A new wave of ransomware actors is rewriting the rulebook, and their sights are set on the foundation of enterprise infrastructure: VMware ESXi. 

Scattered Spider—also tracked as UNC3944, 0ktapus, and Muddled Libra among others—is one of the most agile and dangerous threat clusters in operation today. They’re not a traditional ransomware gang. They’re a loosely connected web of English-speaking cybercriminals, some as young as 16, who organize in Telegram channels, Discord servers, and forums to launch real-time, highly coordinated attacks.  

And two of the most damaging incidents they’ve pulled off? Both targeted ESXi. 

 

From Social Engineering to System-Wide Shutdowns 

The MGM Resorts ESXi attack in late 2023 marked a turning point in infrastructure-layer ransomware. After conducting detailed reconnaissance and executing a SIM swap, Scattered Spider impersonated an employee to bypass identity verification and manipulate MGM’s IT help desk into handing over access credentials. Within days, over 100 ESXi hypervisors were encrypted using BlackCat ransomware, resulting in a 36-hour outage, a $100M hit, and a class-action lawsuit settled for $45M.  

Scattered Spider’s tactics have been tied to over 100 targeted attacks across industries—including Caesars Entertainment, which reportedly paid $15 million following a similar ESXi intrusion. More recently, the affiliated actors struck Marks & Spencer, one of the UK’s most well-known retail brands. The ransomware deployment—linked to the DragonForce operation—forced the company’s website and apps offline, disrupted store operations, and exposed customer data. Analysts estimate the financial fallout could exceed $400 million, roughly half of M&S’s annual profits. 

Scattered Spider has been refining these tactics since 2022. Long before the M&S and MGM headlines, they were breaching companies like Twilio, Riot Games, and DoorDash using voice-based social engineering to bypass MFA and take over admin accounts. Their approach isn’t smash-and-grab; it’s methodical, calculated, and evolving—now with VMware ESXi squarely in their sights. 

 

Why ESXi? 

ESXi hosts are a goldmine. They’re often under-monitored, centralized, and run critical workloads across entire enterprises. Breaching one hypervisor doesn’t just encrypt a single server—it can paralyze an entire organization. 

Scattered Spider actors, or affiliates, are acutely aware of this. Their ESXi-specific attacks are part of a broader trend, recognized in the latest MITRE ATT&CK v17 update, which added new techniques explicitly for VMware ESXi. Scattered Spider has refined its identity-first approach, focusing on account takeover via help desk scams, SIM swaps, and adversary-in-the-middle (AiTM) phishing kits before pivoting to infrastructure access and ESXi-based ransomware deployment. 

Attackers are: 

  • Leveraging SSH and SSO misconfigurations to gain a foothold or enable remote code execution. 
  • Encrypting virtual machines directly at the hypervisor level, disrupting multiple workloads at once. 
  • Bypassing traditional signature-based detection through “living off the land” techniques using native ESXi utilities. 

These aren’t theoretical risks. The ESXi ransomware playbook is real… and it’s working. 

 

How to Strengthen Your Defenses Against Scattered Spider 

Scattered Spider isn’t just exploiting vulnerabilities—they’re exploiting people, identity gaps, and blind spots in infrastructure. Their tactics are aggressive, fast, and hard to stop with traditional defenses.  

To reduce risk and strengthen infrastructure resilience, organizations need controls designed for the hypervisor layer—not retrofitted around it. That’s where ZeroLock® comes in. It’s the only solution engineered specifically to protect VMware ESXi from modern ransomware threats—including the exact tactics Scattered Spider has used in headline-making attacks like MGM and Marks & Spencer. 

Here’s how ZeroLock breaks their playbook.

Secure SSH Entry Points with Enforced Multi-Factor Authentication

Scattered Spider often gains initial access through weak or misconfigured remote access. ZeroLock hardens the ESXi host by enforcing SSH-based MFA at the hypervisor layer, eliminating one of the most abused access paths for credentialed intrusions. 

Prevent Unauthorized Changes with Hypervisor Lockdown Rules

Once inside, Scattered Spider actors are known to disable protections and manipulate system configurations. ZeroLock enforces pre-defined lockdown rules that block unauthorized or dangerous hypervisor actions, cutting off privilege escalation and ransomware staging attempts. 

Block Living-off-the-Land Abuse with Application Filtering

Scattered Spider frequently leverages built-in ESXi tools to move laterally, enumerate assets, or prepare systems for encryption. ZeroLock’s application filtering blocks or restricts these tools based on behavioral context and lockdown rules, stopping attackers from blending in with legitimate admin activity. 

Detect and Interrupt Early-Stage Attack Behaviors with AI Detection

Before deploying ransomware, Scattered Spider often installs malicious tools, sets persistence, and begins data exfiltration. ZeroLock uses AI-Behavioral Detection to identify abnormal command sequences, privilege use, or file system access patterns—alerting defenders to pre-encryption activity in real time. 
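The “living off the land” list above and the abnormal-command-sequence detection just described are easier to reason about with a concrete rule set. The following is an added example written for this post; it is not ZeroLock code and not part of the original article. It runs three defender-side rules over a handful of constructed log lines that approximate the layout of ESXi’s /var/log/shell.log (timestamp, shell[pid], [user], command): SSH being switched on from the local shell, a burst of VM power-offs by one account, and the enable-SSH, enumerate-VMs, power-off staging order that hypervisor-level ransomware tends to follow before encrypting datastores. The native commands matched are standard ESXi utilities; the thresholds, window sizes, and sample lines are assumptions chosen for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines that approximate the ESXi /var/log/shell.log layout
# (timestamp, shell[pid], [user], command). Invented for this example.
SAMPLE_SHELL_LOG = """\
2024-05-01T02:10:03Z shell[2101]: [root]: vim-cmd hostsvc/enable_ssh
2024-05-01T02:10:40Z shell[2101]: [root]: vim-cmd vmsvc/getallvms
2024-05-01T02:11:02Z shell[2101]: [root]: vim-cmd vmsvc/power.off 12
2024-05-01T02:11:05Z shell[2101]: [root]: vim-cmd vmsvc/power.off 13
2024-05-01T02:11:07Z shell[2101]: [root]: vim-cmd vmsvc/power.off 14
2024-05-01T02:11:09Z shell[2101]: [root]: vim-cmd vmsvc/power.off 15
2024-05-01T02:11:11Z shell[2101]: [root]: vim-cmd vmsvc/power.off 16
2024-05-01T09:30:12Z shell[3304]: [admin]: esxcli storage filesystem list
2024-05-01T09:31:00Z shell[3304]: [admin]: vim-cmd vmsvc/power.off 21
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\dT\d\d:\d\d:\d\dZ) shell\[(?P<pid>\d+)\]: "
    r"\[(?P<user>[^\]]+)\]: (?P<cmd>.*)$"
)

# Native ESXi commands that are legitimate for admins but show up in
# hypervisor-level ransomware staging when chained together quickly.
ENABLE_SSH = "vim-cmd hostsvc/enable_ssh"
ENUMERATE_VMS = "vim-cmd vmsvc/getallvms"
POWER_OFF_RE = re.compile(r"^(vim-cmd vmsvc/power\.off\b|esxcli vm process kill\b)")

# Assumed tuning values; a real deployment would baseline these per site.
BULK_THRESHOLD = 3                 # power-offs by one user within BULK_WINDOW
BULK_WINDOW = timedelta(minutes=5)
SEQUENCE_WINDOW = timedelta(minutes=30)


def parse_shell_log(text):
    """Yield (timestamp, user, command) tuples; skip lines that do not match."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        yield ts, m["user"], m["cmd"].strip()


def detect(text):
    """Return a list of findings over a shell.log excerpt.

    Rules:
      ssh_enabled_from_shell  - remote access turned on from the local shell
      bulk_vm_shutdown        - >= BULK_THRESHOLD power-offs within BULK_WINDOW
      pre_encryption_sequence - enable_ssh -> getallvms -> power.off inside
                                SEQUENCE_WINDOW by the same account
    """
    findings = []
    power_offs = defaultdict(list)   # user -> timestamps of recent power-offs
    stage = {}                       # user -> (stage reached, time of first step)

    for ts, user, cmd in parse_shell_log(text):
        if cmd == ENABLE_SSH:
            findings.append({"rule": "ssh_enabled_from_shell", "user": user,
                             "time": ts.isoformat(), "severity": "medium"})
            stage[user] = (1, ts)
        elif cmd == ENUMERATE_VMS and stage.get(user, (0,))[0] == 1:
            stage[user] = (2, stage[user][1])
        elif POWER_OFF_RE.match(cmd):
            # Sliding window of power-offs per user
            window = [t for t in power_offs[user] if ts - t <= BULK_WINDOW]
            window.append(ts)
            power_offs[user] = window
            if len(window) == BULK_THRESHOLD:
                findings.append({"rule": "bulk_vm_shutdown", "user": user,
                                 "time": ts.isoformat(), "severity": "high"})
            # Full staging sequence completed inside the window
            if user in stage and stage[user][0] == 2 \
                    and ts - stage[user][1] <= SEQUENCE_WINDOW:
                findings.append({"rule": "pre_encryption_sequence", "user": user,
                                 "time": ts.isoformat(), "severity": "critical"})
                stage.pop(user)
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_SHELL_LOG):
        print(f"{f['time']} {f['severity']:8} {f['rule']:24} user={f['user']}")
```

On the constructed input, the root session triggers all three rules while the admin session’s single power-off stays silent. The point of the sequence rule is that none of these commands is suspicious on its own; the ordering and the time between them carry the signal, which is why collecting shell.log off-host (syslog forwarding) before an attacker can disable logging matters as much as the rules themselves.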

Scattered Spider has mastered the art of bypassing traditional defenses. ZeroLock is how you fight back—by securing the hypervisor layer they now rely on. 

 

Final Thoughts 

Scattered Spider isn’t going away. If anything, their decentralized model, youth-led audacity, and growing affiliations with seasoned ransomware groups make them more dangerous by the day. They’ve already proven they can take down global retail and hospitality brands with little more than a phone call and a well-timed script. 

Their attacks on ESXi aren’t slowing down, and unless defenders adapt quickly, more organizations will fall victim. Scattered Spider’s strategy deliberately avoids EDR, firewalls, and traditional network defenses—focusing instead on identity, SaaS, and hypervisors where visibility is weakest and controls are thinnest. 

Resilience at the hypervisor layer is now critical to enterprise-wide risk reduction.  

Scattered Spider is already spinning its web across the enterprise. Strengthen your hypervisor now—before your organization becomes the next victim tangled in the silk.