Scattered Spider is a group that’s also been tracked under names like UNC3944 and Octo Tempest. Lately, they’ve been going after companies in the United States, mostly in areas like retail, airlines, and transportation. Instead of breaking in through software bugs, they just trick people. One of their go-to moves is calling up the IT help desk and pretending to be someone who works there to get into the system. These calls are aimed at gaining access to key accounts by triggering password resets.
Once inside, the attackers search for internal guides, admin directories, and access credentials. They frequently extract sensitive data from privileged access management platforms like HashiCorp Vault. Their next move involves targeting the VMware vSphere environment, where they impersonate vSphere administrators to reach the vCenter Server Appliance.
Once they’re in, one of the first things they do is turn on SSH on the ESXi machines and reset root passwords. They also get a reverse shell running, usually something encrypted so it slips past security tools. Another trick they pull off is what’s been called a disk swap. Basically, they shut down a domain controller VM, take out its virtual disk, hook it up to a different VM they control, grab the NTDS.dit file from there, and then quietly put everything back like nothing happened.
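The three host-level moves described above (SSH turned on, root password reset, and the disk swap against a domain controller) all leave a trail in vCenter events and ESXi host logs. The following is an added detection example, not code from the article or from any vendor: it correlates a constructed, simplified stream of `key=value` event lines, flags SSH enablement and root password changes, and pairs a disk detach from one VM with an attach of the same VMDK to a different VM within a short window. Real vCenter event objects (e.g. `VmReconfiguredEvent`) and hostd/auth log syntax differ, so the parser is an assumption to be adapted to your SIEM's normalized schema.

```python
import re
from datetime import datetime, timedelta

# Constructed sample events in a simplified "<timestamp> k=v k=v ..." form.
# This is NOT real vCenter/ESXi log syntax; adapt parse_event() to your schema.
SAMPLE_EVENTS = """\
2025-07-30T01:58:11Z host=esx01 user=svc-backup@corp.local event=vm_powered_off vm=DC01
2025-07-30T02:03:40Z host=esx01 user=svc-backup@corp.local event=vm_reconfigured vm=DC01 op=disk_detach disk=[ds01] DC01/DC01.vmdk
2025-07-30T02:05:02Z host=esx01 user=svc-backup@corp.local event=vm_reconfigured vm=JUMPBOX7 op=disk_attach disk=[ds01] DC01/DC01.vmdk
2025-07-30T02:31:19Z host=esx01 user=svc-backup@corp.local event=vm_reconfigured vm=JUMPBOX7 op=disk_detach disk=[ds01] DC01/DC01.vmdk
2025-07-30T02:32:00Z host=esx01 user=svc-backup@corp.local event=vm_reconfigured vm=DC01 op=disk_attach disk=[ds01] DC01/DC01.vmdk
2025-07-30T02:33:15Z host=esx01 user=svc-backup@corp.local event=vm_powered_on vm=DC01
2025-07-30T02:40:08Z host=esx02 user=svc-backup@corp.local event=ssh_service_enabled
2025-07-30T02:41:55Z host=esx02 user=svc-backup@corp.local event=account_password_changed account=root
2025-07-30T09:00:00Z host=esx03 user=ops@corp.local event=vm_reconfigured vm=WEB04 op=disk_attach disk=[ds02] WEB04/WEB04_1.vmdk
"""

# A value is either a datastore path "[ds] folder/file.vmdk" (contains a space)
# or a plain token without spaces.
FIELD_RE = re.compile(r'(\w+)=(\[[^\]]+\]\s+\S+|\S+)')


def parse_event(line):
    """Split '<timestamp> k=v k=v ...' into a dict with a parsed 'ts' field."""
    ts, _, rest = line.partition(' ')
    ev = dict(FIELD_RE.findall(rest))
    ev['ts'] = datetime.strptime(ts, '%Y-%m-%dT%H:%M:%SZ')
    return ev


def home_vm(disk_path):
    """'[ds01] DC01/DC01.vmdk' -> 'DC01': the VM folder the disk belongs to."""
    _, _, rel = disk_path.partition('] ')
    return rel.split('/', 1)[0]


def detect(lines, window=timedelta(minutes=30)):
    """Return alert dicts for SSH enablement, root password resets and
    VMDKs moved between VMs (detach from A, attach to B within `window`)."""
    alerts = []
    detached = {}  # disk path -> (vm it was removed from, when)
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = parse_event(raw)
        kind = ev.get('event')
        base = {'host': ev.get('host'), 'user': ev.get('user'), 'ts': ev['ts']}
        if kind == 'ssh_service_enabled':
            alerts.append({'rule': 'ssh_enabled', **base})
        elif kind == 'account_password_changed' and ev.get('account') == 'root':
            alerts.append({'rule': 'root_password_reset', **base})
        elif kind == 'vm_reconfigured':
            disk, vm, op = ev.get('disk'), ev.get('vm'), ev.get('op')
            if op == 'disk_detach':
                detached[disk] = (vm, ev['ts'])
            elif op == 'disk_attach':
                origin = detached.pop(disk, None)
                if origin and origin[0] != vm and ev['ts'] - origin[1] <= window:
                    # Disk going back to its own folder's VM is the "put it back"
                    # step; anything else is the swap itself.
                    rule = 'disk_returned' if vm == home_vm(disk) else 'disk_swap'
                    alerts.append({'rule': rule, 'disk': disk,
                                   'from_vm': origin[0], 'to_vm': vm, **base})
    return alerts


if __name__ == '__main__':
    for alert in detect(SAMPLE_EVENTS.splitlines()):
        print(alert)
```

On the constructed sample the detector produces four alerts: the swap of DC01's disk onto JUMPBOX7, its return, the SSH enablement on esx02 and the root password change on esx02; the routine WEB04 attach produces nothing because the disk never left another VM. A single service account driving all of these within an hour is the kind of cluster a SOC would escalate.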
After eliminating backup data by wiping snapshots, backup jobs, and repositories, they use SCP or SFTP to drop ransomware payloads onto the hosts and encrypt virtual machine files across the datastores. This entire sequence can unfold in just a few hours.
Google and Unit 42 have tied Scattered Spider to ransomware group DragonForce. In one breach, over 100 GB of data was exfiltrated in less than 48 hours.
Defenders are advised to harden vSphere setups, avoid joining ESXi to Active Directory, enforce phishing-resistant MFA, isolate Tier 0 assets, and disable unused VMs. As VMware vSphere 7 nears end-of-life in late 2025, organizations must rethink their architecture or risk complete infrastructure compromise.
With this level of control, the group often wipes backup systems by erasing snapshots and job repositories, making recovery difficult. In the final stage, they use their SSH foothold to deploy and launch ransomware, quickly encrypting all virtual machine files. Investigators note that this attack chain, from initial access to full ransomware deployment, can play out within just a few hours.
Google and Palo Alto Networks Unit 42 link Scattered Spider to the DragonForce ransomware group, noting that data theft exceeded 100 GB in under two days during one attack. Organizations facing these fast-moving threats need to tighten security around their vSphere environment. That means turning on lockdown mode, setting strict execInstalledOnly policies, encrypting virtual machines, avoiding ESXi’s integration with Active Directory, and removing any orphaned or unused VMs.
Isolating critical Tier 0 assets and enforcing multi-factor authentication that resists phishing are equally important, as is avoiding authentication loops (where the vSphere layer authenticates against an Active Directory whose domain controllers run as VMs on that same vSphere layer). Monitoring logs centrally and keeping backups separate and off limits to compromised accounts adds crucial protection. As VMware vSphere 7 approaches its end-of-life in October 2025, now is the time to reevaluate your security approach. The time to act is today, not tomorrow. Ignoring this puts your virtual environment at risk of fast, crippling ransomware attacks that can bring operations to a standstill and cause serious financial damage.
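The hardening recommendations in the preceding paragraphs (lockdown mode, execInstalledOnly, no SSH, no Active Directory join, VM encryption, Tier 0 isolation, no authentication loop, no orphaned VMs) are easier to keep honest as a repeatable audit than as a checklist. The following is an added example, not code from the article or from VMware: it evaluates a constructed host and VM inventory against that baseline and emits findings. The inventory dicts and their field names are this example's own assumption; in practice they would be populated from vCenter via PowerCLI or pyvmomi, and the lockdown values `disabled`/`normal`/`strict` mirror the three vSphere lockdown modes.

```python
from datetime import date

# Constructed inventory (an assumption for this example); populate from vCenter
# in practice. Field names are this example's own, not a VMware API schema.
HOSTS = [
    {"name": "esx01", "cluster": "prod", "lockdown": "normal",
     "exec_installed_only": True, "ssh_running": False, "ad_joined": False},
    {"name": "esx02", "cluster": "prod", "lockdown": "disabled",
     "exec_installed_only": False, "ssh_running": True, "ad_joined": True},
    {"name": "esx03", "cluster": "mgmt", "lockdown": "strict",
     "exec_installed_only": True, "ssh_running": False, "ad_joined": False},
]
VMS = [
    {"name": "DC01", "host": "esx02", "tier0": True, "encrypted": False,
     "power_state": "on", "last_power_off": None},
    {"name": "VAULT01", "host": "esx03", "tier0": True, "encrypted": True,
     "power_state": "on", "last_power_off": None},
    {"name": "WEB04", "host": "esx01", "tier0": False, "encrypted": False,
     "power_state": "on", "last_power_off": None},
    {"name": "OLDTEST", "host": "esx01", "tier0": False, "encrypted": False,
     "power_state": "off", "last_power_off": date(2025, 1, 10)},
]


def audit(hosts, vms, today=None, stale_days=90):
    """Return (severity, object, message) findings against the baseline."""
    today = today or date.today()
    findings = []
    host_by_name = {h["name"]: h for h in hosts}

    # Per-host controls: the settings an attacker with vCenter access would
    # otherwise flip or abuse (SSH, root shell, unsigned binaries, AD creds).
    for h in hosts:
        if h["lockdown"] == "disabled":
            findings.append(("high", h["name"], "lockdown mode disabled"))
        if not h["exec_installed_only"]:
            findings.append(("high", h["name"], "execInstalledOnly not enforced"))
        if h["ssh_running"]:
            findings.append(("medium", h["name"], "SSH service running"))
        if h["ad_joined"]:
            findings.append(("high", h["name"], "ESXi joined to Active Directory"))

    # Per-VM controls and the authentication-loop check: a Tier 0 VM (e.g. a
    # domain controller) on an AD-joined host means the host's own logins
    # depend on a directory the attacker can take offline or steal from here.
    for vm in vms:
        host = host_by_name[vm["host"]]
        if vm["tier0"]:
            if host["ad_joined"]:
                findings.append(("critical", vm["name"],
                                 f"authentication loop: Tier 0 VM on AD-joined host {host['name']}"))
            if not vm["encrypted"]:
                findings.append(("high", vm["name"], "Tier 0 VM not encrypted"))
        if vm["power_state"] == "off" and vm["last_power_off"] is not None \
                and (today - vm["last_power_off"]).days > stale_days:
            findings.append(("low", vm["name"],
                             f"powered off for more than {stale_days} days; remove if orphaned"))

    # Tier 0 isolation: a cluster that hosts Tier 0 VMs should host nothing else.
    clusters_tier0 = {host_by_name[v["host"]]["cluster"] for v in vms if v["tier0"]}
    for cluster in sorted(clusters_tier0):
        mixed = [v["name"] for v in vms
                 if not v["tier0"] and host_by_name[v["host"]]["cluster"] == cluster]
        if mixed:
            findings.append(("high", cluster,
                             f"Tier 0 cluster also runs non-Tier 0 VMs: {', '.join(mixed)}"))
    return findings


if __name__ == "__main__":
    for severity, obj, msg in audit(HOSTS, VMS, today=date(2025, 7, 30)):
        print(f"[{severity:8}] {obj}: {msg}")
```

Run against the sample inventory, esx02 accounts for four findings on its own, DC01 raises the one critical authentication-loop finding plus a missing-encryption finding, the shared `prod` cluster breaks Tier 0 isolation, and the long-off OLDTEST VM is flagged for removal; VAULT01 on the dedicated, locked-down `mgmt` host passes cleanly. Scheduling this against live inventory and alerting on any new finding catches configuration drift before an intruder does.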