From Help Desk to Hypervisor: Defending Your VMware vSphere Estate from UNC3944

ID: 60ec1322-25fa-5a32-b961-832d101e37d7

STIX ID: report--60ec1322-25fa-5a32-b961-832d101e37d7

Feed Name: Threat Intelligence

Threat Score: 85/100

Date Published: 2025-07-23

Date Updated: 2026-04-27

Author: Mandiant

...
...

**Executive summary:** This advisory details hypervisor-level ransomware activity attributed to UNC3944 that targets vCenter and ESXi to manipulate virtual disks and rapidly deploy ransomware with minimal forensic traces; it emphasizes three defensive pillars—proactive hardening (lockdown mode, execInstalledOnly, VM encryption, posture management), identity and architectural integrity (phishing-resistant MFA, isolated identity clusters, avoiding authentication loops), and advanced detection/recovery (centralized logging, high-fidelity SIEM detections, immutable air-gapped backups)—and warns that these TTPs are being adopted broadly by other ransomware actors.