Security Magazine logo
  • Sign In
  • Create Account
  • Sign Out
  • My Account
  • NEWS
  • MANAGEMENT
  • PHYSICAL
  • CYBER
  • BLOG
  • COLUMNS
  • EXCLUSIVES
  • SECTORS
  • EVENTS
  • MEDIA
  • MORE
  • EMAG
  • SIGN UP!
cart
facebook twitter linkedin youtube
  • NEWS
  • Security Newswire
  • Technologies & Solutions
  • MANAGEMENT
  • Leadership Management
  • Enterprise Services
  • Security Education & Training
  • Logical Security
  • Security & Business Resilience
  • Profiles in Excellence
  • PHYSICAL
  • Access Management
  • Fire & Life Safety
  • Identity Management
  • Physical Security
  • Video Surveillance
  • Case Studies (Physical)
  • CYBER
  • Cybersecurity News
  • More
  • COLUMNS
  • Cyber Tactics
  • Leadership & Management
  • Security Talk
  • Career Intelligence
  • Leader to Leader
  • Cybersecurity Education & Training
  • EXCLUSIVES
  • Annual Guarding Report
  • Most Influential People in Security
  • The Security Benchmark Report
  • Top Guard and Security Officer Companies
  • Top Cybersecurity Leaders
  • Women in Security
  • SECTORS
  • Arenas / Stadiums / Leagues / Entertainment
  • Banking/Finance/Insurance
  • Construction, Real Estate, Property Management
  • Education: K-12
  • Education: University
  • Government: Federal, State and Local
  • Hospitality & Casinos
  • Hospitals & Medical Centers
  • Infrastructure:Electric,Gas & Water
  • Ports: Sea, Land, & Air
  • Retail/Restaurants/Convenience
  • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
  • Industry Events
  • Webinars
  • Solutions by Sector
  • Security 500 Conference
  • MEDIA
  • Videos
  • Podcasts
  • Polls
  • Photo Galleries
  • Videos
  • Cybersecurity & Geopolitical Discussion
  • Ask Me Anything (AMA) Series
  • MORE
  • Call for Entries
  • Classifieds & Job Listings
  • Continuing Education
  • Newsletter
  • Sponsor Insights
  • Store
  • White Papers
  • EMAG
  • eMagazine
  • This Month's Content
  • Advertise
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!
CybersecuritySecurity NewswireSecurity Leadership and ManagementCybersecurity News

VMware ESXi flaw leveraged by BlackByte ransomware

By Jordyn Alger, Managing Editor
Laptop and monitor

Image via Unsplash

September 3, 2024

The BlackByte ransomware group typically utilizes tactics, techniques and procedures (TTPs) that leverage vulnerable drivers to evade security measures to deploy a self-spreading ransomware encryptor. However, recent investigations by Talos IR reveal that BlackByte is deploying techniques that vary from its typical methods. BlackByte was observed exploiting a vulnerability in VMware ESXi (CVE-2024-37085), allowing for an authentication bypass.

Darren Guccione, CEO and Co-Founder at Keeper Security, comments, “The exploitation of CVE-2024-37085 represents an aggressive approach by BlackByte. It demonstrates a shift toward quickly iterating and updating tooling to capitalize on vulnerabilities at speed, before organizations are able to bolster their defenses. As ransomware groups like BlackByte continue to evolve their TTPs, organizations must invest in adaptive security measures that can keep up with the ever-evolving threat environment.

“The exploitation of vulnerabilities in ESXi by BlackByte and similar threat actors indicates a focused effort to compromise the core infrastructure of enterprise networks. Given that ESXi servers often host multiple virtual machines, a single successful attack can cause widespread disruption, making them a prime target for ransomware groups. BlackByte’s evolution to using advanced programming languages like C/C++ in their latest encryptor, BlackByteNT, reflects their intent to make their malware more resistant to detection and analysis with sophisticated anti-analysis and anti-debugging techniques.”

Why did BlackByte change tactics? 

Heath Renfrow, Co-founder of Fenix24, offers the following suggestion for why BlackByte may have adjusted its methods, saying, “The reason for this pivot is most likely due to the effectiveness and the number of systems still tied into Active Directory (AD), either directly or through vCenter. Gaining this level of access provides a one-stop shop where attackers can deploy their ransomware or move laterally to other hypervisors.”

Callie Guenther, Senior Manager, Cyber Threat Research at Critical Start, elaborates, “Traditionally, ransomware groups rely on well-established techniques to gain initial access, escalate privileges, and execute their malicious payloads. However, the exploitation of a new, recently disclosed vulnerability (CVE-2024-37085) in VMware ESXi hypervisors indicates a strategic pivot.

