VMware’s ESXi security issues spur new ransomware gang into action

The popularity of ESXi combined with a lack of security tools makes it an “attractive target” for threat actors


Image: GEtty via Dennis

Security experts have issued a warning over a new ransomware-as-a-service (RaaS) gang that has been observed targeting VMware ESXi servers.

Researchers at CrowdStrike said the new group, dubbed ‘MichaelKors’, was first identified operating in the wild in April this year.

The group was observed providing affiliate groups with ransomware binaries specifically targeting Windows and ESXi/Linux systems.



The discovery comes amid a period of rising concern over threat actors increasingly targeting ESXi interfaces due to a pervasive lack of security tools, researchers said.

“More and more threat actors are recognising that the lack of security tools, lack of adequate network segmentation of ESXi interfaces, and in-the-wild vulnerabilities for ESXi create a target-rich environment,” they said.

CrowdStrike said it has “increasingly observed big game hunting threat actors” deploying Linux versions of ransomware tools to target VMware’s ESXi vSphere hypervisors.

This trend escalated significantly in the first quarter of 2023, the company added.

“RaaS platforms including ALPHV, LockBit and Defray – tracked by CrowdStrike Intelligence as Alpha Spider, Bitwise Spider and Sprite Spider – have been leveraged to target ESXi,” researchers at the firm said.

ESXi vulnerabilities

According to CrowdStrike, the emergence of an aggressive new RaaS group could pose significant risks for organizstions leveraging VMware’s hypervisor.

ESXi by design, researchers said, “does not…