Scattered Spider Hijacks VMware ESXi to Deploy Ransomware on Critical U.S. Infrastructure
The Scattered Spider cybercrime group is conducting sophisticated attacks against VMware ESXi hypervisors in North America’s retail, airline, and transportation sectors through social engineering phone calls to IT help desks. According to Google’s Mandiant team, the threat actors impersonate administrators to reset passwords, then pivot to VMware vSphere environments where they execute “disk-swap” attacks to extract Active Directory databases, delete backups, and deploy custom ransomware directly from hypervisors. The group’s “living-off-the-land” approach leverages trusted administrative systems to achieve complete infrastructure compromise within hours while bypassing endpoint security tools and leaving minimal forensic traces. Google emphasizes that hypervisor-targeted ransomware poses severe risks due to its capacity for immediate infrastructure paralysis, urging organizations to implement vSphere lockdown mode, phishing-resistant multi-factor authentication, and centralized logging as VMware vSphere 7 approaches end-of-life in October 2025.
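The summary closes by naming three controls (vSphere lockdown mode, phishing-resistant MFA, centralized logging) but says nothing about how to confirm they are in place. The following read-only PowerCLI audit is an added example, not code from the article or from Google/Mandiant; it assumes VMware PowerCLI is installed, the account has read access to vCenter, and the vCenter name is a placeholder. It reports, per ESXi host, whether lockdown mode is enabled, whether a remote syslog target is configured, and whether SSH or the ESXi Shell is running, which are the host-side conditions that make a help-desk-obtained credential useful to an attacker.

```powershell
# Added example (not from the article or from Google/Mandiant): read-only
# PowerCLI audit of two hardening controls the summary names (lockdown mode,
# centralized logging) plus interactive-shell exposure on each ESXi host.
# Assumptions: PowerCLI is installed, the account can read vCenter, and the
# vCenter hostname below is a placeholder.

param(
    [string]$VCenter = 'vcenter.example.invalid'   # placeholder, not from the article
)

Import-Module VMware.PowerCLI -ErrorAction Stop
Connect-VIServer -Server $VCenter | Out-Null

$report = foreach ($esx in Get-VMHost) {
    # HostConfigInfo.lockdownMode: lockdownDisabled | lockdownNormal | lockdownStrict
    $lockdown = $esx.ExtensionData.Config.LockdownMode

    # Syslog.global.logHost lists the remote log target(s); empty means logs
    # stay on the host, where a hypervisor-level intruder can remove them.
    $logHost = (Get-AdvancedSetting -Entity $esx -Name 'Syslog.global.logHost').Value

    # Service keys: 'TSM-SSH' is the SSH daemon, 'TSM' is the ESXi Shell.
    $services = Get-VMHostService -VMHost $esx
    $ssh   = ($services | Where-Object { $_.Key -eq 'TSM-SSH' }).Running
    $shell = ($services | Where-Object { $_.Key -eq 'TSM' }).Running

    [pscustomobject]@{
        Host         = $esx.Name
        LockdownMode = $lockdown
        LockdownOK   = ($lockdown -ne 'lockdownDisabled')
        RemoteSyslog = $logHost
        SyslogOK     = (-not [string]::IsNullOrWhiteSpace($logHost))
        SshRunning   = $ssh
        ShellRunning = $shell
    }
}

# Full inventory for the record
$report | Format-Table -AutoSize

# Hosts failing either named control; feed this list to the remediation ticket
$report | Where-Object { -not $_.LockdownOK -or -not $_.SyslogOK } |
    Select-Object Host, LockdownMode, RemoteSyslog

Disconnect-VIServer -Server $VCenter -Confirm:$false
```

Run it from a workstation with PowerCLI against each vCenter; the second table is the gap list. Remediation is deliberately left out of the script: enabling lockdown mode changes who can log in directly to a host and should go through change control, and the syslog target belongs in host profiles or the same vCenter-driven configuration used for the rest of the fleet so it cannot drift back.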