“Previously, BlackByte and similar groups have frequently relied on exploiting known vulnerabilities in widely used software (e.g., ProxyShell vulnerabilities in Microsoft Exchange) or leveraging phishing campaigns and brute-force attacks to gain access. They have used web shells, Cobalt Strike, and credential-stealing tools like Mimikatz to move laterally across networks and escalate privileges within compromised environments. The group has historically used methods such as process hollowing, registry modifications, and manipulation of system components like Volume Shadow Copies to ensure the success of their ransomware execution.

“By exploiting CVE-2024-37085, BlackByte is demonstrating an ability to quickly integrate new vulnerabilities into their toolkit, moving away from purely relying on older, well-known techniques. This shift shows that they are willing to adopt cutting-edge methods to improve the effectiveness of their attacks. VMware ESXi hypervisors are critical in many enterprise environments, often hosting multiple virtual machines that run vital business applications. Targeting such infrastructure allows the attackers to cause significant disruption, increasing the pressure on victims to pay the ransom.”

Why is this significant? 

Guenther explains, “The focus on VMware ESXi hypervisors by groups like BlackByte is particularly concerning because these servers are often central to the IT infrastructure of enterprises. By compromising an ESXi server, attackers can potentially disrupt or gain control over multiple virtual machines running critical services, magnifying the impact of the attack. The adoption of the CVE-2024-37085 vulnerability by BlackByte signals an understanding of the value in targeting these systems, as they offer a high return on investment for the attackers in terms of potential ransom payouts.

“Overall, BlackByte’s ability to adapt and leverage both new vulnerabilities and sophisticated techniques like BYOVD reflects their intent to remain a potent threat in the ransomware landscape. The group's persistence in attacking ESXi servers highlights the importance of keeping such critical infrastructure updated and secured against the latest threats.”

How can security leaders defend against BlackByte or similar tactics? 

To protect against these sophisticated attacks, Guccione advises, “Defending against these threats requires regularly hardening and patching ESXi hosts to address vulnerabilities swiftly. Implementing multi-factor authentication for remote access, auditing VPN configurations and closely monitoring privileged access are essential to minimizing the risk of compromise. Additionally, securing authentication protocols, disabling unused vendor accounts and maintaining robust detection capabilities for unauthorized changes are crucial to securing these key systems from the increasingly sophisticated tactics we’re seeing from ransomware groups like BlackByte.”

KEYWORDS: ransomware threat intelligence threat landscape vulnerability vulnerability assessment

Share This Story

Looking for a reprint of this article?
From high-res PDFs to custom plaques, order your copy today!

Jordynalger

Jordyn Alger is the managing editor for Security magazine. Alger writes for topics such as physical security and cyber security and publishes online news stories about leaders in the security industry. She is also responsible for multimedia content and social media posts. Alger graduated in 2021 with a BA in English – Specialization in Writing from the University of Michigan. Image courtesy of Alger

Recommended Content

JOIN TODAY
To unlock your recommendations.

Already have an account? Sign In

  • Security's Top Cybersecurity Leaders 2024

    Security's Top Cybersecurity Leaders 2024

    Security magazine's Top Cybersecurity Leaders 2024 award...
    Top Cybersecurity Leaders
    By: Security Staff
  • cyber brain

    The intersection of cybersecurity and artificial intelligence

    Artificial intelligence (AI) is a valuable cybersecurity...
    Security Leadership and Management
    By: Pam Nigro
  • artificial intelligence AI graphic

    Assessing the pros and cons of AI for cybersecurity

    Artificial intelligence (AI) has significant implications...
    Technologies & Solutions
    By: Charles Denyer
Manage My Account
  • Security eNewsletter & Other eNews Alerts
  • eMagazine Subscriptions
  • Manage My Preferences
  • Online Registration
  • Mobile App
  • Subscription Customer Service

Security’s Top 5 – 2024 Year in Review

Security’s Top 5 – 2024 Year in Review

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

Middle East Escalation, Humanitarian Law and Disinformation – Episode 25

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

The Money Laundering Machine: Inside the global crime epidemic - Episode 24

More Videos

Sponsored Content

Sponsored Content is a special paid section where industry companies provide high quality, objective, non-commercial content around topics of interest to the Security audience. All Sponsored Content is supplied by the advertising company and any opinions expressed in this article are those of the author and not necessarily reflect the views of Security or its parent company, BNP Media. Interested in participating in our Sponsored Content section? Contact your local rep!

