Ransomware hackers turn to virtual machine software to boost extortion schemes

Two Eastern European criminal groups began targeting hypervisors in 2020, according to CrowdStrike.
Two ransomware groups that CrowdStrike dubs Sprite Spider and Carbon Spider are trying to boost revenue (Photo by Christof STACHE / AFP) (Photo by CHRISTOF STACHE/AFP via Getty Images).

Ransomware gangs that target big corporations for extortion have long designed their code to execute on Microsoft Windows systems because of the popularity of the operating software.

Now, though, crooks are increasingly applying that tactic to the “hypervisor” computer servers that organizations use to manage virtual machines as a way of maximizing their extortion schemes, security firm CrowdStrike said Friday.

Ransomware hackers have targeted hospitals and schools throughout the pandemic, a security challenge that the Biden administration has vowed to address. Alejandro Mayorkas, the newly installed Homeland Security secretary, on Thursday called ransomware attacks on U.S. public and private organizations an “epidemic” while pledging more government resources to fight the problem.  

Breaching a hypervisor is an efficient way for the scammers to encrypt all of the virtual machines running on that software system without having to individually infect each machine. The goal is to up the pressure on big organizations to pay out hefty ransoms.


In the second half of 2020, two Eastern European criminal groups that CrowdStrike calls Sprite Spider and Carbon Spider began deploying malicious code written for the Linux operating system and designed to affect ESXi, a type of hypervisor.

CrowdStrike did not name the organizations targeted by the malware, but the firm warned that other groups could emulate the activity. The company published details on the emerging technique in a blog post.

The emergence of the Linux-focused ransomware strains comes as organizations are increasingly using virtual machines to consolidate their IT networks. But that concentration of resources on a few servers also risks creating a “virtual jackpot” for ransomware gangs, as CrowdStrike researchers Eric Loui and Sergei Frankoff put it.

The evolution of the two cybercriminal groups mirrors the broader ransomware ecosystem that now thrives on a “ransomware-as-a-service” model that leases hacking tools to maximize profit. Shortly after the coronavirus pandemic took hold and the hospitality sector suffered, Carbon Spider shifted from targeting point-of-sale devices to large organizations as a business tactic, according to CrowdStrike.

“This development shows that the ransomware actors are continuing to find new targets, when we see more than one adversary evolve in this way, it likely signifies others will follow suit,” said Adam Meyers, CrowdStrike’s vice president of intelligence.

Sean Lyngaas

Written by Sean Lyngaas

Sean Lyngaas is CyberScoop’s Senior Reporter covering the Department of Homeland Security and Congress. He was previously a freelance journalist in West Africa, where he covered everything from a presidential election in Ghana to military mutinies in Ivory Coast for The New York Times. Lyngaas’ reporting also has appeared in The Washington Post, The Economist and the BBC, among other outlets. His investigation of cybersecurity issues in the nuclear sector, backed by a grant from the Pulitzer Center on Crisis Reporting, won plaudits from industrial security experts. He was previously a reporter with Federal Computer Week and, before that, with Smart Grid Today. Sean earned a B.A. in public policy from Duke University and an M.A. in International Relations from The Fletcher School of Law and Diplomacy at Tufts University.

Latest Podcasts