Scattered Spider Unleashes VMware ESXi Ransomware on US Retail, Transport & Insurance via Social Engineering
The Scattered Spider group has intensified its assaults on corporate IT environments, concentrating its efforts on VMware ESXi hypervisors within U.S. companies across the retail, transportation, and insurance sectors. Rather than exploiting conventional software vulnerabilities, the attackers exhibit exceptional proficiency in social engineering tactics, allowing them to bypass even the most fortified systems.
According to Google’s Threat Intelligence Group, the attack typically begins with an adversary impersonating an internal employee during a call to the IT helpdesk. The attacker persuades support staff to reset a user’s Active Directory password, thus gaining initial access to the corporate network. From there, the intruders seek out technical documentation and privileged accounts, with a particular focus on domain administrators, VMware vSphere environment admins, and users within elevated permission groups.
Concurrently, they scan the network for Privileged Access Management (PAM) solutions, which may harbor sensitive data and aid further lateral movement. Once the names of privileged users are identified, the attackers initiate additional calls—this time posing as administrators—to request further password resets, ultimately acquiring high-level access.
The next objective is to seize control of the VMware vCenter Server Appliance (vCSA), the centralized management server for the ESXi architecture and its virtual machines. Upon achieving this level of access, the attackers enable SSH on ESXi hosts, reset root user passwords, and initiate what is known as a virtual disk swapping attack.
This technique involves shutting down a domain controller, detaching its virtual disk, and mounting it on a separate attacker-controlled VM. There, the threat actors extract the NTDS.dit file—the Active Directory database containing password hashes—before remounting the disk and restarting the original machine. This method allows the silent exfiltration of highly sensitive data without triggering OS-level alerts.
With full control over virtualization, the attackers proceed to sabotage backup systems: clearing schedules, deleting snapshots, and wiping backup storage. The final blow comes in the form of ransomware, deployed via SSH connections across all identified virtual machines, resulting in widespread encryption and complete organizational incapacitation.
Google describes the architecture of these attacks in five phases: from social engineering to total ESXi infrastructure compromise. Remarkably, the entire chain—from the initial helpdesk call to ransomware deployment—can unfold within a matter of hours. No software exploits are used, yet the efficacy of these campaigns enables attackers to bypass most built-in security mechanisms.
This methodology was notably employed by Scattered Spider during the high-profile MGM Resorts incident in 2023. Today, an increasing number of threat actors are adopting similar tactics. A contributing factor is the widespread lack of deep understanding of VMware environments, leading to insufficient protection.
To mitigate risk, Google has issued technical recommendations across three key domains:
- Hardening vSphere: Enable execInstalledOnly, encrypt virtual machines, disable SSH access, remove orphaned VMs, and strictly enforce multi-factor authentication.
- Asset Segregation: Isolate critical assets such as domain controllers, PAM systems, and backup repositories. These should not reside on the same nodes as the infrastructure they safeguard.
- Monitoring and Logging: Establish centralized logging, configure alerts for suspicious actions (e.g., SSH activation, vCenter logins, admin group changes), utilize immutable air-gapped backups, and conduct regular disaster recovery drills specific to virtualization breaches.
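As an added illustration of the monitoring recommendation (not code from Google or VMware), the following script runs two detections over constructed, simplified ESXi/vCenter-style audit lines: per-host SSH enablement and root password changes, and a virtual disk that is detached from one VM and attached to a different VM within a short window, the disk-swap step used against the domain controller described above. The event types and field names are illustrative assumptions, not real vSphere event IDs.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed, simplified vCenter/ESXi-style audit lines; the field names and
# event types are illustrative, not real vSphere event IDs.
SAMPLE_EVENTS = """\
2024-05-01T02:10:04Z host=esx01 type=ssh_service_enabled user=svc-admin
2024-05-01T02:12:30Z host=esx01 type=root_password_changed user=svc-admin
2024-05-01T02:15:02Z host=esx01 type=vm_powered_off vm=DC01 user=svc-admin
2024-05-01T02:15:40Z host=esx01 type=disk_detached vm=DC01 disk=DC01_1.vmdk user=svc-admin
2024-05-01T02:16:05Z host=esx01 type=disk_attached vm=tmp-util01 disk=DC01_1.vmdk user=svc-admin
2024-05-01T02:31:10Z host=esx01 type=disk_detached vm=tmp-util01 disk=DC01_1.vmdk user=svc-admin
2024-05-01T02:31:55Z host=esx01 type=disk_attached vm=DC01 disk=DC01_1.vmdk user=svc-admin
2024-05-01T09:00:00Z host=esx03 type=disk_attached vm=APP02 disk=APP02_2.vmdk user=ops
"""

def parse_events(text):
    """Parse 'timestamp key=value ...' lines into dicts with a datetime 'ts'."""
    events = []
    for line in text.splitlines():
        ts, _, rest = line.partition(" ")
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(fields)
    return events

def detect_disk_swap(events, window=timedelta(minutes=30)):
    """Flag a virtual disk detached from one VM and attached to a different VM
    within `window`: the disk-swap step used to lift NTDS.dit from a DC."""
    alerts, detached = [], {}          # detached: disk -> (time, source VM)
    for ev in sorted(events, key=lambda e: e["ts"]):
        if ev["type"] == "disk_detached":
            detached[ev["disk"]] = (ev["ts"], ev["vm"])
        elif ev["type"] == "disk_attached" and ev["disk"] in detached:
            t0, src = detached.pop(ev["disk"])
            if ev["vm"] != src and ev["ts"] - t0 <= window:
                alerts.append((ev["ts"], ev["disk"], src, ev["vm"]))
    return alerts

def detect_host_prep(events):
    """Group SSH enablement and root password changes per ESXi host; both
    precede the disk swap and the SSH-delivered ransomware push."""
    flagged = defaultdict(list)
    for ev in events:
        if ev["type"] in ("ssh_service_enabled", "root_password_changed"):
            flagged[ev["host"]].append(ev["type"])
    return dict(flagged)
```

Calling `detect_disk_swap(parse_events(SAMPLE_EVENTS))` reports both moves of DC01_1.vmdk (to the staging VM and back), while the unrelated APP02 attach produces no alert.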
Scattered Spider—also known as UNC3944, Octo Tempest, or 0ktapus—is regarded as one of the world’s most formidable threat groups. Distinguished by their refined social mimicry, the attackers replicate not only employees’ speech patterns but also their vocabulary, pronunciation, and conversational style. Despite the recent arrests of four alleged members in the United Kingdom, the group remains highly active. In fact, their campaigns have grown increasingly audacious and far-reaching in recent months.