From Retail Floors to Virtual Cores: ESXi Is the Next Attack Vector in Retail
Published 09/25/2025
In April 2025, a ransomware attack on Marks & Spencer paralyzed its core systems by encrypting its VMware ESXi hypervisors. The breach halted online sales, disrupted logistics, and left customers in limbo. With damages estimated at over $400 million, the attack revealed a growing trend in ransomware: infrastructure-layer targeting.
This blog explores why hypervisors like ESXi are now a top attack vector for ransomware groups—and what retailers can do to strengthen virtual infrastructure before the next incident strikes.
The Rise of Ransomware in Retail
Ransomware attacks against the retail sector are accelerating, and attackers are increasingly bypassing endpoints in favor of core virtualization systems. In 2024, 45% of retail organizations were hit by ransomware, with recovery costs rising by 50%.
According to threat intelligence reports from Q1 2025, ransomware targeting the virtualization layer—especially VMware ESXi—is growing rapidly. These attacks impact not just desktops or file servers, but entire business operations. The Marks & Spencer breach is just one example of a broader shift toward infrastructure-aware ransomware.
The inclusion of ESXi-specific TTPs in MITRE ATT&CK v17 further validates this shift. What was once a backend layer is now a primary ransomware target—and most retailers have not yet adapted.
Case in Point: The M&S, Harrods, and Co-op ESXi Attacks
In spring 2025, a coordinated ransomware campaign led by DragonForce and Scattered Spider targeted UK retailers using ESXi-focused payloads and credential abuse. Marks & Spencer was the most visible target. Attackers reportedly gained access through a third-party vendor, escalated privileges, and encrypted hypervisors—bringing down online sales, logistics, and internal systems.
Other retailers, including Harrods and the Co-op Group, also detected suspicious activity and took emergency containment steps, including VPN shutdowns, credential resets, and restricted remote access. These events demonstrate how quickly hypervisor breaches can escalate into sector-wide disruption.
What Hypervisor Security Should Look Like in Retail
Most endpoint and network security tools were not designed to protect the hypervisor layer. As attackers shift their focus to VMware ESXi and similar platforms, organizations must rethink their defenses.
Key elements of a hypervisor-aware security strategy include:
- Enforcing Multi-Factor Authentication for administrative access and remote shell protocols
- Applying hardening policies and virtual patching to reduce risk without downtime
- Controlling native hypervisor tool usage (e.g., esxcli, vim-cmd) to prevent abuse
- Monitoring for behavioral anomalies that indicate privilege escalation or lateral movement
- Integrating with SIEM/SOAR tools to support faster detection and response
These practices align with guidance outlined in MITRE ATT&CK v17 and support compliance frameworks like NIST, SOC, ISO, and others.
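One way to put the native-tool control and anomaly-monitoring items above into practice is to watch the ESXi shell audit log for sessions that stop many guests in quick succession, which is what hypervisor ransomware does before encrypting VM disks. The following Python is an added example written for this post, not a vendor tool; the log lines are constructed to approximate the /var/log/shell.log format, and the regex, threshold and user names are assumptions.

```python
import re
from collections import Counter

# Constructed sample of ESXi /var/log/shell.log lines (not from any real incident).
SAMPLE_SHELL_LOG = """\
2025-04-20T02:10:41Z shell[1001]: [root]: esxcli system version get
2025-04-20T02:11:03Z shell[1001]: [root]: vim-cmd vmsvc/getallvms
2025-04-20T02:11:20Z shell[1001]: [root]: vim-cmd vmsvc/power.off 12
2025-04-20T02:11:22Z shell[1001]: [root]: vim-cmd vmsvc/power.off 13
2025-04-20T02:11:25Z shell[1001]: [root]: vim-cmd vmsvc/power.off 14
2025-04-20T02:11:30Z shell[1001]: [root]: esxcli vm process kill --type=force --world-id=2098001
2025-04-20T09:30:00Z shell[1042]: [vcp-admin]: vim-cmd vmsvc/power.off 21
"""

# One shell.log record: timestamp, shell pid (a proxy for the session), user, command.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.+)$"
)

# Native-tool actions that stop guests. A single call is routine maintenance,
# so the detector alerts on volume per session rather than on any one command.
POWER_OFF_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill")


def parse_shell_log(text):
    """Parse shell.log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def find_mass_power_off(text, threshold=3):
    """Return {(user, pid): count} for shell sessions that stopped >= threshold VMs.

    threshold is an assumed tuning value; set it from your own change-window baseline.
    """
    counts = Counter()
    for ev in parse_shell_log(text):
        if POWER_OFF_RE.search(ev["cmd"]):
            counts[(ev["user"], ev["pid"])] += 1
    return {session: n for session, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for (user, pid), n in find_mass_power_off(SAMPLE_SHELL_LOG).items():
        print(f"ALERT: shell session {pid} as {user} stopped {n} VMs")
```

Forwarding the resulting alerts to the SIEM/SOAR tooling named above turns a hypervisor-local signal into a cross-host detection; correlating the session with a recent SSH enablement or a new admin account sharpens it further.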
Final Thoughts: What’s Your Plan for ESXi Risk?
Hypervisor security is no longer a backend concern—it’s a frontline defense issue. As ransomware groups increasingly target virtualization infrastructure, retailers must take proactive steps to secure ESXi environments and prepare for infrastructure-layer attacks.
MITRE ATT&CK v17 and recent high-profile incidents make one thing clear: the hypervisor is now part of the modern attack surface. Retailers that protect this layer today are better positioned to avoid outages, reduce risk, and maintain customer trust tomorrow.