Ransomware gangs are exploiting VMware ESXi to encrypt the virtual hard drives of virtual machines. These attacks were first seen in October 2020 and have been linked to a criminal group that deployed the RansomExx ransomware.
Evidence from multiple security researchers suggests that the hackers used CVE-2019-5544 and CVE-2020-3992. Both vulnerabilities are in VMware ESXi, a hypervisor solution that allows multiple virtual machines to share hard drive storage. The bugs affect the Service Location Protocol (SLP) and allow an attacker to send malicious requests to an ESXi device, resulting in a complete takeover.