{
	"id": "26de099c-45a0-46e5-8074-ce50a398a98e",
	"created_at": "2026-04-06T00:11:46.37933Z",
	"updated_at": "2026-04-10T03:35:42.356297Z",
	"deleted_at": null,
	"sha1_hash": "54e84f877ecf6fe1002d484bdf32634d394bc293",
	"title": "Scattered Spider x RansomHub: A New Partnership",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1960747,
	"plain_text": "Scattered Spider x RansomHub: A New Partnership\r\nBy ReliaQuest Threat Research Team 24 October 2024\r\nPublished: 2024-10-24 · Archived: 2026-04-05 22:07:31 UTC\r\nEditor’s note: James Xiang and Hayden Evans contributed to this blog.\r\nKey Points\r\nIn October 2024, ReliaQuest responded to an intrusion affecting a manufacturing sector customer. We\r\nidentified “Scattered Spider” to be behind the incident. This English-speaking collective previously served\r\nas an affiliate for ransomware group “ALPHV” and now partners with “RansomHub.”\r\nThe attacker gained initial access to two employee accounts by carrying out social engineering attacks on\r\nthe organization’s help desk twice. Within six hours, the attacker began encrypting the organization’s\r\nsystems.\r\nTo maintain persistence, Scattered Spider leveraged the organization’s ESXi environment to create a virtual\r\nmachine (VM). This concealed their attack until the environment was encrypted and backups were\r\nsabotaged.\r\nImplementing comprehensive measures to mitigate social engineering techniques, such as restricting\r\nSharePoint permissions and hardening ESXi environments, can reduce the attack surface and decrease the\r\nlikelihood of threat actors achieving their objectives.\r\nWhat Happened?\r\nIn October 2024, ReliaQuest investigated an intrusion for a customer in the manufacturing sector. We attributed\r\nthe incident with high confidence to “Scattered Spider,” an English-speaking collective acting as an affiliate for\r\nthe ransomware group “RansomHub.”\r\nScattered Spider previously targeted telecommunications firms, likely to support its SIM-swapping activities that\r\nfacilitate account takeovers. 
Lately, it’s shifted focus to extorting large organizations by collaborating with\r\nransomware groups, aiming for higher financial returns.\r\nOur investigation uncovered Scattered Spider’s tactics, techniques, and procedures (TTPs), including a unique\r\nmethod of gaining initial access to organizations. Leveraging its English proficiency, the collective uses social\r\nengineering for initial access.\r\nIn this incident, the attacker convinced the organization’s help desk to reset the Chief Financial Officer’s (CFO)\r\naccount credentials. After discovering that the CFO’s account lacked the permissions required for further pivoting,\r\nthe attacker repeated the social engineering tactic to compromise a domain administrator account. With this\r\nhttps://www.reliaquest.com/blog/scattered-spider-x-ransomhub-a-new-partnership/\r\nPage 1 of 17\n\nprivileged access, they created a virtual machine (VM) within the ESXi environment, evading security tools like\r\nendpoint detection and response (EDR). They then deployed a RansomHub encryptor to impact a critical ESXi\r\nenvironment in just six hours.\r\nIn this report, we explore Scattered Spider’s evolution from low-level cybercrimes to partnering with ransomware\r\ngroups to target major organizations. We’ll break down the TTPs observed in the incident and offer practical\r\nadvice to help organizations understand, investigate, and mitigate similar threats.\r\nScattered Spider Teams Up with RansomHub\r\nActive since at least May 2022, Scattered Spider (aka “UNC3944,” “Octo Tempest”) is a collective of at least one\r\nthousand English-speaking threat actors linked to the cybercriminal network known as The Community or The\r\nCom. Operating across forums and Telegram groups, The Com engages in attacks that require social engineering\r\nsuch as SIM swapping, swatting, carding, and identity fraud. 
Members of this community buy and sell social\r\nengineering services to one another to facilitate these illicit activities (see Figure 1).\r\nFigure 1: Telegram user offers social engineering services\r\nScattered Spider members likely refined their social engineering skills through these activities, now using them\r\nalongside Russia-linked ransomware groups to target organizations for financial gain.\r\nSince at least August 2023, Scattered Spider has been collaborating with ransomware-as-a-service (RaaS) groups.\r\nInitially an affiliate for “ALPHV” (aka “BlackCat”), Scattered Spider gained notoriety by attacking multiple US-based casinos. In February 2024, ALPHV conducted an exit scam against its affiliates and disbanded, leaving\r\nthem searching for new partners.\r\nThat same month, a new ransomware group, RansomHub, began recruiting affiliates (see Figure 2). RansomHub\r\noffered an enticing deal, keeping just 10% of attack profits for malware developers and leaving affiliates with\r\n90%. Since June 2024, security researchers have detected intrusions leading to the deployment of the RansomHub\r\nmalware, which featured tactics typical of Scattered Spider, suggesting the group is now a RansomHub affiliate.\r\nFigure 2: RansomHub advertises affiliate program\r\nThe potent combination of RansomHub’s lucrative incentives and Scattered Spider’s sophisticated social\r\nengineering poses a significant threat. 