close
  • Sureview screen
    Sponsored bySureView Systems

    The Evolution of Automation in the Command Center

  • Crisis Response Team
    Sponsored byEverbridge

    Automate or Fall Behind – Crisis Response at the Speed of Risk

  • Perimeter security
    Sponsored byAMAROK

    Why Property Security is the New Competitive Advantage

Popular Stories

Rendered computer with keyboard

16B Login Credentials Exposed in World’s Largest Data Breach

Verizon on phone screen

61M Records Listed for Sale Online, Allegedly Belong to Verizon

Security’s 2025 Women in Security

Security’s 2025 Women in Security

Red spiderweb

From Retail to Insurance, Scattered Spider Changes Targets

blurry multicolored text on black screen

PowerSchool Education Technology Company Announces Data Breach

2025 Security Benchmark banner

Events

July 17, 2025

Tech in the Jungle: Leveraging Surveillance, Access Control, and Technology in Unique Environments

What do zebras, school groups and high-tech surveillance have in common? They're all part of a day’s work for the security team at the Toledo Zoo.

August 7, 2025

Threats to the Energy Sector: Implications for Corporate and National Security

The energy sector has found itself in the crosshairs of virtually every bad actor on the global stage.

View All Submit An Event

Products

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

Security Culture: A How-to Guide for Improving Security Culture and Dealing with People Risk in Your Organisation

See More Products

Related Articles

  • Coding on monitor

    ESXi environments targeted with new Linux variant ransomware strain

    See More
  • Padlock with computer keys

    Ransomware incidents increase by 132%, vishing by 1,633%

    See More
  • Columbus Ohio

    500,000 people impacted by ransomware attack on Columbus, Ohio

    See More

Related Products

See More Products
  • 9780128147948.jpg

    Effective Security Management, 7th Edition

  • Hospitality-Security.gif

    Hospitality Security: Managing Security in Today's Hotel, Lodging, Entertainment, and Tourism Environment

See More Products
×

Sign-up to receive top management & result-driven techniques in the industry.

Join over 20,000+ industry leaders who receive our premium content.

SIGN UP TODAY!
  • RESOURCES
    • Advertise
    • Contact Us
    • Store
    • Want More
  • SIGN UP TODAY
    • Create Account
    • eMagazine
    • eNewsletter
    • Customer Service
    • Manage Preferences
  • SERVICES
    • Marketing Services
    • Reprints
    • Market Research
    • List Rental
    • Survey/Respondent Access
  • STAY CONNECTED
    • LinkedIn
    • Facebook
    • YouTube
    • X (Twitter)
  • PRIVACY
    • PRIVACY POLICY
    • TERMS & CONDITIONS
    • DO NOT SELL MY PERSONAL INFORMATION
    • PRIVACY REQUEST
    • ACCESSIBILITY

Copyright ©2025. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing

Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • NEWS
    • Security Newswire
    • Technologies & Solutions
  • MANAGEMENT
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • Logical Security
    • Security & Business Resilience
    • Profiles in Excellence
  • PHYSICAL
    • Access Management
    • Fire & Life Safety
    • Identity Management
    • Physical Security
    • Video Surveillance
    • Case Studies (Physical)
  • CYBER
    • Cybersecurity News
    • More
  • BLOG
  • COLUMNS
    • Cyber Tactics
    • Leadership & Management
    • Security Talk
    • Career Intelligence
    • Leader to Leader
    • Cybersecurity Education & Training
  • EXCLUSIVES
    • Annual Guarding Report
    • Most Influential People in Security
    • The Security Benchmark Report
    • Top Guard and Security Officer Companies
    • Top Cybersecurity Leaders
    • Women in Security
  • SECTORS
    • Arenas / Stadiums / Leagues / Entertainment
    • Banking/Finance/Insurance
    • Construction, Real Estate, Property Management
    • Education: K-12
    • Education: University
    • Government: Federal, State and Local
    • Hospitality & Casinos
    • Hospitals & Medical Centers
    • Infrastructure:Electric,Gas & Water
    • Ports: Sea, Land, & Air
    • Retail/Restaurants/Convenience
    • Transportation/Logistics/Supply Chain/Distribution/ Warehousing
  • EVENTS
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
  • MEDIA
    • Videos
      • Cybersecurity & Geopolitical Discussion
      • Ask Me Anything (AMA) Series
    • Podcasts
    • Polls
    • Photo Galleries
  • MORE
    • Call for Entries
    • Classifieds & Job Listings
    • Continuing Education
    • Newsletter
    • Sponsor Insights
    • Store
    • White Papers
  • EMAG
    • eMagazine
    • This Month's Content
    • Advertise
  • SIGN UP!