The financial sector is built on trust, speed, and constant availability. Despite publicly announcing their “retirement,” Scattered Spider has resurfaced with fresh intrusions into U.S. banks and financial services. Their latest ESXi attack on finance proves the threat has sharpened.

Their playbook remains the same: social engineering → identity hijacking → VMware ESXi exploitation. And in banking, credit unions, and fintech, those tactics have an outsized impact. 


Social Engineering the Help Desk 

Phishing is the most common initial attack vector, responsible for 16% of breaches in 2025. Scattered Spider has repeatedly used vishing (voice phishing) and impersonation to compromise enterprises. In 2023, MGM Resorts suffered $110 million in costs following a help-desk social engineering attack that gave intruders access to ESXi hypervisors. Caesars Entertainment quietly paid a $15 million ransom after a similar intrusion, and, more recently, Marks & Spencer took a $402M hit.

In September 2025, ReliaQuest uncovered the same tactics at a U.S. bank. Scattered Spider socially engineered an executive into resetting their password through Azure Active Directory’s self-service portal. From that single action, attackers gained entry to sensitive IT and security documents, pivoted laterally through Citrix and VPN, and ultimately seized VMware ESXi infrastructure.

Why finance is uniquely at risk: 

  • Financial firms rely heavily on large, often outsourced call centers, where staff are under pressure to resolve lockouts quickly. This operational model creates conditions that make impersonation attacks more likely. 
  • A successful scam can yield privileged access into systems handling wire transfers, loan servicing, or customer portals, bypassing millions in existing security investment. 


MFA Bypass and Identity Hijacking 

Even when MFA is enforced, Scattered Spider actors have proven adept at bypassing it: 

In the 2025 banking attack, the group reset a service account and used it to assign themselves Azure Global Administrator rights. That maneuver effectively bypassed identity safeguards across the enterprise, turning what should have been strong MFA into little more than a speed bump.

Financial sector impact: 

  • Banks and fintechs depend heavily on single sign-on (SSO) and Virtual Desktop Infrastructure (VDI) to manage high user volumes securely. Research shows that financial services account for ~60% of desktop virtualization deployments. 
  • A single hijacked identity can unlock trading platforms, SWIFT terminals, and core banking apps, effectively functioning as a master key. 
  • Once inside, attackers can manipulate transactions, plant persistence, or pivot deeper into infrastructure — all while appearing to be a legitimate user. 
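The reset-then-escalate sequence described above leaves a trail in Entra ID (Azure AD) audit logs that an identity team can hunt for. The following is an added example, not code from the original post or from ZeroLock; its audit records are constructed and their field names are simplified from the real audit schema.

```python
"""Hunt for the reset-then-escalate pattern in Entra ID (Azure AD) audit
logs: a password reset followed within a short window by a privileged
role grant to, or by, the reset account. Added example; record fields are
simplified and the events below are constructed, not real log data."""
from datetime import datetime, timedelta

SAMPLE_EVENTS = [  # constructed sample audit records
    {"time": "2025-09-10T14:02:11", "activity": "Reset user password",
     "actor": "helpdesk@example.test", "target": "svc-backup@example.test", "role": None},
    {"time": "2025-09-10T14:09:40", "activity": "Add member to role",
     "actor": "svc-backup@example.test", "target": "svc-backup@example.test",
     "role": "Global Administrator"},
    {"time": "2025-09-07T10:00:00", "activity": "Reset user password",
     "actor": "helpdesk@example.test", "target": "jdoe@example.test", "role": None},
    {"time": "2025-09-10T16:30:00", "activity": "Add member to role",
     "actor": "admin@example.test", "target": "jdoe@example.test",
     "role": "Global Administrator"},
]

RESET_ACTIVITIES = {"Reset user password", "Reset password (by admin)",
                    "Change user password"}
PRIVILEGED_ROLES = {"Global Administrator", "Privileged Role Administrator"}

def find_suspicious_grants(events, window=timedelta(hours=1)):
    """Return one alert per privileged role grant that is self-assigned or
    that follows a password reset of the actor or target within `window`."""
    last_reset = {}  # account -> time of its most recent password reset
    alerts = []
    for ev in sorted(events, key=lambda e: e["time"]):
        t = datetime.fromisoformat(ev["time"])
        if ev["activity"] in RESET_ACTIVITIES:
            last_reset[ev["target"]] = t
            continue
        if ev["activity"] != "Add member to role" or ev["role"] not in PRIVILEGED_ROLES:
            continue
        reasons = []
        for label, account in (("actor", ev["actor"]), ("target", ev["target"])):
            reset_at = last_reset.get(account)
            if reset_at is not None and timedelta(0) <= t - reset_at <= window:
                minutes = int((t - reset_at).total_seconds() // 60)
                reasons.append(f"{label} {account} reset {minutes} min earlier")
        if ev["actor"] == ev["target"]:
            reasons.append("role self-assigned")
        if reasons:
            alerts.append({"time": ev["time"], "role": ev["role"],
                           "target": ev["target"], "reasons": reasons})
    return alerts
```

The grant three days after a reset (jdoe) stays quiet, while the service account that resets and then grants itself Global Administrator seven minutes later produces a single alert with three reasons.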


Targeting VMware ESXi Hypervisors 

After stealing credentials, Scattered Spider often pivots to the hypervisor layer, encrypting entire ESXi estates in one strike. 

Why this is catastrophic in finance: 

  • ESXi hypervisors underpin mission-critical workloads, including: 
    • Online banking portals and mobile apps 
    • ATM and card authorization systems 
    • Fraud detection engines 
    • Trading systems requiring millisecond uptime 
  • Virtualization is deeply entrenched in finance: the BFSI sector represented 26.5% of the global virtual machine market in recent years, and VMware remains the dominant enterprise hypervisor vendor. 
  • A single compromised ESXi host can result in institution-wide outages. 

The scale of damage is institution-wide. Patelco Credit Union learned this in 2024, when a hypervisor attack took online banking, ATMs, and wire services offline for weeks, costing $39M in losses and $7.25M in legal fallout.

ReliaQuest’s 2025 case crystallizes the danger. By moving from Citrix to VPN and into ESXi at a U.S. bank, Scattered Spider proved that the hypervisor is still the finish line of their campaigns, and in finance, that finish line means institution-wide paralysis.


Living Off the Land in ESXi 

Rather than dropping obvious malware, Scattered Spider uses native ESXi tools like esxcli and vim-cmd to enumerate, move laterally, and encrypt workloads. 

Finance-specific consequences: 

  • Conventional EDR and SIEM coverage stops at the guest VM; the hypervisor itself is not monitored, so activity there looks like routine admin behavior. 
  • Attacks may go unnoticed until payment queues stall or trading desks lose access to their virtual servers. 
  • In capital markets, even minutes of delay can erase millions in transaction volume. 
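Because the tools named above are legitimate admin utilities, detection has to key on how they are used rather than on their mere presence. The following is an added example, not code from the original post or from ZeroLock: it parses constructed shell.log lines (the line format is assumed from ESXi's /var/log/shell.log) and alerts when one shell session issues a burst of VM power-off or kill commands.

```python
"""Flag bursts of VM-stopping commands in an ESXi shell log. Added example,
not code from the original post or from ZeroLock; the log lines below are
constructed in the format ESXi writes to /var/log/shell.log."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_SHELL_LOG = """\
2025-09-10T09:06:42Z shell[2097001]: [admin]: vim-cmd vmsvc/power.off 7
2025-09-10T14:20:01Z shell[2098765]: [root]: vim-cmd vmsvc/getallvms
2025-09-10T14:20:09Z shell[2098765]: [root]: esxcli vm process list
2025-09-10T14:20:31Z shell[2098765]: [root]: vim-cmd vmsvc/power.off 12
2025-09-10T14:20:33Z shell[2098765]: [root]: vim-cmd vmsvc/power.off 13
2025-09-10T14:20:35Z shell[2098765]: [root]: esxcli vm process kill --type=force --world-id=2101234
2025-09-10T14:20:36Z shell[2098765]: [root]: vim-cmd vmsvc/power.off 14
""".splitlines()

LINE_RE = re.compile(r"^(\S+) shell\[(\d+)\]: \[([^\]]+)\]: (.*)$")
# Native ESXi commands that stop running VMs, and the ones that list them.
STOP_RE = re.compile(r"vim-cmd\s+vmsvc/power\.off|esxcli\s+vm\s+process\s+kill")
ENUM_RE = re.compile(r"vim-cmd\s+vmsvc/getallvms|esxcli\s+vm\s+process\s+list")

def parse_shell_log(lines):
    """Parse shell.log lines into dicts (time, session pid, user, cmd); skip non-matching."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, pid, user, cmd = m.groups()
            events.append({"time": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                           "session": pid, "user": user, "cmd": cmd})
    return events

def detect_vm_stop_bursts(lines, threshold=3, window=timedelta(seconds=120)):
    """Alert when one shell session issues >= threshold VM-stop commands inside `window`."""
    sessions = defaultdict(list)
    for ev in parse_shell_log(lines):
        sessions[ev["session"]].append(ev)
    alerts = []
    for pid, evs in sessions.items():
        evs.sort(key=lambda e: e["time"])
        stops = [e for e in evs if STOP_RE.search(e["cmd"])]
        for i, first in enumerate(stops):  # sliding window anchored on each stop command
            burst = [e for e in stops[i:] if e["time"] - first["time"] <= window]
            if len(burst) >= threshold:
                enumerated = any(ENUM_RE.search(e["cmd"]) for e in evs if e["time"] < first["time"])
                alerts.append({"session": pid, "user": first["user"], "stop_count": len(burst),
                               "first_stop": first["time"].isoformat(), "enumerated_first": enumerated})
                break
    return alerts
```

The admin session that powers off a single VM never trips the threshold; the root session that lists VMs and then stops four of them within five seconds does.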


The Fallout for Financial Institutions 

When these tactics converge, the damage is severe: 

  • Gartner projects global security spend will climb from $213B in 2025 to $240B in 2026, but without hypervisor-layer protection, even record budgets can’t stop a single Scattered Spider campaign from freezing operations. 
  • Critical payment or trading system downtime can cost $5–9M per hour, quickly outpacing average breach costs in the sector. 
  • Under GLBA and FFIEC expectations for cyber resilience, ransomware downtime can trigger regulatory review. Under the SEC’s new cyber disclosure rules, inadequate response or failure to disclose material ransomware events can expose CISOs and boards to liability. 
  • Customer trust erodes rapidly during outages, as Patelco’s prolonged downtime and litigation demonstrated in 2024. 

This isn’t just ransomware. It’s a regulatory, reputational, and continuity crisis. 


Countering Scattered Spider in Finance 

Most defenses stop at endpoints. But Scattered Spider has shown that, in finance, the real target is the hypervisor—and that’s where protections are weakest. 

ZeroLock® was engineered specifically for VMware ESXi, addressing 100% of MITRE’s ESXi TTPs and blocking the techniques Scattered Spider depends on: 

  • Enforce SSH MFA: prevents stolen credentials from granting hypervisor access. 
  • Lockdown Rules: blocks unauthorized commands and config changes. 
  • Application Filtering: halts abuse of ESXi tools for ransomware. 
  • AI Behavioral Detection: flags pre-encryption anomalies before systems fail. 


Final Thoughts 

Scattered Spider’s tactics are uniquely dangerous to finance because they turn the sector’s strengths into vulnerabilities: 

  • High-touch customer service → social engineering entry point 
  • Strict identity controls → MFA bypass targets 
  • Dependence on ESXi → mass-encryption blast radius 
  • Critical uptime demands → stealth exploitation = maximum damage 

For financial institutions, Scattered Spider’s playbook translates into regulatory exposure, customer disruption, and personal liability for CISOs and boards under SEC and FFIEC oversight. For banks, credit unions, and fintechs, Scattered Spider has proven the hypervisor is no longer an invisible layer. It’s the bullseye. Protecting it is the only way to break the ESXi playbook and prevent the next industry-wide shutdown.

If you’d like to explore practical ways to strengthen resilience at the hypervisor layer, our team is here to help. Book a demo of ZeroLock to see how it could fit into your environment.