Companies across all sectors must rigorously evaluate their security\r\nmeasures to ensure resilient defenses against such attacks, particularly as we anticipate that other adversaries will\r\nlikely adopt Scattered Spider’s effective techniques.\r\nAttack Analysis\r\nDuring our investigation, we observed the following noteworthy behaviors in this incident:\r\nPersistent Social Engineering: Consistent with Scattered Spider’s typical initial access method, the threat\r\nactor in this incident gained initial access by social engineering the organization’s help desk to compromise\r\nthe CFO’s account. When this account lacked sufficient permissions, the threat actor used the same\r\nsocial engineering tactic on the help desk again to gain access and compromise a domain admin account.\r\nTelecom Infrastructure Abuse: The threat actor used Verizon IPv6 addresses to access the network,\r\nleveraging telecommunications infrastructure with a clean reputation to bypass security controls.\r\nESXi Defense Evasion: The threat actor spun up their own VM in the victim’s ESXi environment to carry\r\nout a wide range of adversarial actions such as lateral movement, credential dumping, and data exfiltration.\r\nRapid Time to Impact: The adversary compromised two accounts within an hour of calling the help desk,\r\naccessed the virtual environment in under two hours, and encrypted systems in just over six hours. They\r\nmaintained access for roughly ten hours by moving from the organization’s identity and cloud solutions to\r\ntheir on-premises environment.\r\nGiven the speed and simultaneous actions in this event, we assess with high confidence that multiple individuals\r\nfacilitated the attack. 
The following timeline provides a breakdown of each step during the incident.\r\nFigure 3: Scattered Spider attack timeline\r\nSocial Engineering: Fool Me Once, Fool Me Twice\r\nTo gain initial access to the target network, the threat actor called the organization’s IT help desk and persuaded\r\nstaff to reset the CFO’s account password. They then made a second call to another help desk employee,\r\nconvincing them to reset the multifactor authentication (MFA) controls on the CFO’s account. This allowed the\r\nattacker to enroll their own SMS device, which was later identified as a voice over IP (VoIP) Google Voice phone\r\nnumber: (971) 444-5872.\r\nThe attacker now had access to the user’s Okta account. Given that Okta is a single sign-on (SSO) solution, the\r\nthreat actor was able to access all Okta applications provisioned to the CFO. The following Okta payload shows\r\nhow the threat actor sent MFA requests to their own SMS device.\r\nNext, the threat actor set their sights on Thycotic—a password vault housing organizational secrets (passwords),\r\nincluding those for privileged accounts. They attempted to access it through its Okta tile but couldn’t progress as\r\nthe CFO’s account lacked sufficient permissions. Undeterred, they searched across the organization’s\r\nSharePoint, which we will explore further below, and pinpointed a domain administrator account to gain the\r\nelevated privileges they needed. 
This isn’t the first time we’ve seen Scattered Spider target password managers.\r\nAs previously reported, the collective has used the same tactic in other intrusions.\r\nHaving identified a new target account, the threat actor made another call to the help desk and requested a\r\npassword reset for the domain administrator account, which also carried Okta Super Administrator privileges. This\r\naccount had access to Thycotic through Okta and could self-assign any Okta apps due to its privileged role. In\r\nboth instances, the help desk failed to follow the firm’s standard operating procedures (SOPs), resulting in the\r\npassword and MFA information for the domain administrator account falling into the hands of the threat actor.\r\nHuman errors are bound to happen, which is why it’s vital to implement technical controls alongside SOPs to\r\nreinforce organizational policies and prevent inadvertent mistakes. For instance, change request controls should\r\nrequire secondary authorization before resetting credentials for privileged or executive accounts.\r\nAttacker Infrastructure\r\nDuring this early access phase of the intrusion, we uncovered some intriguing aspects of the attacker’s\r\ninfrastructure. These insights not only helped us identify the threat actor but also provided valuable intelligence\r\nabout their operations.\r\nVerizon IPv4 for Okta Access: The IP addresses used for Okta access appeared in the organization’s logs as Verizon IPv4\r\naddresses with a clean reputation, meaning they would not trigger any suspicious IP detections. Later in the\r\nattack, the attacker’s activity was associated with Verizon IPv6 addresses. While it’s unclear why the IPv4\r\nshowed up initially, we do know that Okta doesn’t currently support IPv6. Therefore, this could be IPv6\r\nreverting to IPv4 when it isn’t supported. 
