Vali Cyber warns of ESXi VPN gap
- Vali Cyber said ransomware crews are bypassing traditional virtual private network and endpoint defenses by hitting VMware ESXi hypervisors and vCenter management layers directly.
- The company’s pitch centers on hypervisor controls such as SSH multifactor authentication, lockdown rules, virtual patching, and runtime blocking, with claimed efficacy above 98%.
- Recent ESXi campaigns have shown attackers moving laterally with stolen admin access and encrypting from the hypervisor shell. (huntress.com)
A hypervisor is the software layer that lets one physical server run many virtual machines at once. When ransomware hits that layer in VMware ESXi, dozens of systems can go down together. (huntress.com) (ic3.gov)

That is the gap Vali Cyber is trying to spotlight: a virtual private network can control remote entry, but it does not stop an attacker who has already reached vCenter or an ESXi host and encrypts from inside. Vali’s ZeroLock product page says it is built for VMware ESXi 6.7+ and other Linux-based hypervisors. (valicyber.com)

Vali says the answer is enforcement at the infrastructure layer itself, including SSH multifactor authentication, application filtering, lockdown rules, virtual patching, and runtime malware blocking. The company says its detection and stopping algorithms work against traditional and fileless ransomware with efficacy above 98%. (valicyber.com)

The warning lines up with what incident responders have been seeing. Huntress said hypervisor ransomware jumped from 3% of its cases in the first half of 2025 to 25% in the second half, with Akira the main actor in that dataset. (huntress.com) Google threat intelligence findings published in July 2025 described Scattered Spider moving through IT help desks, Active Directory, and vCenter, and then into ESXi hosts. Infosecurity Magazine reported the group could go from initial access to ransomware deployment in a matter of hours. (infosecurity-magazine.com)

That playbook helps explain why endpoint tools often miss the final blow: the encryption runs on the host itself, not inside any guest where an endpoint agent lives. Huntress said attackers have deployed ransomware directly through hypervisors and, in some cases, used built-in tools such as openssl to encrypt virtual machine volumes. (huntress.com)

Government guidance has focused first on basic exposure reduction.
In its February 8, 2023 ESXiArgs advisory, CISA and the Federal Bureau of Investigation said more than 3,800 servers had been compromised globally and urged admins to patch ESXi, disable the Service Location Protocol (SLP) service, and keep hypervisors off the public internet. (ic3.gov)

VMware’s own security guidance also centers on hardening the platform and automating secure configuration. Its hardening guides for vSphere are published as prescriptive deployment guidance for customers running VMware products. (vmware.com)

Vali’s argument goes a step further than perimeter hardening alone: treat the hypervisor and its management plane as protected workloads with their own access controls and runtime defenses. The company is selling that as a separate security layer for the part of the stack where one compromise can fan out across an entire virtual estate. (valicyber.com)
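Because the encryption Huntress describes is typed into the ESXi Shell rather than run inside a guest, one place a defender can still see it is the host's own shell audit log. The script below is an added example for this article, not code from Vali Cyber, Huntress, VMware or CISA; the log lines are constructed, and the shell.log line layout (timestamp, `shell[pid]`, `[user]`, command) is the editor's assumption about ESXi's default format.

```python
import re
from typing import Dict, List

# shell.log line layout assumed here (ESXi default as understood by the editor):
#   <timestamp> shell[<pid>]: [<user>]: <command line>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)
# A path under /vmfs/volumes that ends in a VM file extension as a whole argument.
VM_FILE_RE = re.compile(r"/vmfs/volumes/\S+?\.(?:vmdk|vmx|vmsd|vmsn|vmem)(?=\s|$)")

# Constructed sample lines, not real incident data.
SAMPLE_SHELL_LOG = """\
2025-09-14T02:11:03Z shell[2100417]: [root]: esxcli network ip interface list
2025-09-14T02:11:48Z shell[2100417]: [root]: ls /vmfs/volumes/datastore1/
2025-09-14T02:12:10Z shell[2100417]: [root]: vim-cmd vmsvc/getallvms
2025-09-14T02:12:31Z shell[2100417]: [root]: openssl enc -in /vmfs/volumes/datastore1/web01/web01-flat.vmdk -out /vmfs/volumes/datastore1/web01/web01-flat.vmdk.locked
2025-09-14T02:13:02Z shell[2100417]: [root]: openssl enc -in /vmfs/volumes/datastore1/db01/db01.vmx -out /vmfs/volumes/datastore1/db01/db01.vmx.locked
2025-09-15T09:30:00Z shell[2200999]: [root]: openssl version
"""

def parse_shell_log(text: str) -> List[Dict[str, str]]:
    """Parse shell.log text into dicts (ts, pid, user, cmd); non-matching lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, text.splitlines()) if m]

def find_openssl_on_vm_files(entries: List[Dict[str, str]]) -> List[Dict[str, object]]:
    """Return commands where the host's own openssl binary is pointed at VM files."""
    hits: List[Dict[str, object]] = []
    for e in entries:
        argv = e["cmd"].split()
        if not argv or argv[0].rsplit("/", 1)[-1] != "openssl":
            continue
        targets = VM_FILE_RE.findall(e["cmd"])
        if targets:  # 'openssl version' and similar benign uses never reach here
            hits.append({**e, "targets": targets})
    return hits

def vm_files_per_session(hits: List[Dict[str, object]]) -> Dict[str, int]:
    """Count VM files touched per shell pid; one pid is one interactive shell session."""
    counts: Dict[str, int] = {}
    for h in hits:
        counts[str(h["pid"])] = counts.get(str(h["pid"]), 0) + len(h["targets"])
    return counts

if __name__ == "__main__":
    found = find_openssl_on_vm_files(parse_shell_log(SAMPLE_SHELL_LOG))
    print("suspicious commands:", [(h["ts"], h["user"], h["targets"]) for h in found])
    print("VM files touched per session:", vm_files_per_session(found))
```

Forwarding shell.log (and auth.log for the SSH logins that precede it) off the host to a SIEM matters here, since an attacker with root on the hypervisor can clear local logs.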