
Mandiant has observed a “significant increase” in the number of incidents involving a ransomware attack targeted against virtualization infrastructure, an expert at the cybersecurity firm told VentureBeat.

The increase has come over the past six to 12 months, and represents an adjustment of threat actor tactics, enabling them to “more rapidly and efficiently encrypt a large number of hosts,” said Greg Blaum, a principal consultant at Mandiant.

On Tuesday, Mandiant released M-Trends 2022, the firm’s 13th annual threat report. Among the major findings is that Mandiant has observed ransomware-focused threat actors “increasingly targeting virtualization infrastructure,” the firm disclosed in the M-Trends 2022 report.

While a traditional ransomware attack requires deploying the malicious payload across multiple hosts in a victim’s environment, an attack on virtualization infrastructure can potentially infect hundreds of virtual machines at once. With this variety of attack, “hitting one machine is much more effective,” Blaum said.


Mandiant reports that it observed a number of ransomware groups targeting VMware vSphere and ESXi platforms during 2021. The attackers included threat actors that have been associated with Conti, Hive, DarkSide and Blackcat, according to the firm.

In this type of attack, the threat actors have utilized compromised credentials to access VMware’s vCenter Server management software, Mandiant says. The attackers then use vCenter to discover all ESXi hosts that are being used in the victim’s environment, according to Mandiant.

While vSphere is traditionally an on-premises virtualization platform, a number of cloud providers will also host this type of virtualization infrastructure for clients.


In terms of mitigations for this type of attack, the most effective is network segmentation, Blaum said. This entails placing the management software used with the virtualization infrastructure on an isolated network, or VLAN.

“If there are no network routes to get to the management infrastructure, it’s going to be really difficult for an attacker to exploit it,” Blaum said.

The use of a privileged access management (PAM) solution would also be helpful in blocking this type of attack, he said.
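One way to verify the segmentation Blaum describes, as an added example that is not from the article or from Mandiant: audit a first-match firewall rule list for any path from a non-admin network into the VLAN that carries vCenter and the ESXi management interfaces. The CIDRs, the port set and the sample rules are constructed assumptions, not values from the article.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample topology (assumption); adjust to the real environment.
MGMT_VLAN = ipaddress.ip_network("10.50.0.0/24")  # vCenter and ESXi management interfaces
ADMIN_NET = ipaddress.ip_network("10.99.0.0/28")  # PAM-brokered jump hosts
MGMT_PORTS = {22, 443, 902}  # SSH, HTTPS (vCenter/ESXi UI and API), ESXi host agent

@dataclass
class Rule:
    src: str
    dst: str
    port: Optional[int]  # None means any port
    action: str          # "allow" or "deny"

def _covers(outer: Rule, inner: Rule) -> bool:
    """True if `outer` matches every packet `inner` would match."""
    src_ok = ipaddress.ip_network(inner.src).subnet_of(ipaddress.ip_network(outer.src))
    dst_ok = ipaddress.ip_network(inner.dst).subnet_of(ipaddress.ip_network(outer.dst))
    return src_ok and dst_ok and (outer.port is None or outer.port == inner.port)

def exposes_mgmt(rule: Rule, earlier: List[Rule]) -> bool:
    """An allow rule is an exposure if a non-admin source can reach a management
    port in MGMT_VLAN through it and no earlier deny rule fully shadows it."""
    if rule.action != "allow":
        return False
    if not ipaddress.ip_network(rule.dst).overlaps(MGMT_VLAN):
        return False
    if rule.port is not None and rule.port not in MGMT_PORTS:
        return False
    src = ipaddress.ip_network(rule.src)
    if src.subnet_of(ADMIN_NET) or src.subnet_of(MGMT_VLAN):
        return False  # jump hosts and intra-VLAN traffic are the intended paths
    return not any(d.action == "deny" and _covers(d, rule) for d in earlier)

def audit(rules: List[Rule]) -> List[Rule]:
    """Return the rules that open the management VLAN to non-admin networks."""
    return [r for i, r in enumerate(rules) if exposes_mgmt(r, rules[:i])]

# Constructed sample rule set, evaluated first match wins.
SAMPLE_RULES = [
    Rule("10.99.0.0/28", "10.50.0.0/24", 443, "allow"),    # jump hosts -> vCenter: fine
    Rule("10.10.0.0/16", "10.50.0.0/24", 443, "allow"),    # user LAN -> vCenter: exposure
    Rule("10.20.0.0/24", "10.50.0.10/32", None, "allow"),  # server LAN -> one ESXi host, any port: exposure
    Rule("0.0.0.0/0", "10.50.0.0/24", None, "deny"),       # catch-all deny for the VLAN
    Rule("10.30.0.0/24", "10.50.0.0/24", 902, "allow"),    # shadowed by the deny above: not reachable
]
```

Running `audit(SAMPLE_RULES)` returns the second and third rules; the last rule is reported only if the catch-all deny above it is removed, which is the kind of ordering mistake that silently reopens a route to the management plane.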

Ultimately, ransomware attacks against virtualization infrastructure are expected to remain an issue, Blaum said.

“Because the use of the virtualization infrastructure is so pervasive, and the fact that attackers can quickly and easily encrypt large numbers of hosts, we see this trend continuing in the future,” he said.
