Hacking Tactics Linked to Retail and Airline Breaches

A group of adolescent cybercriminals known as Scattered Spider has recently targeted VMware hypervisors, successfully infiltrating corporate environments through Active Directory. This emerging threat landscape has led to a concerning trend in data theft and ransomware attacks, particularly directed at the retail, airline, and insurance sectors. Unlike more conventional Windows ransomware schemes, the group employs a “living off the land” strategy that offers increased speed and stealth, as highlighted in a recent blog post by Mandiant, a Google-backed intelligence firm.
“Critical workloads can be shut down, and ransomware can be deployed across an entire virtual environment. Sensitive data stored in virtual machines, including databases and proprietary code, may be cloned and exfiltrated,” stated Christiaan Beek, senior director of threat intelligence at Rapid7, emphasizing the risks inherent to these attacks.
Proficient in social engineering, Scattered Spider has demonstrated the ability to manipulate help desk personnel into granting access to high-value credentials. Their modus operandi has evolved to specifically target Active Directory environments, exploiting the tight integration with VMware vSphere, which is often favored by organizations for its operational efficiency.
Historically, vSphere has been a frequent target for attackers. Its ESXi hypervisors support mission-critical operations that often lack comprehensive security defenses. Mandiant notes that ransomware aimed specifically at ESXi systems has surged, growing from approximately 2% in 2020 to over 10% in 2024. The data indicates that variants such as Redbike, Ransomhub, and Lockbit.Black have been the most frequently deployed by threat actors.
The motivations behind targeting vSphere largely stem from the chaos that an ESXi breach can instigate and the systemic security vulnerabilities present in its architecture. Some organizations have begun moving essential workloads from the cloud back to on-premises vSphere environments, seeking greater operational control. However, upgrading these hypervisors can be both complex and costly, presenting attackers with opportunities to exploit known, yet unpatched, vulnerabilities.
Mandiant has specifically warned against directly integrating ESXi hosts with Active Directory, underscoring the absence of multifactor authentication for AD users accessing ESXi. This allows for single-factor password-based authentication, thereby exposing critical hypervisor access. Scattered Spider’s tactics have highlighted how social engineering can facilitate rapid deployment of ransomware directly from the hypervisor layer.
Once inside, Scattered Spider targets Active Directory security groups with administrative privileges, seeking to gain further access through impersonation tactics. A successful impersonation can lead to password resets, enabling the group to obtain root access where multifactor authentication controls are absent.
Differentiating itself from traditional cyber threats, Scattered Spider’s shift toward VMware vSphere represents a broader trend within the cybersecurity landscape, compelling organizations to reassess their protective measures. Experts advocate that virtualization environments should avoid direct domain membership, recommending access management through roles and permissions within vCenter to mitigate risks.
Mandiant advises companies to adopt stronger security protocols, such as implementing phishing-resistant multifactor authentication and enabling remote logging for ESXi and vCenter systems. The evolution of cyber threats targeting hypervisors necessitates a profound reconsideration of vSphere security strategies, as attackers increasingly bypass traditional defenses.
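As an added example (not from the article, Mandiant, or VMware), the PowerCLI audit below checks each ESXi host under a vCenter against two of the recommendations above: whether the host is directly joined to an Active Directory domain, and whether a remote syslog target is configured. The vCenter name is a placeholder, and the script assumes a read-only vCenter account and an installed VMware PowerCLI module.

```powershell
# Added example: audit ESXi hosts for direct AD membership (discouraged in the
# guidance above) and for a configured remote syslog target (recommended).
# 'vcenter.example.internal' is a placeholder; replace with your vCenter.
Import-Module VMware.VimAutomation.Core

$vc = Connect-VIServer -Server 'vcenter.example.internal'

$report = foreach ($esx in Get-VMHost) {
    # Host-level authentication config: a non-empty Domain means the ESXi host
    # itself is AD-joined, so AD passwords alone can reach the hypervisor.
    $auth   = Get-VMHostAuthentication -VMHost $esx
    $joined = -not [string]::IsNullOrEmpty($auth.Domain)

    # Remote syslog targets; an empty list means logs live only on the host
    # and can be destroyed along with it.
    $syslog       = @(Get-VMHostSysLogServer -VMHost $esx)
    $hasRemoteLog = $syslog.Count -gt 0

    if ($joined -and -not $hasRemoteLog) {
        $finding = 'AD-joined and no remote logging'
    } elseif ($joined) {
        $finding = 'AD-joined: review against vCenter role-based access'
    } elseif (-not $hasRemoteLog) {
        $finding = 'No remote syslog target'
    } else {
        $finding = 'OK'
    }

    [pscustomobject]@{
        Host          = $esx.Name
        ADJoined      = $joined
        ADDomain      = $auth.Domain
        RemoteSyslog  = $hasRemoteLog
        SyslogTargets = ($syslog | ForEach-Object { "$($_.Host):$($_.Port)" }) -join ','
        Finding       = $finding
    }
}

# Worst findings first: hosts that are both AD-joined and unlogged.
$report | Sort-Object Finding | Format-Table -AutoSize

Disconnect-VIServer -Server $vc -Confirm:$false
```

Hosts reported as AD-joined are candidates for leaving the domain in favour of vCenter roles and permissions; hosts without a syslog target should be pointed at a collector outside the virtual environment so that logs survive a hypervisor compromise.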