ESXi Mass-Encrypt Ransomware
Once root on ESXi, enumerate /vmfs/volumes and encrypt every .vmdk in place — single host outage takes down hundreds of VMs.
§ Where this technique fits
HV-ESXI-RANSOM is catalogued under the Impact tactic of the offensive-security kill-chain. It appears in 3 approved dossiers in the registry, at step 5.7 on average.
§ Dossiers chaining this technique
- step 5 / 6
ESXiArgs — OpenSLP unauth RCE → ransomware
Internet-facing ESXi with SLP service on TCP/427 unpatched for CVE-2021-21974. Single ROP gadget chain yields root, then a small bash script encrypts every .vmdk on local datastores.
- step 5 / 6
vCenter pre-auth RCE → root on every ESXi → mass encrypt
Pre-auth RCE on vCenter Server (DCERPC or vSphere Client class CVE). Deploy SSH key via vCenter to every managed ESXi, then mass-encrypt every .vmdk — the ESXiArgs / Black Basta playbook.
- step 7 / 7
Vish helpdesk → Okta MFA reset → admin → ransomware (MGM-class)
Identify an Okta admin via LinkedIn. Vish the helpdesk pretending to be that admin, get MFA reset. Sign in, plant attacker MFA factor, then push policy changes that disable MFA for chosen apps before mass-deploying ransomware.
§ What commonly comes next
- 01 Data Encrypted for Impact · seen 1× · T1486 · Impact
- 02 Inhibit System Recovery · seen 1× · T1490 · Impact