
Scattered Spider: The Group Behind Major ESXi Ransomware Attacks

Published 07/09/2025


Originally published by Vali Cyber.

Written by Nathan Montierth.

 

A new wave of ransomware actors is rewriting the rulebook—and their sights are set on the foundation of enterprise infrastructure: VMware ESXi.

Scattered Spider, also tracked as UNC3944, 0ktapus, and Muddled Libra, is one of the most agile and dangerous threat clusters in operation today. They are not a traditional ransomware gang that develops and runs its own encryptor. Instead, they form a loosely connected network of English-speaking cybercriminals, some as young as 16, who organize on Telegram, Discord, and underground forums, gain access through social engineering, and then deploy ransomware from established affiliate programs in real-time, coordinated attacks.

Two of their most damaging operations? Both targeted ESXi.

 

From Social Engineering to System-Wide Shutdowns

The 2023 MGM Resorts ESXi breach marked a turning point in infrastructure-layer ransomware. After reconnaissance (reportedly including a SIM swap), Scattered Spider impersonated an employee and talked MGM’s IT help desk into resetting that employee’s credentials, sidestepping identity verification entirely. Within days, more than 100 ESXi hypervisors were encrypted with BlackCat (ALPHV) ransomware, causing an outage of roughly ten days, about $100M in losses, and a $45M class-action settlement.

Their tactics have been linked to over 100 targeted attacks, including Caesars Entertainment, which reportedly paid $15M, and most recently, Marks & Spencer, whose ESXi compromise took down apps and stores and exposed customer data. The fallout may exceed $400M—nearly half of M&S’s annual profit.

Since 2022, Scattered Spider has refined this playbook, breaching companies like Twilio, Riot Games, and DoorDash with SMS and voice phishing that harvested credentials and one-time codes, MFA-fatigue push floods, and help-desk resets that bypassed MFA outright, then using the resulting admin access to move further in. Their attacks are calculated and evolving, with ESXi now a primary objective.

 

Why ESXi?

ESXi hypervisors are an ideal target: they’re centralized, under-monitored, and host critical enterprise workloads. A single compromise can disrupt dozens—or hundreds—of virtual machines.

Scattered Spider and affiliated actors know this. Their ESXi-focused operations align with a broader industry trend: MITRE ATT&CK v17 added ESXi as a platform in the Enterprise matrix, recognizing hypervisors as high-value targets in their own right.

Their tactics blend identity-centric intrusion with infrastructure abuse. Notably, attackers are:

  • Reaching hosts over SSH and the ESXi shell, often after enabling them with stolen vCenter or SSO administrator credentials, and running commands directly on the hypervisor rather than inside any guest.
  • Powering off or killing virtual machines so their disk files are no longer locked, then encrypting the VM files on the datastore, which takes down every guest on the host at once.
  • Using built-in ESXi utilities such as esxcli and vim-cmd for enumeration, power control, and configuration changes (“living off the land”), so there is no malware on the host to detect until the encryptor itself runs.

These are not hypothetical threats. This ransomware playbook is active—and effective.

 

How to Strengthen Your Defenses Against Scattered Spider

Scattered Spider isn’t just exploiting software—they’re exploiting people, process gaps, and visibility blind spots. Their attacks often bypass perimeter defenses entirely, targeting soft spots in identity, configuration, and virtualization layers.

To defend against this class of threat, organizations must shift from endpoint-centric defenses to hypervisor-aware security strategies, including:

  • Securing Remote Access Paths: Keep SSH and the ESXi shell disabled except during approved change windows, enable lockdown mode so hosts are managed only through vCenter, and put multi-factor authentication on the vCenter/SSO accounts and jump hosts that reach them. Log every privileged session, and require out-of-band verification before the help desk resets a password or MFA device, because that is where these intrusions begin.
  • Implementing Configuration Lockdown Policies: Establish hardened baseline configurations for ESXi and alert on drift from them. Limit administrative access, disable unused services, and prevent execution of binaries that were not installed from signed VIBs by enabling execInstalledOnly together with UEFI Secure Boot.
  • Controlling Built-In Utility Abuse: Treat esxcli and vim-cmd invocations as privileged operations; restrict who can run them and review their use. Behavior monitoring can flag the enumeration and mass power-off sequences that precede encryption.
  • Detecting Early-Stage Intrusion Behavior: Forward shell.log, auth.log, and hostd.log off the host to a SIEM, and alert on anomalies such as SSH being enabled, new local accounts, logins at unusual hours, firewall changes, or bulk VM shutdowns.
  • Preparing for Containment and Recovery: Ensure recovery plans include isolated restore environments and tested offline or immutable backups. VM snapshots alone are not a recovery plan: they sit on the same datastore the attacker encrypts.
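The enumeration, tampering, and mass power-off sequence described in the bullets above (and in the attacker tactics listed under “Why ESXi?”) can be spotted from the ESXi shell log alone. The following is an added example written for this page, not Vali Cyber’s or VMware’s code: a small Python detector that parses lines in the /var/log/shell.log layout (“<timestamp> shell[<pid>]: [<user>]: <command>”) and raises findings for security-setting tampering, bulk VM power-off within a short window, and execution of a binary from /tmp or a datastore. The sample log lines, process IDs, VM IDs, and thresholds are constructed for the example.

```python
"""Flag ESXi shell activity matching the hypervisor ransomware playbook.

Rules:
  config_tamper    - commands that weaken the host (firewall off, shell/SSH on, new account, execInstalledOnly off)
  mass_vm_poweroff - N or more VM power-off/kill commands from one shell session inside a time window
  untrusted_exec   - a program run from /tmp, /scratch or a datastore path instead of the installed system
The sample below is constructed to approximate /var/log/shell.log; it is not a real capture.
"""
import re
from collections import deque
from datetime import datetime, timedelta

SAMPLE_SHELL_LOG = """\
2025-05-01T02:10:05Z shell[2100001]: [root]: esxcli system settings advanced list -o /UserVars/ESXiShellTimeOut
2025-05-01T02:10:31Z shell[2100001]: [root]: vim-cmd vmsvc/getallvms
2025-05-01T02:10:40Z shell[2100001]: [root]: esxcli network firewall set --enabled false
2025-05-01T02:10:48Z shell[2100001]: [root]: esxcli system account add -i svc_backup -p REDACTED -c REDACTED
2025-05-01T02:10:55Z shell[2100001]: [root]: vim-cmd vmsvc/power.off 12
2025-05-01T02:10:56Z shell[2100001]: [root]: vim-cmd vmsvc/power.off 13
2025-05-01T02:10:57Z shell[2100001]: [root]: esxcli vm process kill --type=force --world-id=2101345
2025-05-01T02:11:20Z shell[2100001]: [root]: chmod +x /tmp/encrypt
2025-05-01T02:11:25Z shell[2100001]: [root]: /tmp/encrypt /vmfs/volumes
2025-05-02T09:00:00Z shell[2200042]: [root]: esxcli storage filesystem list
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) shell\[(?P<pid>\d+)\]: \[(?P<user>[^\]]+)\]: (?P<cmd>.*)$")

# (pattern, description) pairs for commands that lower the host's defenses before encryption.
TAMPER_RULES = [
    (re.compile(r"esxcli network firewall set\b.*--enabled[ =]false"), "host firewall disabled"),
    (re.compile(r"vim-cmd hostsvc/enable_(ssh|esx_shell)\b"), "SSH or ESXi shell enabled"),
    (re.compile(r"esxcli system account add\b"), "local ESXi account created"),
    (re.compile(r"execInstalledOnly\b.*(FALSE|\b0\b)", re.IGNORECASE), "execInstalledOnly disabled"),
]
# VM shutdown primitives that ransomware runs in bulk so locked .vmdk files can be encrypted.
POWER_OFF_RE = re.compile(r"vim-cmd vmsvc/power\.off\b|esxcli vm process kill\b")
UNTRUSTED_DIRS = ("/tmp/", "/scratch/", "/vmfs/volumes/")


def parse_shell_log(text):
    """Return one dict per well-formed line: ts (datetime), pid, user, cmd. Other lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append({"ts": ts, "pid": m["pid"], "user": m["user"], "cmd": m["cmd"]})
    return events


def _finding(ev, rule, detail):
    return {"rule": rule, "ts": ev["ts"], "pid": ev["pid"], "user": ev["user"], "detail": detail}


def detect(events, poweroff_threshold=3, window=timedelta(minutes=2)):
    """Apply the three rules to the events and return findings in time order."""
    findings = []
    recent_poweroffs = {}  # pid -> deque of power-off timestamps that fall inside `window`
    mass_reported = set()  # pids already reported, so a session is flagged once
    for ev in sorted(events, key=lambda e: e["ts"]):
        cmd = ev["cmd"]

        for pattern, desc in TAMPER_RULES:
            if pattern.search(cmd):
                findings.append(_finding(ev, "config_tamper", f"{desc}: {cmd}"))

        if POWER_OFF_RE.search(cmd):
            dq = recent_poweroffs.setdefault(ev["pid"], deque())
            dq.append(ev["ts"])
            while dq and ev["ts"] - dq[0] > window:  # drop power-offs older than the window
                dq.popleft()
            if len(dq) >= poweroff_threshold and ev["pid"] not in mass_reported:
                mass_reported.add(ev["pid"])
                findings.append(_finding(ev, "mass_vm_poweroff",
                                         f"{len(dq)} VM power-off/kill commands within {window}"))

        tokens = cmd.split()
        program = tokens[0] if tokens else ""
        if program.startswith(UNTRUSTED_DIRS):  # executable lives outside the installed system image
            findings.append(_finding(ev, "untrusted_exec", f"binary run from non-system path: {program}"))
    return findings


def run_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_shell_log(SAMPLE_SHELL_LOG))


if __name__ == "__main__":
    for f in run_sample():
        print(f"{f['ts']:%Y-%m-%dT%H:%M:%SZ} pid={f['pid']} user={f['user']} {f['rule']}: {f['detail']}")
```

On the sample the detector returns four findings, all from the same shell session: the firewall change, the new account, the third VM shutdown inside the two-minute window, and the run of /tmp/encrypt. The benign `esxcli storage filesystem list` a day later produces nothing. In practice the log should be read from a copy forwarded off the host, since an attacker with shell access can clear the local file, and the window and threshold should be tuned to what normal maintenance on the cluster looks like.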

These strategies—when combined—help mitigate the identity, privilege, and persistence techniques now central to Scattered Spider's approach.

 

Final Thoughts

Scattered Spider isn’t going away. If anything, their decentralized, fast-moving structure—and collaboration with established ransomware affiliates—makes them increasingly dangerous.

Their attacks on ESXi highlight a shift in adversary focus: away from user devices and toward the virtualization backbone of the enterprise. They target the layers where visibility is low and controls are often weakest.

Hypervisor-layer resilience is now essential to reducing enterprise-wide ransomware risk.

Scattered Spider is already spinning its web across your infrastructure. Strengthen your defenses now—before your organization gets caught in the next breach.
