IT Vortex - Managed IT Services

How to Secure VMware Environments in 2026: Tools and Tips

A few years ago, securing a VMware environment meant hardening the guest operating systems and segmenting the network so a compromised virtual machine could not spread. That advice is still correct, and it is no longer enough. The defining VMware threat of the current era does not bother with your guests at all. It goes straight for the hypervisor, encrypts every virtual machine from underneath, and never trips the endpoint protection running inside them. According to Huntress security-operations data, ransomware that encrypts at the hypervisor layer jumped from 3% of cases in the first half of 2025 to 25% in the second half, driven largely by the Akira ransomware group. Your ESXi hosts are now a primary target, not a background detail.

That single shift changes how you have to think about VMware security. It is not only that there are more threats, but that the most damaging one operates below the layer most security tools watch. This guide brings VMware hardening current for 2026: why the hypervisor became the bullseye, the specific flaws attackers exploit, the modern controls that actually blunt them, and the backup posture that decides whether a hypervisor-level attack is a bad day or a business-ending one.

The New Threat Model: Ransomware Targets the Hypervisor

Attackers made a rational choice. Encrypt one ESXi host and you encrypt every VM it runs in a single stroke, and because the encryption happens at the hypervisor, the endpoint detection and response agents inside those VMs never see it. The management plane became the highest-value target in the data center, and the campaigns followed.

The wake-up call was ESXiArgs in February 2023, a mass-exploitation campaign that hit thousands of internet-exposed ESXi hosts through CVE-2021-21974, a vulnerability in the OpenSLP service. CISA and the FBI issued a recovery advisory after more than 3,000 servers were compromised worldwide. The pattern has only matured since. In 2024, CVE-2024-37085 exposed an ESXi authentication bypass, where a specifically named Active Directory group granted full host administrator rights by default, and ransomware operators including Akira and Black Basta weaponized it for hypervisor access. Akira, Black Basta, and RansomEXX all now ship Linux and ESXi encryptors. CISA’s #StopRansomware advisory on Akira attributes roughly $244 million in ransom proceeds to that group alone.

The typical kill chain is consistent: compromise an identity, reach vCenter or the ESXi hosts, enable or abuse SSH on the hosts, and then mass-encrypt the VMs from the hypervisor. Notice what is missing from that chain. At no point does the attacker need to defeat the security software inside your virtual machines. That is precisely why hypervisor hardening has moved from best-practice hygiene to frontline defense.

How a Hypervisor Ransomware Attack Actually Unfolds

It helps to see the sequence, because each step is a place you can break the chain. A typical ESXi-targeting attack moves through predictable stages.

  • Initial access. A phished credential, an exposed VPN, or an unpatched internet-facing service gives the attacker a foothold somewhere in the environment.
  • Escalation and discovery. They harvest credentials and map the environment, looking specifically for the virtualization management plane, because that is where the leverage is.
  • Reaching vCenter or ESXi. Using a stolen admin credential or a flaw like the CVE-2024-37085 authentication bypass, they gain administrative control of the hosts.
  • Enabling the attack surface. They turn on SSH on the hosts, disable or evade logging, and often locate and neutralize backups first.
  • Mass encryption. They deploy the ESXi encryptor and lock every virtual machine on the host at once, from below the guest operating systems.

Every one of the controls in this article maps to a stage in that chain. MFA on vCenter breaks step three. Lockdown mode and SSH discipline break step four. Immutable, isolated backups defeat the backup-deletion step and preserve your recovery even if everything else fails. You do not need to stop the attacker at the door to win. You need to break the chain before it reaches mass encryption, and to survive it if it does.

Detection: Watch the Management Plane

Prevention is not complete without visibility. Because the dangerous activity happens on the hosts and in vCenter rather than inside the guests, your monitoring has to watch the management plane specifically. Alert on SSH being enabled on an ESXi host, on new or unexpected administrative logins to vCenter, on the creation of unusual local accounts, and on ESXi hosts entering maintenance mode or powering off VMs outside a change window. These are the signals that separate a normal operation from the opening moves of an encryption event, and they are exactly the telemetry an in-guest antivirus product cannot provide. Feeding host and vCenter logs into a monitored security operation, rather than leaving them unread on the appliance, is what turns hypervisor hardening from a static configuration into an active defense.
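The signals listed above are concrete enough to turn into detection logic. The following is an added example, not code from the article or from VMware: it runs a set of management-plane rules over syslog-forwarded ESXi and vCenter lines. The log lines, the change window, the admin jump subnet and the severity scheme are all constructed assumptions; real hostd and vpxd message text varies by version, so the regular expressions are the part you would adapt to what your collector actually receives.

```python
"""Management-plane detection over ESXi/vCenter syslog lines.

Added example, not code from the article or from VMware. The log lines
below are CONSTRUCTED to resemble syslog-forwarded ESXi hostd / vCenter
vpxd audit messages; the exact wording on your hosts will differ, so
adjust the regular expressions to your real feed.
"""
import re
from dataclasses import dataclass
from datetime import datetime, time

# Constructed sample: "<ISO timestamp> <host> <process>: <message>".
# Lines 1-6 are the opening moves described in the article; 7-9 are noise
# and two vCenter logins, one expected and one not.
SAMPLE_LOG = """\
2026-03-14T02:11:05Z esx01 hostd: [Event] SSH access has been enabled.
2026-03-14T02:11:40Z esx01 hostd: [Event] Lockdown mode has been disabled.
2026-03-14T02:12:10Z esx01 hostd: [Event] Account 'svc_backup2' was created.
2026-03-14T02:13:00Z esx01 hostd: [Event] Virtual machine fileserver01 powered off.
2026-03-14T02:13:02Z esx01 hostd: [Event] Virtual machine db01 powered off.
2026-03-14T02:14:00Z esx01 hostd: [Event] Host has entered maintenance mode.
2026-03-14T10:05:00Z esx02 hostd: [Event] Virtual machine web03 powered on.
2026-03-14T10:06:00Z vcsa vpxd: [Event] User ops-admin@vsphere.local logged in from 10.10.50.12
2026-03-14T10:07:00Z vcsa vpxd: [Event] User backup-svc@vsphere.local logged in from 198.51.100.77
"""

# One pattern per signal the article names. Severity is a constructed scheme:
# HIGH means triage now, regardless of time of day.
SIGNALS = {
    "ssh_enabled":       (re.compile(r"SSH access has been enabled"), "HIGH"),
    "lockdown_disabled": (re.compile(r"Lockdown mode has been disabled"), "HIGH"),
    "account_created":   (re.compile(r"Account '([^']+)' was created"), "HIGH"),
    "vm_powered_off":    (re.compile(r"Virtual machine (\S+) powered off"), "MEDIUM"),
    "maintenance_mode":  (re.compile(r"entered maintenance mode"), "MEDIUM"),
    "vcenter_login":     (re.compile(r"User (\S+) logged in from (\S+)"), "INFO"),
}

# Constructed policy: admin logins are expected only from the management jump
# subnet, and power-offs / maintenance mode only inside the change window.
ADMIN_SOURCE_PREFIX = "10.10.50."
CHANGE_WINDOW = (time(9, 0), time(17, 0))

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+): (.*)$")


@dataclass
class Alert:
    when: datetime
    host: str
    signal: str
    severity: str
    detail: str


def in_change_window(ts: datetime) -> bool:
    start, end = CHANGE_WINDOW
    return start <= ts.time() <= end


def analyze(log_text: str) -> list:
    """Return one Alert per line that matches a management-plane signal."""
    alerts = []
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts_s, host, _proc, msg = m.groups()
        ts = datetime.fromisoformat(ts_s.replace("Z", "+00:00"))
        for name, (pattern, severity) in SIGNALS.items():
            hit = pattern.search(msg)
            if not hit:
                continue
            # Context escalates the ambiguous signals: a power-off outside the
            # change window, or an admin login from outside the jump subnet.
            if name in ("vm_powered_off", "maintenance_mode") and not in_change_window(ts):
                severity = "HIGH"
            if name == "vcenter_login":
                user, src = hit.groups()
                if not src.startswith(ADMIN_SOURCE_PREFIX):
                    severity = "HIGH"
                    msg = f"{user} logged in from unexpected source {src}"
            alerts.append(Alert(ts, host, name, severity, msg))
    return alerts


def high_severity(log_text: str) -> list:
    """Only the alerts that should page someone."""
    return [a for a in analyze(log_text) if a.severity == "HIGH"]


if __name__ == "__main__":
    for a in high_severity(SAMPLE_LOG):
        print(f"{a.when.isoformat()} {a.host} {a.signal}: {a.detail}")
```

On the constructed sample the run flags seven high-severity events on esx01 and the out-of-subnet vCenter login, while the in-window power-on and the jump-host login stay at informational level. The sequence on esx01 (SSH on, lockdown off, new local account, VMs powering off, maintenance mode) within a few minutes is the shape of the kill chain the article describes, and correlating those signals per host within a short window is the natural next step for a SOC rule.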

The Broadcom-Era Wrinkle: Unpatched Hosts Are the Hunting Ground

There is a business dynamic making this worse, and a 2019 article could not have seen it coming. Since Broadcom acquired VMware in late 2023, the platform moved to subscription-only licensing, the free ESXi hypervisor was discontinued, the per-server core minimum was raised, and the product line was consolidated. The result is that a meaningful number of organizations stalled on renewals or migrations and are now running ESXi versions that are unsupported or behind on patches.

Unpatched, internet-adjacent ESXi is exactly the population ransomware crews scan for. The licensing upheaval did not create the vulnerabilities, but it widened the window in which they stay exploitable by pushing patching and lifecycle work to the back burner. Security and licensing used to be separate conversations. Under Broadcom, they are the same conversation, because a host you cannot afford to keep current is a host an attacker can afford to target.

Securing VMware: 2019 assumptions vs. 2026 reality

Area                 | The old assumption                     | The 2026 reality
---------------------|----------------------------------------|---------------------------------------------------
Primary target       | The guest OS and applications          | The ESXi hypervisor and vCenter
How ransomware hits  | Inside a VM, caught by endpoint tools  | From the hypervisor, bypassing in-guest EDR
Key control          | Antivirus and network firewalls        | Lockdown mode, MFA on vCenter, SLP/SSH off
Encryption defense   | External key server (KMS)              | vSphere Native Key Provider, no external KMS
Last line of defense | Regular backups                        | Immutable, isolated backups attackers can't delete

The fundamentals still matter. The center of gravity moved down to the hypervisor.

Hardening the Hypervisor: The Controls That Matter Now

Broadcom publishes the authoritative baseline in the vSphere Security Configuration Guide, the successor to the old hardening guide, with controls mapped to standards like NIST and DISA STIGs. The high-leverage moves for defending against the current threat are a manageable list.

  • Enable lockdown mode. It disables direct access to the host and forces all management through vCenter, where role-based access control is enforced. Normal lockdown mode is the recommended baseline.
  • Disable SLP and keep SSH off by default. Disabling the OpenSLP service is the direct mitigation for the ESXiArgs class of attack; enable SSH only transiently when you genuinely need it, never as a standing configuration.
  • Put multi-factor authentication and SSO in front of vCenter. The kill chain starts with a compromised identity, so making vCenter access phishing-resistant closes the front door most operators come through.
  • Use VM Encryption with the vSphere Native Key Provider. Native Key Provider gives you built-in key management with no external key server to stand up and secure, enabling VM encryption, virtual TPM, and vSAN data-at-rest encryption. This did not exist when older guidance was written.
  • Turn on Secure Boot and TPM 2.0 for host and boot integrity, and manage certificates deliberately rather than leaving defaults in place.
  • Patch on a real cadence. Given the licensing-driven patch gap above, disciplined, timely patching of ESXi and vCenter is now one of the single most important security controls you have.

Treat the management plane, meaning vCenter, the ESXi hosts, and their SSH access, as your crown jewels. Isolate it on a dedicated, MFA-gated network segment, and never expose an ESXi host directly to the internet. Almost every catastrophic hypervisor-ransomware case traces back to a management interface that was reachable when it should not have been.

Hardening is also not a one-time task. Configurations drift as hosts are added, upgraded, and reconfigured, so the Security Configuration Guide baseline is something to audit against continuously, not to apply once and forget. A quarterly review that re-checks lockdown mode, SSH state, SLP status, certificate validity, and patch level across every host catches the slow erosion that turns a hardened environment back into a soft target. The strongest programs treat that audit as code, running it automatically and flagging any host that has fallen out of compliance.
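Here is what "treat that audit as code" can look like for the control list above and the quarterly review in this paragraph. This is an added example, not Broadcom's Security Configuration Guide tooling or any VMware code. It audits a constructed host inventory shaped like what a PowerCLI or esxcli collection step would hand you; the dict field names, the build floor and the certificate threshold are assumptions, and the ESXi service keys `TSM-SSH` (SSH) and `slpd` (SLP) are the real service names. Replace the inventory with a real collector and the checks stay the same.

```python
"""Audit-as-code for the hypervisor hardening baseline.

Added example, not VMware/Broadcom code. It audits a CONSTRUCTED inventory
rather than querying vCenter live; field names are assumptions, and
MIN_BUILD is a placeholder, not a real ESXi build number.
"""
from datetime import date

BASELINE = {
    "min_build": 20000000,        # PLACEHOLDER: lowest patched build you accept
    "cert_min_days_left": 30,     # constructed threshold for certificate renewal
}

# Constructed inventory: one dict per host. "services" maps ESXi service key
# to whether it is currently running.
HOSTS = [
    {"name": "esx01", "lockdown_mode": "normal",
     "services": {"TSM-SSH": False, "slpd": False},
     "secure_boot": True, "tpm": True, "build": 20500000,
     "cert_expires": date(2026, 12, 1), "mgmt_ip": "10.10.50.21",
     "internet_reachable": False},
    {"name": "esx02", "lockdown_mode": "disabled",
     "services": {"TSM-SSH": True, "slpd": True},
     "secure_boot": False, "tpm": True, "build": 19900000,
     "cert_expires": date(2026, 4, 2), "mgmt_ip": "203.0.113.9",
     "internet_reachable": True},
    {"name": "esx03", "lockdown_mode": "strict",
     "services": {"TSM-SSH": False, "slpd": False},
     "secure_boot": True, "tpm": False, "build": 20500000,
     "cert_expires": date(2027, 1, 15), "mgmt_ip": "10.10.50.23",
     "internet_reachable": False},
]

TODAY = date(2026, 3, 14)   # constructed "now" so the audit is reproducible


def audit_host(host: dict, baseline: dict = BASELINE, today: date = TODAY) -> list:
    """Return the baseline findings for one host (empty list = compliant)."""
    findings = []
    # Lockdown: normal is the recommended baseline; strict is also acceptable.
    if host["lockdown_mode"] == "disabled":
        findings.append("lockdown mode disabled; expected normal or strict")
    # Standing SSH or SLP is a finding on its own.
    for svc, label in (("TSM-SSH", "SSH"), ("slpd", "SLP")):
        if host["services"].get(svc, False):
            findings.append(f"{label} service running")
    if not host["secure_boot"]:
        findings.append("Secure Boot off")
    if not host["tpm"]:
        findings.append("TPM 2.0 not present or not enabled")
    if host["build"] < baseline["min_build"]:
        findings.append(f"build {host['build']} below patch floor {baseline['min_build']}")
    days_left = (host["cert_expires"] - today).days
    if days_left < baseline["cert_min_days_left"]:
        findings.append(f"host certificate expires in {days_left} days")
    if host["internet_reachable"]:
        findings.append(f"management interface {host['mgmt_ip']} reachable from the internet")
    return findings


def audit(hosts: list) -> dict:
    """Map host name -> findings, listing only hosts that have drifted."""
    report = {}
    for h in hosts:
        findings = audit_host(h)
        if findings:
            report[h["name"]] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit(HOSTS).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Against the constructed inventory, esx01 is clean, esx03 has a single TPM finding, and esx02 is the soft target the paragraph warns about: lockdown off, SSH and SLP running, Secure Boot off, an old build, a certificate about to expire, and a management interface reachable from the internet. Running this on a schedule and failing the job on any non-empty report is the "audit as code" the article calls for.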

Segmentation and Zero Trust Still Do Heavy Lifting

The controls that were good advice in 2019 remain essential; they just protect a bigger surface now. NSX micro-segmentation applies distributed firewall rules at the level of the individual virtual machine, so a compromised workload cannot pivot freely to its neighbors. In a world where attackers move laterally from an initial foothold toward the management plane, east-west segmentation is what buys your team the time to detect and contain before they reach the hypervisor.

The mental model to adopt is zero trust applied to infrastructure, not just users. No workload, and no administrator, should have standing access to more than its job requires. Segment aggressively, require strong authentication everywhere, and assume any single component can be compromised. The goal is not to make a breach impossible, which no control can promise, but to make sure that one compromised VM or one stolen credential does not hand an attacker the whole estate.
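The zero-trust invariant in these two paragraphs, that no workload segment should be able to reach the management plane and that each tier reaches only what its job requires, can be checked against a rule set before it is deployed. The following is an added example, not NSX code or its API: it models a distributed firewall as a constructed first-match allow/deny rule list over named segments (a simplification of real NSX semantics) and tests it against invariants, then reports what a compromised workload could still reach. Segment names, ports and rules are all constructed.

```python
"""Checking a micro-segmentation rule set against zero-trust invariants.

Added example, not NSX code. Rules are evaluated first-match over named
segments, a CONSTRUCTED simplification of a distributed firewall; the
segments, ports, rules and invariants are all assumptions.
"""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    src: str              # segment name or "any"
    dst: str              # segment name or "any"
    port: Optional[int]   # None = any port
    action: str           # "allow" or "deny"


# Constructed rule set as an admin might have left it.
RULES = [
    Rule("jump-admin", "mgmt-plane", 443, "allow"),   # admins -> vCenter over HTTPS only
    Rule("any", "mgmt-plane", None, "deny"),          # nothing else reaches vCenter/ESXi
    Rule("web", "app", 8443, "allow"),
    Rule("app", "db", 5432, "allow"),
    Rule("web", "db", 5432, "allow"),                 # a "temporary" exception never removed
    Rule("any", "any", None, "deny"),                 # default deny
]

SEGMENTS = ["jump-admin", "mgmt-plane", "web", "app", "db"]
PORTS = [22, 443, 5432, 8443]

# Invariants the rule set must satisfy: (src, dst, port, expected action).
INVARIANTS = [
    ("web", "mgmt-plane", 443, "deny"),
    ("app", "mgmt-plane", 22, "deny"),
    ("db", "mgmt-plane", 443, "deny"),
    ("jump-admin", "mgmt-plane", 443, "allow"),
    ("jump-admin", "mgmt-plane", 22, "deny"),   # SSH to hosts stays closed even for admins
    ("web", "db", 5432, "deny"),                # web tier must go through the app tier
]


def evaluate(rules: list, src: str, dst: str, port: int) -> str:
    """First matching rule wins; an implicit deny applies if nothing matches."""
    for r in rules:
        if r.src in (src, "any") and r.dst in (dst, "any") and r.port in (port, None):
            return r.action
    return "deny"


def check(rules: list, invariants: list = INVARIANTS) -> list:
    """Return one message per violated invariant (empty list = rules hold)."""
    violations = []
    for src, dst, port, expected in invariants:
        got = evaluate(rules, src, dst, port)
        if got != expected:
            violations.append(f"{src} -> {dst}:{port} is {got}, expected {expected}")
    return violations


def reachable_from(rules: list, src: str, segments: list = SEGMENTS, ports: list = PORTS) -> set:
    """Everything a compromised workload in `src` can reach: its lateral-movement surface."""
    return {(dst, p) for dst in segments if dst != src
            for p in ports if evaluate(rules, src, dst, p) == "allow"}


if __name__ == "__main__":
    for v in check(RULES):
        print("VIOLATION:", v)
    print("a compromised web VM can reach:", sorted(reachable_from(RULES, "web")))
```

On the constructed rules the management-plane invariants hold, but the leftover web-to-db exception is caught as a violation, and the reachability report shows exactly what a compromised web VM could pivot to. Gating rule changes on an empty violation list is one practical way to keep segmentation honest as the environment drifts.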

Immutable Backups: The Control That Decides the Outcome

When ransomware reaches the hypervisor, your recovery capability is what determines whether you pay or restore. Attackers know this, which is why they hunt backups before they encrypt. Veeam’s 2025 ransomware research found that 89% of organizations had their backups targeted in an attack, yet only 32% used immutable repositories. That gap is where recoverable incidents turn into unrecoverable ones.

Immutability is the fix. A backup that cannot be altered or deleted, even by a valid administrator credential, survives an attacker who has otherwise taken over the environment. Modern Veeam makes backups immutable by default, and the best practice is to keep the backup server and its repositories in a separate, hardened, MFA-protected security domain, so the immutable copies remain out of reach even if the production side is fully compromised. This is where a strong VMware security posture connects to immutable Backup as a Service and a tested Disaster Recovery as a Service plan. Finding the weakness matters, but being able to restore to a known-good state, fast, is what keeps a hypervisor-level attack from ending the business. For context on the stakes, IBM’s 2025 Cost of a Data Breach Report puts the global average breach at $4.44 million, and the US average at an all-time high of $10.22 million.

Where a Managed VMware Cloud Carries the Load

Doing all of this well is a real operational program, not a checklist you complete once: hypervisor hardening, identity and MFA on the management plane, micro-segmentation, disciplined patching, and immutable, isolated backups. For many mid-market teams, the honest answer is that they do not have the staff to run it to this standard around the clock.

That is the case for running VMware in a hardened, managed private cloud. IT Vortex builds these controls into our VMware cloud services by default: locked-down hosts, an isolated and MFA-gated management plane, NSX segmentation, a current patch posture, and immutable backups kept in a separate security domain. Paired with our Security as a Service (SECaaS) practice and wrapped in a fully managed service, it means the hypervisor that runs your business is defended by a team that does this every day, not by a stretched admin patching between other fires.

The old advice to harden your guests and back up your data was never wrong. It is just no longer the whole job. Attackers moved down a layer, to the hypervisor, where a single compromise can turn into a mass-encryption event your in-guest tools will never see. Meet them there: lock down the management plane, segment aggressively, patch on time despite the licensing friction, and make your backups immutable and isolated so recovery is always an option. Do that, and a hypervisor-level attack becomes a contained incident instead of a headline. Talk with IT Vortex about running your VMware workloads in a hardened, managed private cloud built to defend the hypervisor.

Securing VMware in 2026: Frequently Asked Questions

Why is ransomware now targeting ESXi hypervisors directly?

Because it is efficient and evasive. Encrypting one ESXi host encrypts every virtual machine it runs at once, and because the encryption happens at the hypervisor layer, the endpoint detection tools inside the VMs never see it. Groups like Akira, Black Basta, and RansomEXX now ship dedicated ESXi encryptors, and hypervisor-layer encryption rose sharply through 2025.

What is the most important step to secure an ESXi host?

Protect the management plane. Enable lockdown mode, keep SSH and the OpenSLP service off, put multi-factor authentication in front of vCenter, never expose an ESXi host to the internet, and patch promptly. Most catastrophic hypervisor-ransomware cases begin with a reachable or under-secured management interface.

Do immutable backups really help against VMware ransomware?

Yes, and they are often decisive. Attackers target backups before encrypting, so a backup that cannot be altered or deleted even with admin credentials is what lets you restore instead of pay. Veeam research found 89% of organizations had backups targeted, but only 32% used immutable repositories. Keep immutable copies in a separate, hardened security domain.

How does the Broadcom acquisition affect VMware security?

Broadcom moved VMware to subscription-only licensing, ended the free ESXi hypervisor, and raised the core minimum, leading some organizations to stall on renewals and run unpatched or unsupported hosts. Those hosts are exactly what ransomware crews scan for, which makes timely patching and lifecycle management a security priority, not just an operational one.
