Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure

Jul 28, 2025 | Ravie Lakshmanan | Cyber Attack / Ransomware

\"Deploy

The infamous cybercrime group known as Scattered Spider is focusing on VMware ESXi hypervisors in attacks aimed at retail, airline, and transportation sectors in North America.

According to an in-depth analysis by Google’s Mandiant team, the group’s primary strategies do not rely on software exploits but instead revolve around phone calls to an IT help desk.

Google stated that the attackers are adept at using social engineering to breach even well-established security systems, targeting an organization’s most critical systems and data with precision.

Also known as 0ktapus, Muddled Libra, Octo Tempest, and UNC3944, these threat actors have a history of leveraging advanced social engineering tactics to gain initial access to victim environments and then using a “living-off-the-land” approach to pivot to the VMware vSphere environment.

\"Cybersecurity\"

Google highlighted that the method used by the attackers, allowing data exfiltration and ransomware deployment directly from the hypervisor, is highly effective as it bypasses security measures and leaves minimal traces of compromise.

\"\"

The attack unfolds in five distinct phases:

  • Initial compromise, reconnaissance, and privilege escalation
  • Pivoting to the virtual environment
  • Enabling SSH connections on ESXi hosts
  • Weaponizing the access
  • Pushing custom ransomware binary via SSH access to ESXi hosts

Google emphasized the need for organizations to shift towards proactive, infrastructure-centric defense to counter such threats effectively.

\"\"

According to Palo Alto Networks Unit 42, Scattered Spider actors have partnered with the DragonForce ransomware program and have successfully exfiltrated large amounts of data in a short period.

To mitigate such threats, organizations are advised to implement various protective measures, including enabling vSphere lockdown mode, enforcing multi-factor authentication, and centralizing and monitoring key logs.
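The third attack phase above (switching on SSH for ESXi hosts) and the advice to centralize and monitor key logs suggest a concrete detection. The following is an added example, not code from the article or from Google/Mandiant: it parses constructed, syslog-shaped sample lines (not real ESXi hostd or sshd output; the regexes must be adapted to the real format) and flags any host whose SSH service was enabled, escalating when lockdown mode was disabled first or an SSH login follows shortly after. `TSM-SSH` is the real ESXi service name for SSH; the host names, users and addresses are made up.

```python
import re
from datetime import datetime, timedelta

# Constructed sample lines in a syslog-like shape (not real ESXi output).
SAMPLE_LOGS = [
    "2025-07-20T01:00:00Z esxi01 hostd: lockdown mode disabled by user admin@vsphere.local",
    "2025-07-20T01:01:30Z esxi01 hostd: service TSM-SSH started by user admin@vsphere.local",
    "2025-07-20T01:04:10Z esxi01 sshd: Accepted password for root from 10.9.8.7",
    "2025-07-20T03:00:00Z esxi02 hostd: service ntpd started by user svc-mon@vsphere.local",
]

LINE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<proc>\w+): (?P<msg>.*)$")
# Event signatures (assumed wording; map them to the real log text in production).
PATTERNS = {
    "lockdown_disabled": re.compile(r"lockdown mode disabled", re.I),
    "ssh_enabled": re.compile(r"service TSM-SSH started", re.I),
    "ssh_login": re.compile(r"Accepted \w+ for \S+ from \S+"),
}


def parse(line):
    """Return a dict {ts, host, proc, msg, event} for lines of interest, else None."""
    m = LINE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"].replace("Z", "+00:00"))
    for name, pat in PATTERNS.items():
        if pat.search(rec["msg"]):
            rec["event"] = name
            return rec
    return None


def detect(lines, window=timedelta(minutes=30)):
    """One alert per SSH-enable event per host. Severity is 'high' when lockdown
    mode was disabled on that host beforehand or an SSH login lands within
    `window` after SSH was switched on; otherwise 'medium' (still worth review)."""
    events = [e for e in (parse(l) for l in lines) if e]
    alerts = []
    for host in sorted({e["host"] for e in events}):
        hev = [e for e in events if e["host"] == host]
        for en in (e for e in hev if e["event"] == "ssh_enabled"):
            prior_lockdown = any(e["event"] == "lockdown_disabled" and e["ts"] <= en["ts"] for e in hev)
            logins = [e for e in hev if e["event"] == "ssh_login"
                      and en["ts"] <= e["ts"] <= en["ts"] + window]
            sev = "high" if (prior_lockdown or logins) else "medium"
            alerts.append({"host": host, "severity": sev,
                           "lockdown_disabled": prior_lockdown, "logins": len(logins)})
    return alerts
```

Run against the sample lines, `detect(SAMPLE_LOGS)` returns a single high-severity alert for `esxi01` and nothing for `esxi02`, whose only service start is unrelated.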

\"Cybersecurity\"

As VMware vSphere 7 approaches end-of-life in October 2025, Google recommends that organizations re-architect their systems with security in mind to prevent ransomware attacks that can severely impact infrastructure and operations.

\"\"

Google warns that ransomware attacks on vSphere infrastructure can lead to widespread infrastructure paralysis, emphasizing the importance of implementing recommended security measures to prevent operational disruptions and financial losses.