Notably, we’ve seen Scattered Spider using Verizon IP addresses\r\nin several other intrusions.\r\nVerizon IPv6 for EntraID and O365 Access: When pivoting to EntraID and O365, the attacker’s activity\r\nwas associated with IPv6 addresses on Verizon’s network. Most threat intelligence sources that feed into\r\nSIEM correlations don’t support IPv6 addresses, making this a clever method to bypass detections.\r\nAdditionally, IPv6 addresses under certain conditions can circumvent risky sign-in and location-based\r\nconditional access policies.\r\nTwo Attackers, One Compromised Account (High Confidence): We observed authentications from two\r\ndifferent Verizon IP addresses just minutes after the initial account compromise, each requesting MFA\r\nseparately for the same account. Different user agents were used and separate actions were simultaneously\r\nperformed within the compromised account. Parsing these user agents shows two different browsers were\r\nused: a Chrome browser was tied to one IP address and a Firefox browser was tied to the other IP address,\r\nindicating that two threat actors accessed the same compromised account from two different hosts.\r\nScattered Spider’s Use of Cellular Hotspots (Medium Confidence): In nearly every intrusion we’ve\r\ninvestigated and attributed to Scattered Spider, we’ve identified mobile providers as their primary\r\ninfrastructure. The constant shift between IPv4 and IPv6 is a known fallback capability of hotspot devices,\r\nsuggesting that such devices were used in this incident.\r\nAccessing SharePoint Secrets and Breaking into SentinelOne\r\nIn this incident, the threat actor accessed several SharePoint files via the CFO’s account to gather information for\r\nlateral movement. Notably, in a previous attack carried out by Scattered Spider, we observed the collective abuse\r\nSharePoint access and knowledge article repositories. 
In the current incident, the following files were accessed:\r\nGuide to Working from Home.jpg\r\nRemote Access to Your Computer.jpg\r\nCitrix Login.docx\r\nWhat Requires an Access Request.pdf\r\nVPN and Multifactor Authentication Guide.pdf\r\nNew VPN Setup Instructions.docx\r\nLogmein Prerequisites.pdf\r\nIT Administrative Access.docx\r\nInstall Cisco AnyConnect Client.pdf\r\nESXi Server Refresh Project.xslx\r\nChange Password via Okta.pdf\r\nEngineering Password Vault Utility.pdf\r\nAmong all the files, those detailing the IT organization structure almost certainly facilitated targeting the\r\ndomain administrator account.\r\nOnce the threat actor had access to the domain administrator account, they retrieved additional files relating to\r\nbackups and key network infrastructure. Since this domain administrator was also an Okta Super Admin, the\r\nattacker was also able to access several additional IT applications through Okta SSO, including:\r\nOkta Admin Console\r\nSentinelOne\r\nThycotic Prod\r\nCohesity Helios\r\nMicrosoft Office 365\r\nSolarwinds\r\nLogMeIn\r\nThe following Okta payload shows the threat actor impersonated a user with SentinelOne access (more details\r\nbelow):\r\nFigure 4: SentinelOne access gained by threat actor\r\nAuthentication Manipulation\r\nWith access to the Okta Super Admin account, the threat actor manipulated the authentication process in several\r\nways:\r\n**Removing Secondary MFA:** The attacker disabled secondary MFA for several critical applications\r\nthrough Okta. Despite having already registered their own MFA device, this step was likely intended to\r\nsimplify and ensure continuous access to the applications.\r\n**Targeting SentinelOne:** The attacker specifically targeted SentinelOne, an EDR application, but\r\ninitially lacked access. 
By impersonating a user with SentinelOne permissions, they granted access to the\r\ndomain administrator account, allowing them to access the SentinelOne console with view permissions.\r\n**Resetting MFA:** The attacker reset MFA on three additional accounts in the environment to perform\r\nspecific functions associated with each one. All these accounts had administrative access to different\r\napplications due to their roles (e.g., the Database Administrator had access to Snowflake). We also noticed\r\nthe same phone number being reused for MFA. The following Thycotic log shows the VMware ESXi host\r\nsecret being accessed by the compromised domain admin.\r\nTo gain credentialed access, the actor enumerated several “secrets” (passwords) in the Thycotic password vault. A\r\nsecret containing ESXi admin credentials allowed them to gain access to the on-premises environment.\r\nExploiting VPN and ESXi for Undercover Operations\r\nAt this stage of the attack, visibility was lost as unmanaged devices were used. However, by working closely with\r\na partner forensics team, we recovered several key events:\r\n**AnyConnect VPN Session:** The attacker initiated an AnyConnect virtual private network (VPN)\r\nsession using the CFO’s account from the Verizon IP address 174.204.132[.]60, gaining access to the on-premises environment.\r\n**ESXi Host Access:** From the VPN device, the attacker checked out the VMware ESXi host credentials\r\nfrom Thycotic and logged into the ESXi server. They then created a new VM on the ESXi host, likely to\r\nevade endpoint-based detection, as the new VM wouldn’t have any logging available.\r\n**Network Connections:** From the attacker’s VM, several network connections were made to on-premises domain controllers. 
