk images and\r\nsnapshots should be backed up daily (more frequently if possible) to an offsite storage provider.\r\n5. If encryption activity is observed, do not shut down the ESXi hosts. If encryption activity is observed,\r\nsystem administrators may be tempted to reboot or shut down VMs. Be aware that ransomware is not able\r\nto modify locked files, and if a VM is still powered on, it will be considered locked. 
As a result, shutting\r\ndown or rebooting VMs will actually release the lock and allow the ransomware to encrypt the virtual disk\r\nfiles.\r\nAdditional ESXi security recommendations are available from VMware at https://docs.vmware.com/en/VMware-vSphere/7.0/com.vmware.vsphere.security.doc/GUID-B39474AF-6778-499A-B8AB-E973BE6D4899.html.\r\nConclusion\r\nCrowdStrike has observed a significant uptrend in eCrime campaigns targeting VMware ESXi hypervisors with\r\nransomware to maximize encryption impact across a victim environment. This targeting modus operandi is\r\nbecoming prevalent, with adversaries developing and deploying ESXi ransomware variants, and in some cases\r\nseeking partnership opportunities with other operators or access brokers. CrowdStrike recommends that\r\norganizations review their ESXi security posture and implement the specific defensive controls outlined in this\r\nblog to protect these critical assets.\r\nAdditional Resources\r\nTo learn more about eCrime adversaries tracked by CrowdStrike Intelligence, visit the CrowdStrike\r\nAdversary Universe.\r\nTo find out how to incorporate intelligence on threat actors into your security strategy, visit the\r\nCROWDSTRIKE FALCON® INTELLIGENCE™ Threat Intelligence page.\r\nLearn about the powerful, cloud-native CrowdStrike Falcon® platform by visiting the product webpage.\r\nGet a full-featured free trial of CrowdStrike Falcon® Prevent™ to see for yourself how true next-gen AV\r\nperforms against today’s most sophisticated threats.\r\nSource: https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.crowdstrike.com/en-us/blog/hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers/"
	],
	"report_names": [
		"hypervisor-jackpotting-ecrime-actors-increase-targeting-of-esxi-servers"
	],
	"threat_actors": [
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "6f37e16f-64b2-4b9c-b5b4-08d0884660eb",
			"created_at": "2022-10-25T16:07:24.380872Z",
			"updated_at": "2026-04-10T02:00:04.966462Z",
			"deleted_at": null,
			"main_name": "Viking Spider",
			"aliases": [],
			"source_name": "ETDA:Viking Spider",
			"tools": [
				"Ragnar Locker",
				"RagnarLocker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5bc2bb61-9b32-496f-b54b-61cf3d01969f",
			"created_at": "2023-01-06T13:46:39.246266Z",
			"updated_at": "2026-04-10T02:00:03.259193Z",
			"deleted_at": null,
			"main_name": "GOLD BURLAP",
			"aliases": [
				"CYBORG SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD BURLAP",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "8610b0d9-a6af-4010-818f-28671efc5d5e",
			"created_at": "2023-01-06T13:46:38.897477Z",
			"updated_at": "2026-04-10T02:00:03.138459Z",
			"deleted_at": null,
			"main_name": "PINCHY SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:PINCHY SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c84bbd2e-003d-4c43-8a46-d777455db2c7",
			"created_at": "2022-10-25T15:50:23.701006Z",
			"updated_at": "2026-04-10T02:00:05.378962Z",
			"deleted_at": null,
			"main_name": "GOLD SOUTHFIELD",
			"aliases": [
				"GOLD SOUTHFIELD",
				"Pinchy Spider"
			],
			"source_name": "MITRE:GOLD SOUTHFIELD",
			"tools": [
				"ConnectWise",
				"REvil"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "b4ec06e5-60c9-4796-9f85-129c77d1652b",
			"created_at": "2023-01-06T13:46:39.21956Z",
			"updated_at": "2026-04-10T02:00:03.249407Z",
			"deleted_at": null,
			"main_name": "VIKING SPIDER",
			"aliases": [],
			"source_name": "MISPGALAXY:VIKING SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9df68733-9bcd-43b1-88f1-24b110fa3d56",
			"created_at": "2022-10-25T16:07:24.051993Z",
			"updated_at": "2026-04-10T02:00:04.851037Z",
			"deleted_at": null,
			"main_name": "Pinchy Spider",
			"aliases": [
				"G0115",
				"Gold Garden",
				"Gold Southfield",
				"Pinchy Spider"
			],
			"source_name": "ETDA:Pinchy Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"GandCrab",
				"GrandCrab",
				"REvil",
				"Sodin",
				"Sodinokibi",
				"VIDAR",
				"Vidar Stealer",
				"certutil",
				"certutil.exe",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775439084,
	"ts_updated_at": 1775826781,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a117ed596f9c605e9e07af7d4afba9a75c807bce.pdf",
		"text": "https://archive.orkl.eu/a117ed596f9c605e9e07af7d4afba9a75c807bce.txt",
		"img": "https://archive.orkl.eu/a117ed596f9c605e9e07af7d4afba9a75c807bce.jpg"
	}
}