Akira Ransomware Gang Launches Massive Campaign Targeting VMware ESXi Servers
The Akira ransomware group has launched an aggressive campaign targeting VMware ESXi hypervisors, with over 300 organizations compromised in the past month alone.
The Akira ransomware group has launched an aggressive campaign specifically targeting VMware ESXi servers, compromising more than 300 organizations across North America and Europe in the past month, according to security researchers.
The attacks exploit CVE-2024-37085, a VMware ESXi vulnerability for which a patch was released last year but which many environments have still not applied. Akira affiliates are scanning the internet for vulnerable servers and deploying a Linux variant of their ransomware built specifically for ESXi environments.
"By targeting the hypervisor layer, attackers can encrypt dozens of virtual machines with a single attack," explained Dr. Marcus Webb, threat researcher at Recorded Future. "It's an incredibly efficient way to maximize damage and pressure victims to pay."
The ransom demands range from $500,000 to $4 million, depending on the size of the victim organization. The group has also adopted double extortion tactics, threatening to publish stolen data if victims refuse to pay.
Security firm Sophos has published indicators of compromise and detailed analysis of the attack chain, which typically begins with compromised VPN credentials purchased from initial access brokers or obtained through brute-force attacks against systems with weak passwords.
VMware parent company Broadcom has issued an urgent advisory reminding customers to apply the patch and implement recommended hardening measures for ESXi environments.
Organizations are advised to ensure ESXi servers are not directly exposed to the internet, implement strong authentication for management interfaces, and maintain offline backups of virtual machine data.