Further investigation revealed that the attacker used Remote Desktop\r\nProtocol (RDP) to access multiple servers, including domain controllers, SQL servers, and backup servers.\r\nOur investigation uncovered an NTDS.dit file on the attacker’s VM. This file is the “crown jewel of the domain,”\r\ncontaining the core elements of Windows Active Directory and enabling the extraction of password hashes for any\r\ndomain user. Despite having full EDR coverage on all domain controllers and SQL servers, no EDR alerts fired\r\nduring the intrusion. We theorize that this is because the events occurred at the hypervisor level. Logging and\r\nEDR telemetry are collected at the operating system (OS) layer, where we observed very little activity. Based on\r\nthe available facts, we formed the following concrete narrative around the events surrounding the NTDS.dit file\r\nwrite:\r\nThe domain controllers were registered in SentinelOne as being virtualized through VMware ESXi.\r\nWith access to the ESXi host, the attacker could mount or copy the virtual hard drive of the virtual domain\r\ncontroller.\r\nAfter mounting the virtual hard drive onto their VM, the attacker copied over the NTDS.dit file.\r\nForensics pinpointed the exact time the NTDS.dit file was written to the threat actor’s VM. Endpoint logs show\r\nthat just seconds earlier, the virtualized domain controller had been shut down via a default command from the\r\ncompromised ESXi server. This shutdown command was identified through the parent process vmtoolsd.exe,\r\nwhich is used to delegate commands from the vCenter/ESXi server to individual VMs.\r\nThe shutdown was a critical step for the attacker, allowing them to mount the virtual hard drive. Once mounted,\r\ncopying the NTDS.dit file and dumping hashes is straightforward and can be executed on the attacker’s VM host\r\nwithout raising any suspicion. 
The following log shows the shutdown process being initiated on the domain\r\ncontroller.\r\nThe hypothesized sequence of events is important, especially if domain controllers in an enterprise environment\r\nare virtualized. Infosec teams may have a false sense of security when critical servers are equipped with EDR\r\ntechnology and redundant logging. However, if an attacker gains access to the underlying hypervisor or cloud\r\nservice hosting the virtual server, OS-level visibility cannot be relied upon, and teams must have other defense\r\nmeasures in place to prevent further damaging consequences.\r\nNew Tactic: Demanding Ransom Through Teams\r\nThe threat actor carried out a double extortion attack: they encrypted the ESXi environment and exfiltrated data.\r\nThey further targeted the organization’s backup solutions, encrypting on-premises backups and deleting cloud\r\nbackups.\r\nFor the local data backup server, the attacker used the open-source disk encryption tool VeraCrypt. For the cloud-based backup solution, they used Okta to access Cohesity, an enterprise data backup and security solution, and\r\ndeleted associated storage accounts.\r\nWith their extensive access, the threat actor exfiltrated several gigabytes of data, transferring it from their VM to\r\nan IP address owned by Mega Cloud, a frequently abused cloud storage service.\r\nNotably, we also observed a novel ransom note technique. Traditionally, threat actors leave a message named\r\nREADME on every host after a successful encryption event. However, in this attack, after encrypting hosts and\r\nexfiltrating data, the attacker sent a Microsoft Teams message from the compromised domain admin account,\r\ncontaining an Onion link for the ransom demand. They also sent an email titled “Urgent Update on Cyber Attack”\r\nfrom the same account. 
Below is the payload of the Microsoft Teams message sent from the compromised domain\r\nadmin.\r\nFigure 5: Ransom negotiation portal sent to customer\r\nWhat Lies Ahead\r\nThis incident sheds light on the ongoing partnership between Scattered Spider and RansomHub and offers several\r\nother insights into the future threat landscape.\r\nFirst, the involvement of threat actors skilled in social engineering demonstrates a demand for fluent English\r\nspeakers to collaborate with ransomware affiliates. Second, RansomHub is attracting talented adversaries,\r\nsuggesting it will continue to be the most dominant ransomware group, after recently surpassing former leading\r\ngroup “LockBit.” Third, financially motivated attackers are getting much better at pressuring organizations into\r\npaying ransoms by targeting critical virtual infrastructure, such as ESXi and backups, while successfully evading\r\ndetection.\r\nThese projections, supported by our observations and thorough investigations, emphasize the evolving tactics and\r\ngrowing sophistication of ransomware affiliates, highlighting the increasingly complex cyber risks that\r\norganizations face.\r\nCross-Language Collaboration\r\nPreviously, Russia-aligned threat actors have been reluctant to collaborate with English-speaking counterparts due\r\nto language and cultural barriers, law enforcement concerns, and trust issues. They often enjoy greater operational\r\nfreedom within Russia, provided they don’t target organizations in the Commonwealth of Independent States\r\n(CIS), China, and North Korea. 
