
Recent findings from Huntress reveal a sharp increase in hypervisor-targeted ransomware activity, with incidents rising from just 3% in early 2025 to 25% in the second half of the year.
The primary culprit behind this surge is the Akira ransomware group, which has evolved its tactics to compromise both Microsoft Hyper-V and VMware ESXi environments, bypassing traditional endpoint defenses.
Ransomware Moves Down the Stack
Hypervisors, the core software layer managing virtual machines (VMs), are becoming prime targets due to their central role in enterprise infrastructure.
Unlike endpoints, hypervisors often operate with limited visibility and lack advanced protections such as Endpoint Detection and Response (EDR). Once compromised, attackers gain control over potentially hundreds of VMs, enabling mass encryption in minutes.
Huntress researchers note a growing trend in which adversaries, after gaining internal access through stolen credentials or a domain controller compromise, pivot laterally toward the hypervisor management interface.
In ESXi deployments, attackers often exploit misconfigurations in administrative groups, such as the “ESX Admins” Active Directory role, which grants complete administrative control when not adequately secured.
This technique was weaponized in attacks linked to CVE-2024-37085, a critical vulnerability that enables AD-based privilege escalation and can result in a complete host takeover.

Attackers have also been observed using built-in utilities, such as OpenSSL, on compromised hosts to encrypt VM volumes directly, eliminating the need to upload custom ransomware binaries and thereby reducing the likelihood of detection.
In Hyper-V environments, adversaries modify management utilities to turn off VM security controls, tamper with virtual switches, and prepare for large-scale encryption across multiple servers.
Hardening the Hypervisor Layer
Experts emphasize that defending hypervisors requires the same rigor applied to endpoints and servers. Huntress recommends several key steps:
- Restrict and separate access. Use dedicated local accounts for ESXi management, enforce multi-factor authentication, and segregate management networks from production VLANs.
- Lock down runtime execution. Enable the VMkernel.Boot.execInstalledOnly = TRUE setting to ensure only signed code runs on ESXi hosts. Disable unused services, such as SSH, and enable lockdown mode.
- Maintain strict patch management. Keep hosts up to date with the latest vendor patches and disable obsolete services, such as Service Location Protocol (SLP), which has been exploited by groups such as ESXiArgs.
- Implement immutable backups. Store backup images off-network and test complete VM recovery procedures regularly to ensure continuity during ransomware incidents.
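As an added example (not from the Huntress report or this article), the script below is a read-only shell audit for three of the ESXi items above: execInstalledOnly, the SLP firewall ruleset and the SSH service. The esxcli column layouts and the wording of /etc/init.d/SSH status are assumptions noted in the comments; the parsers take captured command output so they can be exercised offline on sample text.

```shell
#!/bin/sh
# Added example: read-only audit of the ESXi hardening points above.
# Meant for the ESXi shell as root; esxcli and /etc/init.d/SSH are host-native.
# Column layouts below are assumptions based on typical esxcli output.

# Configured value of execInstalledOnly from
# 'esxcli system settings kernel list -o execInstalledOnly'
# (assumed columns: Name Type Configured Runtime Default Description).
parse_exec_installed_only() {
    printf '%s\n' "$1" | awk '$1=="execInstalledOnly" {print $3}'
}

# Enabled flag of the CIMSLP ruleset from
# 'esxcli network firewall ruleset list -r CIMSLP' (assumed columns: Name Enabled).
parse_slp_enabled() {
    printf '%s\n' "$1" | awk '$1=="CIMSLP" {print $2}'
}

# Normalise '/etc/init.d/SSH status' output to running/stopped/unknown.
parse_ssh_state() {
    case "$1" in
        *"not running"*) echo stopped ;;
        *running*)       echo running ;;
        *)               echo unknown ;;
    esac
}

# audit_check NAME EXPECTED ACTUAL: prints PASS/FAIL, returns 0 when compliant.
audit_check() {
    if [ "$3" = "$2" ]; then echo "PASS $1=$3"; return 0; fi
    echo "FAIL $1=$3 (expected $2)"; return 1
}

# Live collection only where the ESXi tooling exists; elsewhere the
# functions are just defined so the parsers can be tested on sample text.
if command -v esxcli >/dev/null 2>&1; then
    rc=0
    audit_check execInstalledOnly TRUE \
        "$(parse_exec_installed_only "$(esxcli system settings kernel list -o execInstalledOnly)")" || rc=1
    audit_check CIMSLP false \
        "$(parse_slp_enabled "$(esxcli network firewall ruleset list -r CIMSLP)")" || rc=1
    audit_check SSH stopped \
        "$(parse_ssh_state "$(/etc/init.d/SSH status 2>&1)")" || rc=1
    exit $rc
fi
```

A non-zero exit marks at least one FAIL line, which makes the script usable from a scheduled job that alerts on drift from the hardened baseline.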
As ransomware groups like Akira intensify their focus on hypervisors, organizations must treat virtualization layers as high-value infrastructure and implement strong segmentation, continuous monitoring, and zero-trust principles.
Hypervisor security is no longer optional; it’s essential to preventing mass-encryption events across virtualized enterprise environments.
The post Akira Group Exploits Vulnerabilities, Triggering Surge in Ransomware Attacks on Hyper-V and VMware ESXi appeared first on Cyber Security News.
