What starting position does this attack require?

The first step is Drop ransom note in vSphere UI (T1486) — a impact primitive. Assumed environment: target vCenter is reachable from the attacker's foothold and unpatched for a 2023+ pre-auth RCE.

What is the final impact of this kill-chain?

The final step lands on Extract cached ESXi credentials / SSO tokens (HV-NESTED-CRED), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.

How can defenders detect or prevent this attack?

Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

← RegistryDossier · 6 steps · 5 edges

Approved

vCenter pre-auth RCE → root on every ESXi → mass encrypt

Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook.

Filed by AD Knowledge BasePublished 2026-05-26

§ Kill-chainDrag · zoom · scroll

Impact

Drop ransom note in vSphere UI

T1486 · Data Encrypted for Impact

Persistence

Push attacker SSH key to every ESXi

T1098 · Account Manipulation

Discovery

Identify vCenter (port 443 / 9443)

N-NMAP-INTERNAL · Internal Nmap Sweep

Initial Access

Pre-auth RCE on vCenter

HV-VCENTER-RCE · vCenter Server RCE

Impact

Mass-encrypt VMDKs across the estate

HV-ESXI-RANSOM · ESXi Mass-Encrypt Ransomware

Credential Access

Extract cached ESXi credentials / SSO tokens

HV-NESTED-CRED · Hypervisor Credential Caches

§ Context

Assumed environment: target vCenter is reachable from the attacker's foothold and unpatched for a 2023+ pre-auth RCE. vCenter manages dozens / hundreds of ESXi hosts.

§ Steps

01
Drop ransom note in vSphere UIImpact
T1486— Data Encrypted for Impact
02
Push attacker SSH key to every ESXiPersistence
T1098— Account Manipulation
03
Identify vCenter (port 443 / 9443)Discovery
N-NMAP-INTERNAL— Internal Nmap Sweep
04
Pre-auth RCE on vCenterInitial Access
HV-VCENTER-RCE— vCenter Server RCE
05
Mass-encrypt VMDKs across the estateImpact
HV-ESXI-RANSOM— ESXi Mass-Encrypt Ransomware
06
Extract cached ESXi credentials / SSO tokensCredential Access
HV-NESTED-CRED— Hypervisor Credential Caches

§ References

T1486Data Encrypted for Impact
T1098Account Manipulation

§ Frequently asked

What is the "vCenter pre-auth RCE → root on every ESXi → mass encrypt" attack path?: Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook. It chains 6 steps drawn from real-world offensive-security techniques.
What starting position does this attack require?: The first step is Drop ransom note in vSphere UI (T1486) — a impact primitive. Assumed environment: target vCenter is reachable from the attacker's foothold and unpatched for a 2023+ pre-auth RCE.
What is the final impact of this kill-chain?: The final step lands on Extract cached ESXi credentials / SSO tokens (HV-NESTED-CRED), which falls under Credential Access. From here, an operator typically pivots into post-exploitation or maintains persistence.
How can defenders detect or prevent this attack?: Detection and prevention vary per step. Refer to each linked MITRE ATT&CK entry under "References" — every technique on that page lists defensive controls, detection telemetry, and known threat-actor usage.

vCenter pre-auth RCE → root on every ESXi → mass encrypt

§ Context

§ Steps

§ References

§ Frequently asked

§ Related dossiers

Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)

BACnet HVAC → disrupt building operations

ESXiArgs — OpenSLP unauth RCE → ransomware

Reachable Modbus PLC → direct register override