They also perceive English-speaking counterparts as having poorer operational\r\nsecurity practices and being less capable of executing sophisticated attacks, which could increase the risk of\r\nexposure and possible arrest for all parties involved.\r\nDespite the arrests of three alleged Scattered Spider members in 2024, Russia-aligned adversaries continue to see\r\nthe value of partnering with English speakers. For example, in June 2024, a user on the Russian-language forum\r\nXSS commented on the arrests: “One example of why it’s still worth working with English speakers, but also\r\nimportant to keep in mind how quickly they can be caught.” This sentiment is echoed by the many forum posts\r\nand replies requesting or offering calling services in English. For example, in July 2024, an XSS post was created\r\nadvertising English calling services (see Figure 6) to Russia-linked threat actors and recruiting more English\r\nspeakers due to growing demand: “As a result of the expansion of my business, I am actively searching for a\r\ncompetent English-language caller. I’m prepared to take them on permanently or for project work for %.” The\r\npost continues, “Apart from English-language calling, we also offer calling services in Spanish, French, and\r\nGerman.”\r\nFigure 6: XSS user advertises calling services\r\nIn September 2024, the same user emphasized the importance of targeting specific employees within an\r\norganization, stating, “A reminder that for more effective corporate calls, you need the contact details for C-suite\r\nmanagement level, legal, or finance departments.” Forum users responded to the advertisement, some with\r\nspecific requests, such as, “Hello, I need a native speaker, strictly American Floridian accent. 
Can you help?”\r\nThese listings highlight the high demand for calling services and social engineering in multiple languages,\r\nparticularly English.\r\nLikely due to its effectiveness, affiliates of ransomware groups, including those beyond RansomHub, have also\r\nbeen using English-speaking callers to target organizations. For example, in May 2024, we identified an ongoing\r\nsocial engineering campaign in which affiliates of the “Black Basta” ransomware group made calls as IT\r\npersonnel to target employees.\r\nWe forecast with high confidence that ransomware affiliates will almost certainly continue using English speakers\r\nfor social engineering attacks in the long term (beyond one year). To mitigate this risk, organizations should\r\nimplement stringent help desk procedures and standard IT interaction processes. Additionally, investing in regular\r\nemployee training is critically important to raise awareness about the significant risk of social engineering and\r\nmaintain high levels of vigilance.\r\nThe Rise of RansomHub\r\nAlthough RansomHub only became active in Q1 2024, it quickly gained dominance—surpassing previously\r\nprominent groups like LockBit and “Play” by mid-year (see Figure 7), just as we forecasted in Q1 2024. This\r\nrapid rise is attributed to law enforcement action taken against LockBit and the disbandment of ALPHV, which led\r\naffiliates to gravitate towards RansomHub, enticed particularly by their lucrative 90/10 profit split.\r\nThis profit-sharing structure has also attracted more advanced adversaries, including members of Scattered Spider,\r\nwho are likely working together with Russia-linked threat actors. Scattered Spider’s social engineering skills\r\ncomplement the network-compromising expertise of their Russia-linked counterparts, making their collaboration\r\nparticularly effective. 
The 90/10 profit split results in higher income for both Scattered Spider and Russia-linked\r\ngroups, attracting them to RansomHub for sustained collaboration.\r\nGiven RansomHub’s favorable positioning and its expert affiliates, we forecast with high confidence that\r\nRansomHub will remain the dominant ransomware group in the mid-term (between three months and one year).\r\nFigure 7: Victims named by most active ransomware groups, July 1, 2024 to October 18, 2024\r\nWhy ESXi Will Remain a Prime Target\r\nAdversaries have targeted ESXi servers since at least 2021, as demonstrated by the “Defray777” and “Darkside”\r\nransomware variants deployed by “Sprite Spider” and “Carbon Spider,” respectively. This trend is likely due to\r\ntwo main reasons. First, VMware is a leading vendor in virtualization, which means that developing a specific\r\nransomware variant provides many targeting opportunities. Second, ESXi servers host multiple VMs on a single\r\nserver that commonly run critical applications and services. This creates a single point of failure that disrupts\r\nessential business operations and heightens organizations’ urgency to resolve the issue. This enables attackers to\r\nquickly achieve maximum impact and apply pressure on victims, which in turn increases the likelihood of a ransom\r\npayment.\r\nAdditionally, as observed in this incident, attackers are becoming increasingly aware of security controls such as\r\nEDR. This indicates that adversaries are likely to evade detection by limiting interaction with physical systems,\r\nthereby avoiding detection or log generation. 
