Article Details

Scrape Timestamp (UTC): 2025-07-28 06:27:44.836

Source: https://thehackernews.com/2025/07/scattered-spider-hijacks-vmware-esxi-to.html

Original Article Text


Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure

The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks against the retail, airline, and transportation sectors in North America.

"The group's core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk," Google's Mandiant team said in an extensive analysis. "The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization's most critical systems and data."

Also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors have a history of conducting advanced social engineering attacks to obtain initial access to victim environments and then adopting a "living-off-the-land" (LotL) approach: manipulating trusted administrative systems and leveraging their control of Active Directory to pivot to the VMware vSphere environment. Google said the method, which provides a pathway for data exfiltration and ransomware deployment directly from the hypervisor, is "highly effective," as it bypasses security tools and leaves few traces of compromise.

The attack chain unfolds over five distinct phases -

"UNC3944's playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense," Google said. "This threat differs from traditional Windows ransomware in two ways: speed and stealth."

The tech giant also called out the threat actors' "extreme velocity," stating that the whole infection sequence, from initial access through data exfiltration to final ransomware deployment, can transpire within a short span of a few hours.
According to Palo Alto Networks Unit 42, Scattered Spider actors have not only become adept at social engineering, but have also partnered with the DragonForce (aka Slippery Scorpius) ransomware program, in one instance exfiltrating over 100 GB of data during a two-day period.

To counter such threats, organizations are advised to follow three layers of protections -

Google is also urging organizations to re-architect the system with security in mind when transitioning from VMware vSphere 7, as it approaches end-of-life (EoL) in October 2025.

"Ransomware aimed at vSphere infrastructure, including both ESXi hosts and vCenter Server, poses a uniquely severe risk due to its capacity for immediate and widespread infrastructure paralysis," Google said. "Failure to proactively address these interconnected risks by implementing these recommended mitigations will leave organizations exposed to targeted attacks that can swiftly cripple their entire virtualized infrastructure, leading to operational disruption and financial loss."

Daily Brief Summary

CYBERCRIME // Scattered Spider Group Targets U.S. Infrastructure with Ransomware

Scattered Spider, a known cybercrime group, focuses attacks on U.S. sectors such as retail, airlines, and transportation, specifically targeting VMware ESXi hypervisors.

The group utilizes social engineering rather than software exploits, employing direct phone calls to IT help desks to gain initial system access.

Their approach involves abusing trusted administrative systems and manipulating Active Directory to pivot toward victims' VMware vSphere environments for data exfiltration and ransomware deployment.

These attacks bypass traditional security measures and are characterized by their speed and stealth, usually completing the entire sequence within a few hours.

Google highlights the need for a shift in defense strategies from endpoint detection and response (EDR) to proactive, infrastructure-centric defenses.

The partnership between Scattered Spider and the DragonForce ransomware program exemplifies a significant collaboration in cybercrime, demonstrating sophisticated joint operations.

Google recommends re-architecting systems with enhanced security as VMware vSphere 7 nears end-of-life, to impede such high-risk ransomware attacks and secure virtualized infrastructures against severe disruptions.