The ransomware will encrypt all virtual machines' vmdk files on all attached datastores. Screenshot of ESXi virtual machine files encrypted by RansomEXX/Defray777 A future blog post will analyze this in more detail and provide more suggested protections.
![vmware esxi 6.7 vmware esxi 6.7](https://cdn-ak.f.st-hatena.com/images/fotolife/h/htbariki/20190519/20190519162225.png)
This could for example be done through an RCE vulnerability such as the one for SLP in ESXi or through Active Directory->vCenter Server->ESXi, but also in other ways. This blog post won't go into the technical details on how the attacker gets into the ESXi hosts to execute the actual ransomware. This can greatly increase the scope and speed of the attack, which is bad news for us. The benefit of this method from the attackers' side is that they can encrypt numerous systems without having to reach them all over the network and obtain administrative privileges. We have recently seen an increase in ransomware attacks where the encryption is executed from the virtualization platform (ESXi or Hyper-V hosts) rather than from inside each guest operating systems (Windows, Linux etc).
![vmware esxi 6.7 vmware esxi 6.7](https://codeinsane.files.wordpress.com/2020/09/patch-03.png)