The growing mentions of “ESXi” on the Russian-language\r\nransomware-focused forum RAMP (see Figure 8) also reflect threat actors’ heightened focus on ESXi servers due\r\nto their potentially profitable returns.\r\nFigure 8: ESXi mentions on RAMP from January 2021 to October 2024\r\nWe anticipate with high confidence that, in the long term, ransomware developers will continue to create variants\r\ntargeting ESXi servers in response to increased demand from affiliates. Additionally, affiliates will persist in\r\ntargeting ESXi servers by deploying ransomware to halt business operations and maximize potential profits from\r\nransom payments. Furthermore, these virtual systems will continue to be abused for evasion as they offer an\r\nalternative to directly targeting physical systems that are likely to generate detections and log malicious activity.\r\nWhat ReliaQuest Is Doing\r\nFor the fastest remediation, organizations should implement automated incident response, such as enabling\r\nGreyMatter Automated Response Playbooks, to automatically contain threats, reducing mean time to contain\r\n(MTTC) and halting the adversary’s progress. Alternatively, organizations can set GreyMatter Response\r\nPlaybooks to “RQ Approved” to allow our analyst team to handle remediation actions. This speeds up\r\ncontainment while requiring a ReliaQuest analyst’s discretion to execute the Response Playbook. Note that certain\r\nPlaybooks, such as “Isolate Host,” can be set to require phone approval to avoid business disruption.\r\nTerminate Active Sessions and Reset Passwords: Scattered Spider gains initial access through social\r\nengineering attacks, deceiving help desks into resetting a targeted user’s password. 
Enabling these Playbooks can\r\nrevoke any established malicious sessions and force a password reset, effectively cutting off the attacker’s access.\r\nDisable User: If an account is suspected to be compromised, this GreyMatter Response Playbook will disable the\r\naffected account, revoking the adversary’s access and preventing further advancement toward gaining sensitive\r\ninformation and deploying encryption.\r\nBlock IP: This Playbook blocks IP addresses using associated technologies like EDR or a firewall. While not a\r\nlong-term solution, this Playbook should be executed alongside the account remediation plays to revoke the\r\nattacker’s access, as IP addresses can easily be changed.\r\nNext Steps: Enhancing Your Defense\r\nThis incident offers important lessons that organizations should review in accordance with their own existing\r\nprocesses and technical controls to harden their defensive measures against similar attacks. The threat actor\r\nbypassed MFA and help desk policies by social engineering the help desk twice to access high-priority accounts.\r\nThey were aware of the organization’s security controls, leading them to minimize endpoint interactions and\r\ngenerate minimal logs, evading EDR detection as activities occurred at the hypervisor layer.\r\nOrganizations across all sectors should consider the following recommendations to strengthen their security\r\nposture against these techniques, which are likely to remain prevalent and be adopted by other adversaries.\r\nShield Your Network from Initial Access Threats\r\nAvoid Using SMS Messaging for MFA: This method is vulnerable to SIM-swapping attacks, which allow\r\nadversaries to intercept one-time password codes and gain unauthorized access to accounts. 
Instead,\r\nconsider using more secure MFA methods such as authenticator apps or hardware tokens.\r\nMitigating Social Engineering Attacks: Implement video calls with ID verification and callbacks to\r\nverified phone numbers from the employee directory. However, be aware that callbacks are not resistant to\r\nSIM-swapping attacks. Attackers often use publicly available information or information obtained via a\r\ndata breach, such as addresses, social security numbers, and answers to common security questions, to\r\ndeceive verification processes. These extra steps create a robust multistep verification process and help\r\ndeter attackers.\r\nConduct Social Engineering Assessments: These assessments should focus on testing help desk policies,\r\neducating employees on recognizing social engineering attacks, and evaluating established procedures.\r\nRegular testing ensures that controls are adequate and prepares staff to effectively identify and respond to\r\nsocial engineering attempts.\r\nImplement Client-Based Conditional Access Policies: These policies should require a certificate on the\r\nhost machine performing the VPN authentication. This control restricts an attacker’s ability to authenticate\r\nto the network, even if credentials are compromised.\r\nRestrict SharePoint Permissions: In this event, the adversary used the CFO’s account to access sensitive\r\nresources on SharePoint, including network diagrams, ESXi documentation, and IT organization charts.\r\nThis information likely provided insights for further attacks, such as targeting the domain administrator\r\naccount and the virtual environment. 
To counter this, reduce permissions of sensitive files in SharePoint so\r\nonly employees who require access can view them.\r\nReinforce Your VMware ESXi Defenses\r\nEnsure Virtualization Systems are Up to Date: Vulnerable systems can be exploited to escalate\r\nprivileges, allowing attackers greater access to deploy malicious software like ransomware.\r\nImplement vCenter Network Access Control: Create a network allowlist using the vCenter Server\r\nAppliance Firewall. The allowlist permits only trusted traffic to access the vSphere environment,\r\npreventing an attacker from accessing the virtual environment if their traffic originates from an untrusted\r\nhost.\r\nImplement ESXi Smart-Card Authentication: This authentication control restricts access to the ESXi\r\nenvironment even if an administrator’s credentials and MFA are compromised, and it replaces the vSphere\r\nauthentication process with a smart card and PIN. This prevents adversaries from using a compromised\r\nprivileged account to create, modify, or shut down ESXi hosts.\r\nResilient Protection from ReliaQuest\r\nThis incident highlights the rapid pace at which advanced attackers like Scattered Spider can move through\r\nenvironments, taking just six hours from initial access to impact in this event. They are also increasingly targeting\r\nsystems that are essential for business operations, as this allows for quicker and more lucrative financial gains.\r\nTo counter the increased speed and precision achieved by these adversaries, defenders must minimize their mean time to contain (MTTC)\r\nthreats during incident response. Reducing MTTC is crucial for preventing a full-blown attack, as it decreases\r\ndwell time and halts the attack before further damage can occur. 
