Scattered Spider, a cybercriminal group, has recently targeted VMware ESXi hypervisors, encrypting entire virtual machine infrastructures using DragonForce ransomware. This attack cripples critical infrastructure, rendering virtual machines inoperable. The group gained initial access through sophisticated social engineering tactics, escalated privileges to gain administrative control, and deployed remote monitoring tools before executing the ransomware. The attack has led to significant financial damages and operational disruptions.
Source: https://cybersecuritynews.com/scattered-spider-esxi-ransomware-attacks/
TPRM report: https://www.rankiteo.com/company/vmware
"id": "vmw410073025",
"linkid": "vmware",
"type": "Ransomware",
"date": "7/2025",
"severity": "100",
"impact": "",
"explanation": "Attack threatening the organization’s existence"
{'affected_entities': [{'size': 'Large enterprises',
                        'type': 'Commercial facilities, Critical infrastructure'}],
 'attack_vector': ['Phishing',
                   'Spearphishing',
                   'Vishing',
                   'SIM Swap Attacks',
                   'Push Bombing'],
 'data_breach': {'data_encryption': 'Yes',
                 'data_exfiltration': 'Yes',
                 'type_of_data_compromised': ['Credentials',
                                              'Browser data',
                                              'Cookies',
                                              'Sensitive information']},
 'date_detected': 'June 2025',
 'date_publicly_disclosed': 'July 29, 2025',
 'description': 'A collaboration of international cybersecurity agencies issued an urgent updated advisory on July 29, 2025, highlighting the escalating threat posed by the Scattered Spider cybercriminal group, which has intensified attacks against critical infrastructure and commercial facilities sectors with increasingly sophisticated tactics and new ransomware variants.',
 'impact': {'data_compromised': 'Credentials, browser data, cookies, sensitive information',
            'financial_loss': 'Hundreds of millions in damages',
            'operational_impact': 'Crippling virtual machine infrastructures',
            'systems_affected': ['VMware ESXi hypervisors',
                                 'Snowflake cloud environments',
                                 'Slack',
                                 'Microsoft Teams',
                                 'Exchange Online']},
 'initial_access_broker': {'entry_point': 'Social engineering',
                           'high_value_targets': ['VMware ESXi hypervisors',
                                                  'Snowflake cloud environments',
                                                  'Slack',
                                                  'Microsoft Teams',
                                                  'Exchange Online']},
 'investigation_status': 'Ongoing',
 'motivation': 'Data theft for extortion, financial gain',
 'ransomware': {'data_encryption': 'Yes',
                'data_exfiltration': 'Yes',
                'ransomware_strain': 'DragonForce'},
 'recommendations': ['Implement phishing-resistant multifactor authentication',
                     'Maintain offline backups stored separately from source systems',
                     'Deploy application controls to manage software execution',
                     'Enhance monitoring for risky logins and unauthorized account misuse'],
 'references': [{'date_accessed': 'July 29, 2025',
                 'source': 'Federal Bureau of Investigation (FBI)'},
                {'date_accessed': 'July 29, 2025',
                 'source': 'Cybersecurity and Infrastructure Security Agency (CISA)'},
                {'date_accessed': 'July 29, 2025',
                 'source': 'Royal Canadian Mounted Police (RCMP)'},
                {'date_accessed': 'July 29, 2025',
                 'source': 'Australian Signals Directorate’s Australian Cyber Security Centre (ACSC)'},
                {'date_accessed': 'July 29, 2025',
                 'source': 'Australian Federal Police (AFP)'},
                {'date_accessed': 'July 29, 2025',
                 'source': 'Canadian Centre for Cyber Security (CCCS)'},
                {'date_accessed': 'July 29, 2025',
                 'source': 'United Kingdom’s National Cyber Security Centre (NCSC-UK)'}],
 'response': {'enhanced_monitoring': 'Monitoring for risky logins and unauthorized account misuse',
              'law_enforcement_notified': 'Yes'},
 'threat_actor': 'Scattered Spider (UNC3944, Scatter Swine, Oktapus, Octo Tempest, Storm-0875, Muddled Libra)',
 'title': 'Evolving Social Engineering Tactics and New DragonForce Ransomware Deployment by Scattered Spider',
 'type': 'Ransomware, Social Engineering'}