Surge in Ransomware Attacks Targeting Hypervisors, Led by Akira Group
Security researchers have reported a dramatic increase in ransomware attacks targeting hypervisors, with Huntress data showing that the proportion of ransomware incidents involving hypervisors jumped from 3% in the first half of 2025 to 25% in the second half. The Akira ransomware group has been identified as the primary actor behind this trend, exploiting the limited visibility and security controls typically present on hypervisors to bypass traditional endpoint and network defenses. Attackers are leveraging built-in tools such as OpenSSL to encrypt virtual machine volumes directly from the hypervisor, allowing them to impact dozens or hundreds of VMs simultaneously and avoid detection by endpoint security solutions.
This shift in tactics underscores the critical need for organizations to harden their hypervisor infrastructure with the same rigor as endpoints and servers. Security experts recommend measures such as patching, strict access control, runtime hardening, and robust backup and recovery strategies to mitigate the risk. The trend highlights that as defenders improve endpoint security, adversaries are increasingly targeting the foundational layers of virtualized environments, making hypervisor security a top priority for organizations relying on virtualization technologies like ESXi.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Huntress publishes ESXi hypervisor hardening guidance
Huntress published practical defensive guidance for securing ESXi and other hypervisors against ransomware, recommending stronger access controls, MFA, network segregation, patching, runtime hardening, logging, and tested backup and recovery procedures. The guidance emphasized that traditional endpoint tools often miss hypervisor activity and that organizations need dedicated monitoring and defense-in-depth at this layer.
Akira identified as primary driver of hypervisor ransomware surge
Huntress identified the Akira ransomware group as the main actor behind the increase in hypervisor-focused attacks. The group was described as exploiting compromised credentials, weak segmentation, built-in tools, and vulnerabilities such as CVE-2024-37085 to gain control of ESXi environments and encrypt virtual machines at scale.
Huntress observes sharp rise in ransomware targeting hypervisors in 2025
Huntress reported that ransomware attacks against hypervisors increased dramatically during 2025, with the share of such incidents rising from about 3% to 25% in the second half of the year. The trend showed hypervisors becoming a major target because they provide centralized control over many virtual machines and often lack strong security visibility.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Google Warns of Rising Cyber Threats Targeting Hypervisors
Google Cloud Security has issued a warning that hypervisors, the core virtualization layer in modern IT environments, are becoming a significant cybersecurity vulnerability. The company highlights that while organizations have focused on securing endpoints, hypervisors have often been left unmonitored, running outdated software and configured with insecure defaults. This oversight, combined with deep integrations into legacy identity services, makes hypervisors a high-leverage target where a single compromise could grant attackers control over an entire digital infrastructure. Google's forecast for 2026 anticipates a surge in fast-moving cyberattacks aimed at hypervisors, primarily driven by financially motivated threat actors. The report urges enterprises to shift their security strategies to address these emerging risks, emphasizing that the virtualization fabric is evolving from a defensive asset into a critical blind spot susceptible to systemic disruption. Organizations are advised to prioritize monitoring and securing hypervisors to prevent large-scale breaches and maintain control over their digital estates.
Mar 21, 2026
Rising Threats to Hypervisors Amid AI and Cloud Expansion
Security experts from Google Cloud have warned that hypervisors and virtualized infrastructure are becoming increasingly attractive targets for cyber attackers. This trend is driven by the widespread adoption of cloud services, containers, and artificial intelligence systems, which expand the attack surface and introduce new vulnerabilities. Hypervisors, often lacking robust external security controls and sometimes running outdated software, are particularly at risk due to their deep integration with identity platforms like Active Directory. The adoption of AI agents, many of which operate with elevated privileges, further exacerbates the risk by increasing the potential impact of a compromise at the hypervisor level. A successful attack on a hypervisor can have cascading effects across an organization, making it a high-value target for threat actors. Google Cloud's 2026 security forecast anticipates a significant increase in targeting of hypervisors, underscoring the need for organizations to strengthen security measures around their virtualized environments.
Mar 21, 2026
ESXiArgs Ransomware Exploited Unpatched VMware ESXi Servers Worldwide
A large-scale **ESXiArgs** ransomware campaign hit internet-exposed VMware ESXi servers by exploiting a long-known vulnerability in the OpenSLP service, with incident responders and national authorities warning that many affected systems had not applied available patches. CERT-FR issued an alert on active exploitation affecting VMware ESXi, while broad reporting described widespread compromises across organizations globally as attackers encrypted virtual machine files and dropped ransom notes on hypervisors. VMware said the attacks did **not** stem from a newly discovered zero-day, but from exploitation of older, already patched weaknesses and insecurely exposed services on unsupported or unpatched ESXi versions. The incident renewed scrutiny of VMware security after earlier warnings that threat actors, including state-backed operators, had abused VMware flaws such as `CVE-2020-4006` for initial access, persistence, and privileged movement inside enterprise environments, underscoring the risk posed by internet-facing virtualization infrastructure that lags on patching and hardening.
May 25, 2026