For more resilient protection, ReliaQuest’s\r\nsecurity operations platform, GreyMatter, leverages advanced AI to reduce threat response times and lower MTTC\r\nto under 5 minutes, helping you to improve your overall security posture.\r\nSource: https://www.reliaquest.com/blog/scattered-spider-x-ransomhub-a-new-partnership/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.reliaquest.com/blog/scattered-spider-x-ransomhub-a-new-partnership/"
	],
	"report_names": [
		"scattered-spider-x-ransomhub-a-new-partnership"
	],
	"threat_actors": [
		{
			"id": "1b1271d2-e9a2-4fc5-820b-69c9e4cfb312",
			"created_at": "2024-06-07T02:00:03.998431Z",
			"updated_at": "2026-04-10T02:00:03.64336Z",
			"deleted_at": null,
			"main_name": "RansomHub",
			"aliases": [],
			"source_name": "MISPGALAXY:RansomHub",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "9de1979b-40fc-44dc-855d-193edda4f3b8",
			"created_at": "2025-08-07T02:03:24.92723Z",
			"updated_at": "2026-04-10T02:00:03.755516Z",
			"deleted_at": null,
			"main_name": "GOLD LOCUST",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Silicon "
			],
			"source_name": "Secureworks:GOLD LOCUST",
			"tools": [
				"Carbanak"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c",
			"created_at": "2023-11-01T02:01:06.643737Z",
			"updated_at": "2026-04-10T02:00:05.340198Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"Scattered Spider",
				"Roasted 0ktapus",
				"Octo Tempest",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "MITRE:Scattered Spider",
			"tools": [
				"WarzoneRAT",
				"Rclone",
				"LaZagne",
				"Mimikatz",
				"Raccoon Stealer",
				"ngrok",
				"BlackCat",
				"ConnectWise"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "27e51b73-410e-4a33-93a1-49cf8a743cf7",
			"created_at": "2023-01-06T13:46:39.210675Z",
			"updated_at": "2026-04-10T02:00:03.247656Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"SPRITE SPIDER"
			],
			"source_name": "MISPGALAXY:GOLD DUPONT",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bb8702c5-52ac-4359-8409-998a7cc3eeaf",
			"created_at": "2023-01-06T13:46:38.405479Z",
			"updated_at": "2026-04-10T02:00:02.961112Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"ATK32",
				"G0046",
				"G0008",
				"Sangria Tempest",
				"ELBRUS",
				"GOLD NIAGARA",
				"Coreid",
				"Carbanak",
				"Carbon Spider",
				"JokerStash",
				"CARBON SPIDER"
			],
			"source_name": "MISPGALAXY:FIN7",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b",
			"created_at": "2022-10-25T16:07:23.303713Z",
			"updated_at": "2026-04-10T02:00:04.530417Z",
			"deleted_at": null,
			"main_name": "ALPHV",
			"aliases": [
				"ALPHV",
				"ALPHVM",
				"Ambitious Scorpius",
				"BlackCat Gang",
				"UNC4466"
			],
			"source_name": "ETDA:ALPHV",
			"tools": [
				"ALPHV",
				"ALPHVM",
				"BlackCat",
				"GO Simple Tunnel",
				"GOST",
				"Impacket",
				"LaZagne",
				"MEGAsync",
				"Mimikatz",
				"Munchkin",
				"Noberus",
				"PsExec",
				"Remcom",
				"RemoteCommandExecution",
				"WebBrowserPassView"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "ed3810b7-141a-4ed0-8a01-6a972b80458d",
			"created_at": "2022-10-25T16:07:23.443259Z",
			"updated_at": "2026-04-10T02:00:04.602946Z",
			"deleted_at": null,
			"main_name": "Carbanak",
			"aliases": [
				"Anunak",
				"Carbanak",
				"Carbon Spider",
				"ELBRUS",
				"G0008",
				"Gold Waterfall",
				"Sangria Tempest"
			],
			"source_name": "ETDA:Carbanak",
			"tools": [
				"AVE_MARIA",
				"Agentemis",
				"AmmyyRAT",
				"Antak",
				"Anunak",
				"Ave Maria",
				"AveMariaRAT",
				"BABYMETAL",
				"BIRDDOG",
				"Backdoor Batel",
				"Batel",
				"Bateleur",
				"BlackMatter",
				"Boostwrite",
				"Cain \u0026 Abel",
				"Carbanak",
				"Cl0p",
				"Cobalt Strike",
				"CobaltStrike",
				"DNSMessenger",
				"DNSRat",
				"DNSbot",
