Ransomware attacks are rapidly shifting from individual systems to the foundations of virtual infrastructure. Hypervisors such as VMware ESXi and Microsoft Hyper-V are increasingly becoming the primary target.
Attackers realize that control over this layer directly affects all underlying virtual machines, meaning a single breach can disrupt entire environments.
Research by security company Huntress shows how rapidly this trend is developing. In the second half of 2025, the share of hypervisors in ransomware incidents rose from a few percent to a quarter of all observed cases, a rise of several hundred percent, The Register reported, citing Huntress data. The Akira ransomware group plays a dominant role in this, but other attackers are following the same pattern.
The motivation behind this shift is pragmatic. Hypervisors often have less built-in security and are rarely covered by traditional endpoint detection. As with VPN appliances before them, attackers are discovering that this is a relatively poorly guarded entry point. Once inside, they can use built-in management functionality to shut down virtual machines, change configurations, and encrypt storage, sometimes without installing any additional ransomware files.
Attacks difficult to detect
In several incidents, researchers observed how attackers reused authentication credentials after an initial hack to access hypervisor management interfaces. They then used management tools to disable security, modify network configurations, and prepare for large-scale encryption. This makes these attacks difficult to detect and highly effective.
The impact extends beyond on-premises data centers. The Register points out that a successful escape from a virtual machine to the hypervisor could have significant consequences for public cloud environments, which also rely on hypervisors for tenant isolation. Although such scenarios are rare, they underscore the fundamental role of this layer.
Defense begins with recognizing that risk. Hypervisors must be treated as critical infrastructure, with strict access control, multi-factor authentication, minimal exposure of management interfaces, and consistent patching. Monitoring also deserves extra attention, so that unusual management actions or configuration changes are quickly noticed.
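The monitoring the previous paragraph calls for can be made concrete. The following is an added example, not code from the article, Huntress or The Register: a small detector that scans management-plane audit records for the pattern described earlier (a login to a management interface from an unexpected network, followed by security services being stopped, network configuration changes, and many virtual machines being powered off in a short window). The log format, the action names, the management subnet and the sample lines are all constructed for this example and do not correspond to any real hypervisor's log schema or API; in practice the parser would be adapted to the audit source actually in use (vCenter/ESXi or Hyper-V event logs forwarded to a SIEM).

```python
import ipaddress
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    ts: datetime
    host: str
    user: str
    src: str
    action: str
    detail: str


# Hypothetical management-plane actions worth alerting on. The action names
# are constructed for this example, not a real hypervisor's API.
SENSITIVE_ACTIONS = {
    "service.stop": "security or monitoring service stopped",
    "firewall.disable": "host firewall disabled",
    "ssh.enable": "remote shell enabled on host",
    "vswitch.modify": "virtual network configuration changed",
}

# Network from which management logins are expected (constructed value).
MANAGEMENT_SUBNETS = [ipaddress.ip_network("10.0.5.0/24")]

# Constructed sample audit lines: "<timestamp> <host> <user> <source_ip> <action> <detail>"
SAMPLE_LOG = """\
2025-11-03T01:12:04Z esx01 svc-backup 10.0.5.21 login ok
2025-11-03T01:12:09Z esx01 svc-backup 10.0.5.21 snapshot.create vm=web01
2025-11-03T02:40:11Z esx01 admin 203.0.113.45 login ok
2025-11-03T02:40:30Z esx01 admin 203.0.113.45 service.stop name=security-agent
2025-11-03T02:41:02Z esx01 admin 203.0.113.45 firewall.disable ruleset=all
2025-11-03T02:41:40Z esx01 admin 203.0.113.45 vswitch.modify vswitch=vSwitch0
2025-11-03T02:45:10Z esx01 admin 203.0.113.45 vm.poweroff vm=web01
2025-11-03T02:45:12Z esx01 admin 203.0.113.45 vm.poweroff vm=db01
2025-11-03T02:45:15Z esx01 admin 203.0.113.45 vm.poweroff vm=file01
2025-11-03T02:45:18Z esx01 admin 203.0.113.45 vm.poweroff vm=app01
2025-11-03T09:05:00Z esx01 ops 10.0.5.30 vm.poweroff vm=test03
"""


def parse_line(line):
    """Parse one constructed audit line into an Event."""
    ts, host, user, src, action, *rest = line.split(maxsplit=5)
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return Event(when, host, user, src, action, rest[0] if rest else "")


def alert(event, kind, message):
    return {"kind": kind, "ts": event.ts.isoformat(), "host": event.host,
            "user": event.user, "src": event.src, "message": message}


def analyze(log_text, mgmt_subnets=MANAGEMENT_SUBNETS,
            window=timedelta(minutes=10), poweroff_threshold=3):
    """Return a list of alerts for suspicious management-plane activity."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    alerts = []
    poweroffs = defaultdict(deque)  # (user, src) -> timestamps of recent power-offs
    flagged = set()                 # sessions already reported for mass power-off
    for e in events:
        if e.action == "login":
            # Management logins from outside the expected network are unusual.
            addr = ipaddress.ip_address(e.src)
            if not any(addr in net for net in mgmt_subnets):
                alerts.append(alert(e, "login_outside_mgmt_network", f"login from {e.src}"))
        elif e.action in SENSITIVE_ACTIONS:
            alerts.append(alert(e, "sensitive_action",
                                f"{SENSITIVE_ACTIONS[e.action]} ({e.detail})"))
        elif e.action == "vm.poweroff":
            # Sliding window: many power-offs by one session in a short time
            # is the prelude to encrypting the virtual disks.
            key = (e.user, e.src)
            recent = poweroffs[key]
            recent.append(e.ts)
            while recent and e.ts - recent[0] > window:
                recent.popleft()
            if len(recent) >= poweroff_threshold and key not in flagged:
                flagged.add(key)
                alerts.append(alert(e, "mass_poweroff",
                                    f"{len(recent)} VMs powered off within {window}"))
    return alerts


if __name__ == "__main__":
    for a in analyze(SAMPLE_LOG):
        print(f"{a['ts']} {a['kind']:28} {a['user']}@{a['src']}: {a['message']}")
```

On the constructed sample, the backup service account's routine snapshot from the management network produces nothing, while the `admin` session from 203.0.113.45 raises five alerts: the off-network login, three sensitive configuration changes, and one mass power-off alert once the third VM is stopped within the ten-minute window. The single power-off by `ops` stays below the threshold, which is the point of using a windowed count rather than alerting on every power-off.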
Even then, recovery remains crucial. Attacks at the hypervisor level explicitly target virtual disks and host files. Without properly isolated and regularly tested backups, there is no realistic alternative to paying. The conclusion is inevitable: anyone who uses virtualization must treat the hypervisor as a primary line of defense, not as a self-evident underlying layer.