Security researchers at Mandiant have identified a new ransomware strain dubbed BlackNova that specifically targets VMware ESXi hypervisors, encrypting entire virtual machine environments in as little as 45 minutes after initial access.
BlackNova exploits a recently patched vulnerability in ESXi's SSH implementation to gain root access, then deploys custom encryption routines optimized for VMDK disk files. At least 120 organizations across 14 countries have been affected since the campaign began in late March.
VMware issued an emergency advisory urging administrators to apply patch ESXi-8.0U3c immediately and disable SSH access unless absolutely necessary. The ransom demands have ranged from $500,000 to $5 million in Monero cryptocurrency.
