Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical US Infrastructure

The notorious cybercrime group known as Scattered Spider is targeting VMware ESXi hypervisors in attacks on the retail, airline, and transportation sectors in North America.

"The group's core tactics have remained consistent and do not rely on software exploits. Instead, they use a proven playbook centered on phone calls to an IT help desk," Google's Mandiant team said in an extensive analysis. "The actors are aggressive, creative, and particularly skilled at using social engineering to bypass even mature security programs. Their attacks are not opportunistic but are precise, campaign-driven operations aimed at an organization's most critical systems and data."

Also called 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, the threat actors have a history of conducting advanced social engineering attacks to obtain initial access to victim environments and then adopting a living-off-the-land (LotL) approach, manipulating trusted administrative systems and leveraging their control of Active Directory to pivot to the VMware vSphere environment.

Google said the method, which provides a pathway for data exfiltration and ransomware deployment directly from the hypervisor, is highly effective, as it bypasses security tools and leaves few traces of compromise.

The group's heavy use of social engineering has revealed recurring patterns, particularly in how they register domains that closely mimic legitimate company infrastructure or login portals, NCC Group pointed out.

Some of their typical naming conventions include:

The attack chain unfolds over five distinct phases:

"UNC3944's playbook requires a fundamental shift in defensive strategy, moving from EDR-based threat hunting to proactive, infrastructure-centric defense," Google said. "This threat differs from traditional Windows ransomware in two ways: speed and stealth."

The tech giant also called out the threat actors' extreme velocity, stating that the whole infection sequence, from initial access to data exfiltration and final ransomware deployment, can transpire within a short span of a few hours.

According to Palo Alto Networks Unit 42, Scattered Spider actors have not only become adept at social engineering but have also partnered with the DragonForce (aka Slippery Scorpius) ransomware program, in one instance exfiltrating over 100 GB of data during a two-day period.

To counter such threats, organizations are advised to follow three layers of protections:

Google is also urging organizations to re-architect their systems with security in mind when transitioning from VMware vSphere 7, as it approaches end-of-life (EoL) in October 2025.

"Ransomware aimed at vSphere infrastructure, including both ESXi hosts and vCenter Server, poses a uniquely severe risk due to its capacity for immediate and widespread infrastructure paralysis," Google said. "Failure to proactively address these interconnected risks by implementing these recommended mitigations will leave organizations exposed to targeted attacks that can swiftly cripple their entire virtualized infrastructure, leading to operational disruption and financial loss."
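The article notes that NCC Group saw the group registering domains that mimic a company's own infrastructure or login portals. The following is an added example, not code from Google/Mandiant, NCC Group, or the article, of how a defender might triage a feed of newly observed domains against that pattern. The company name "acme", the legitimate domain set, the candidate domains, and the list of portal keywords are all constructed assumptions for illustration; a real deployment would take the candidates from a certificate-transparency or newly-registered-domain feed and tune the keyword list to the organization's actual portals.

```python
"""Flag newly observed domains that look like a company's infrastructure or login portals.

Added illustration for this article; not Google/Mandiant, NCC Group, or article code.
All names below ("acme", the domains, the keyword list) are constructed assumptions.
"""
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional, Set

# Constructed assumption: words that suggest an SSO, VPN, or IT-support portal.
PORTAL_TOKENS = {"sso", "okta", "vpn", "helpdesk", "servicedesk", "login", "mfa", "hr", "it"}


@dataclass(frozen=True)
class Finding:
    domain: str
    reason: str


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'example' for 'sso.example.com'.
    Simplification: assumes a one-label public suffix (no 'co.uk' handling)."""
    parts = domain.lower().strip().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess(candidate: str, company: str, legit_domains: Set[str]) -> Optional[Finding]:
    """Return a Finding if `candidate` resembles the company's infrastructure, else None."""
    d = candidate.lower().strip().rstrip(".")
    company = company.lower()
    legit = {l.lower() for l in legit_domains}

    # The organization's own domains and their subdomains are not findings.
    if d in legit or any(d.endswith("." + l) for l in legit):
        return None

    labels = d.split(".")
    label = registrable_label(d)

    # Company name inside the registrable label: "acme-sso.com", "acmeokta.net", "acme.net".
    if company in label:
        extra = re.sub(r"[-_]", " ", label.replace(company, " ")).split()
        if not extra:
            return Finding(d, "company name registered under an unfamiliar suffix")
        hits = [t for t in extra if t in PORTAL_TOKENS]
        if hits:
            return Finding(d, f"company name combined with portal keyword '{hits[0]}'")
        return Finding(d, "company name embedded in an unfamiliar domain")

    # One-edit typosquat of the company name: "acmme.com".
    if levenshtein(label, company) <= 1:
        return Finding(d, "one-edit typosquat of the company name")

    # Company name used as a subdomain of a domain the company does not own.
    if any(company in lab for lab in labels[:-2]):
        return Finding(d, "company name used as a subdomain of an unfamiliar domain")

    return None


def triage(candidates: Iterable[str], company: str, legit_domains: Set[str]) -> List[Finding]:
    """Run assess() over a feed of candidate domains and keep only the findings."""
    findings = []
    for c in candidates:
        f = assess(c, company, legit_domains)
        if f is not None:
            findings.append(f)
    return findings


# Constructed sample input: a fictional company and a handful of observed domains.
COMPANY = "acme"
LEGIT_DOMAINS = {"acme.com"}
SAMPLE_CANDIDATES = [
    "sso.acme.com",              # owned: not a finding
    "acme-sso.com",              # company name + portal keyword
    "acmeokta.net",              # company name + portal keyword
    "acme.net",                  # company name under another suffix
    "acmme.com",                 # one-edit typosquat
    "acme.helpdesk-portal.net",  # company name as a subdomain elsewhere
    "example.org",               # unrelated: not a finding
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_CANDIDATES, COMPANY, LEGIT_DOMAINS):
        print(f"{finding.domain:28s} {finding.reason}")
```

The checks are deliberately coarse: the point is to surface candidates for a human to review before they are used in a help-desk call, not to block registrations. Feeding the findings into the same channel the help desk uses for verification callbacks turns a domain feed into an early warning for the social-engineering phase the article describes.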