				"DRIFTPIN",
				"DarkSide",
				"FOXGRABBER",
				"FlawedAmmyy",
				"HALFBAKED",
				"JS Flash",
				"KLRD",
				"MBR Eraser",
				"Mimikatz",
				"Nadrac",
				"Odinaff",
				"POWERPIPE",
				"POWERSOURCE",
				"PsExec",
				"SQLRAT",
				"Sekur",
				"Sekur RAT",
				"SocksBot",
				"SoftPerfect Network Scanner",
				"Spy.Agent.ORM",
				"TEXTMATE",
				"TeamViewer",
				"TiniMet",
				"TinyMet",
				"Toshliph",
				"VB Flash",
				"WARPRISM",
				"avemaria",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "f4f16213-7a22-4527-aecb-b964c64c2c46",
			"created_at": "2024-06-19T02:03:08.090932Z",
			"updated_at": "2026-04-10T02:00:03.6289Z",
			"deleted_at": null,
			"main_name": "GOLD NIAGARA",
			"aliases": [
				"Calcium ",
				"Carbanak",
				"Carbon Spider ",
				"FIN7 ",
				"Navigator ",
				"Sangria Tempest ",
				"TelePort Crew "
			],
			"source_name": "Secureworks:GOLD NIAGARA",
			"tools": [
				"Bateleur",
				"Carbanak",
				"Cobalt Strike",
				"DICELOADER",
				"DRIFTPIN",
				"GGLDR",
				"GRIFFON",
				"JSSLoader",
				"Meterpreter",
				"OFFTRACK",
				"PILLOWMINT",
				"POWERTRASH",
				"SUPERSOFT",
				"TAKEOUT",
				"TinyMet"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824",
			"created_at": "2024-06-19T02:03:08.062614Z",
			"updated_at": "2026-04-10T02:00:03.655475Z",
			"deleted_at": null,
			"main_name": "GOLD HARVEST",
			"aliases": [
				"Octo Tempest ",
				"Roasted 0ktapus ",
				"Scatter Swine ",
				"Scattered Spider ",
				"UNC3944 "
			],
			"source_name": "Secureworks:GOLD HARVEST",
			"tools": [
				"AnyDesk",
				"ConnectWise Control",
				"Logmein"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "bfded1cf-be73-44f9-a391-0751c9996f9a",
			"created_at": "2022-10-25T15:50:23.337107Z",
			"updated_at": "2026-04-10T02:00:05.252413Z",
			"deleted_at": null,
			"main_name": "FIN7",
			"aliases": [
				"FIN7",
				"GOLD NIAGARA",
				"ITG14",
				"Carbon Spider",
				"ELBRUS",
				"Sangria Tempest"
			],
			"source_name": "MITRE:FIN7",
			"tools": [
				"Mimikatz",
				"AdFind",
				"JSS Loader",
				"HALFBAKED",
				"REvil",
				"PowerSploit",
				"CrackMapExec",
				"Carbanak",
				"Pillowmint",
				"Cobalt Strike",
				"POWERSOURCE",
				"RDFSNIFFER",
				"SQLRat",
				"Lizar",
				"TEXTMATE",
				"BOOSTWRITE"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "7268a08d-d4d0-4ebc-bffe-3d35b3ead368",
			"created_at": "2022-10-25T16:07:24.225216Z",
			"updated_at": "2026-04-10T02:00:04.904162Z",
			"deleted_at": null,
			"main_name": "Sprite Spider",
			"aliases": [
				"Gold Dupont",
				"Sprite Spider"
			],
			"source_name": "ETDA:Sprite Spider",
			"tools": [
				"Agentemis",
				"Cobalt Strike",
				"CobaltStrike",
				"Coroxy",
				"Defray 2018",
				"Defray777",
				"DroxiDat",
				"Glushkov",
				"LaZagne",
				"Metasploit",
				"PyXie",
				"PyXie RAT",
				"Ransom X",
				"RansomExx",
				"SharpHound",
				"Shifu",
				"SystemBC",
				"Target777",
				"Vatet",
				"cobeacon"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "07775b09-acd9-498e-895f-f10063115629",
			"created_at": "2024-06-04T02:03:07.817613Z",
			"updated_at": "2026-04-10T02:00:03.650268Z",
			"deleted_at": null,
			"main_name": "GOLD DUPONT",
			"aliases": [
				"Sprite Spider ",
				"Storm-2460 "
			],
			"source_name": "Secureworks:GOLD DUPONT",
			"tools": [
				"777",
				"ArtifactExx",
				"Cobalt Strike",
				"Defray",
				"Metasploit",
				"PipeMagic",
				"PyXie",
				"Shifu",
				"SystemBC",
				"Vatet"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434306,
	"ts_updated_at": 1775792142,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/54e84f877ecf6fe1002d484bdf32634d394bc293.pdf",
		"text": "https://archive.orkl.eu/54e84f877ecf6fe1002d484bdf32634d394bc293.txt",
		"img": "https://archive.orkl.eu/54e84f877ecf6fe1002d484bdf32634d394bc293.jpg"
	}
}