Ghosts in the Hypervisor: Dissecting TTPs Behind Ransomware Attacks on Virtualization Infrastructure
Austin Gaton
BSides Seattle 2026 · Day 1 · Track 1
Austin Gaton, CTO and co-founder of Valley Cyber (a Linux and hypervisor security company), delivers a technically dense talk on how attackers are targeting VMware ESXi hypervisors for both ransomware and espionage campaigns. Backed by multiple live demos, Gaton walks through the complete attack lifecycle: from the 2021 SLP heap overflow (a CVE that was widely exploited in 2023), through Scattered Spider's identity-based attacks on MGM Resorts ($100 million in damages) and Active Directory privilege escalation via the ESX Admins group, to the MITRE breach of May 2024, a novel technique that bypasses VMware's exec-installed-only protection using Config Store CLI, and the VMDK exfiltration techniques of the Brickstorm nation-state espionage campaign.
AI review
Five live demos, a novel exec-installed-only bypass disclosed to VMware, deep analysis of real-world ransomware and espionage campaigns (ESXiArgs, Scattered Spider, MITRE breach, Brickstorm), and original vulnerability research. Austin Gaton demonstrates the complete lifecycle of hypervisor attacks from heap exploitation through living-off-the-land ransomware to VMDK exfiltration. This is exactly the kind of technically rigorous, demo-backed offensive research that advances the field.