ESXi

  • Blog

    Fake KeePass password manager leads to ESXi ransomware attack

    Threat actors have been distributing trojanized versions of the KeePass password manager for at least eight months to install Cobalt Strike beacons, steal credentials, and ultimately, deploy ransomware on the breached network. WithSecure’s Threat Intelligence team discovered the campaign after they were brought in to investigate a ransomware attack. The researchers found that the attack started with a malicious KeePass…
  • Blog

    Hackers exploit VMware ESXi, Microsoft SharePoint zero-days at Pwn2Own

    During the second day of Pwn2Own Berlin 2025, competitors earned $435,000 after exploiting zero-day bugs in multiple products, including Microsoft SharePoint, VMware ESXi, Oracle VirtualBox, Red Hat Enterprise Linux, and Mozilla Firefox. The highlight was a successful attempt by Nguyen Hoang Thach of STARLabs SG against VMware ESXi, which earned him $150,000 for an integer overflow exploit. Dinh Ho…
  • Blog

    New VanHelsing ransomware targets Windows, ARM, ESXi systems

    A new multi-platform ransomware-as-a-service (RaaS) operation named VanHelsing has emerged, targeting Windows, Linux, BSD, ARM, and ESXi systems. VanHelsing was first promoted on underground cybercrime platforms on March 7, offering experienced affiliates a free pass to join while mandating a deposit of $5,000 from less experienced threat actors. The new ransomware operation was first documented by CYFIRMA late last week,…
  • Blog

    Ransomware gang uses SSH tunnels for stealthy VMware ESXi access

    Ransomware actors targeting ESXi bare-metal hypervisors are leveraging SSH tunneling to persist on the system while remaining undetected. VMware ESXi appliances play a critical role in virtualized environments, as a single physical server can host many of an organization's virtual machines. They are largely unmonitored and have been a target for hackers looking to access corporate networks…
  • Blog

    VMware ESXi Servers Targeted by New Ransomware Variant

    A new double-extortion ransomware variant targets VMware ESXi servers, security researchers have found. The group behind it, named Cicada3301, has been promoting its ransomware-as-a-service operation since June. Once an attacker has initial access to a corporate network, they can copy and encrypt its private data using the Cicada3301 ransomware. They can then withhold the decryption key and threaten to expose…
  • Blog

    Linux version of new Cicada ransomware targets VMware ESXi servers

    A new ransomware-as-a-service (RaaS) operation is impersonating the legitimate Cicada 3301 organization and has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. The new cybercrime operation is named after and uses the same logo as the mysterious 2012-2014 online/real-world game named Cicada 3301 that involved elaborate cryptographic puzzles. However, there’s no connection between…
  • Blog

    Cicada3301 ransomware’s Linux encryptor targets VMware ESXi systems

    A new ransomware-as-a-service (RaaS) operation named Cicada3301 has already listed 19 victims on its extortion portal, as it quickly attacked companies worldwide. The new cybercrime operation is named after the mysterious 2012-2014 online/real-world game that involved elaborate cryptographic puzzles and used the same logo for promotion on cybercrime forums. However, it is unlikely there’s a connection between the…