
Scattered Spider and the Finance Sector: Ransomware Tactics Banks Can’t Afford to Ignore

Published 11/10/2025

Written by Chris Goodman.

Originally published by Vali Cyber.

The financial sector is built on trust, speed, and constant availability. But one of today’s most aggressive cyber groups, Scattered Spider, has developed tactics that put those foundations at risk.

Their playbook is precise: social engineering → identity hijacking → takeover of VMware ESXi hypervisors with the admin access they have stolen. And in banking, credit unions, and fintech, those tactics have an outsized impact.

Here’s how Scattered Spider’s methods translate into risk for finance.


Social Engineering the Help Desk

Phishing remains the most common initial attack vector, responsible for 16% of breaches in 2025, and Scattered Spider has repeatedly used vishing (voice phishing) and impersonation of employees to help-desk staff to get in. In 2023, MGM Resorts absorbed roughly $110 million in costs after a help-desk social engineering attack gave intruders the access they needed to reach and encrypt its ESXi hypervisors. Caesars Entertainment quietly paid a $15 million ransom after a similar intrusion, and in 2025 Marks & Spencer put the cost of its own attack at around $402M.


Why finance is uniquely at risk:
  • Financial firms rely heavily on large, often outsourced call centers, where staff are under pressure to resolve lockouts quickly. This operational model creates conditions that make impersonation attacks more likely.
  • A successful scam can yield privileged access into systems handling wire transfers, loan servicing, or customer portals, bypassing millions in existing security investment.


MFA Bypass and Identity Hijacking

Even when MFA is enforced, Scattered Spider actors have proven adept at bypassing it: wearing a user down with repeated push prompts until one is approved (MFA fatigue), talking the help desk into resetting or re-enrolling a factor, or stealing an already-authenticated SSO session so that no second factor is ever challenged.


Financial sector impact:
  • Banks and fintechs depend heavily on single sign-on (SSO) and Virtual Desktop Infrastructure (VDI) to manage high user volumes securely. Research shows that financial services account for ~60% of desktop virtualization deployments.
  • A single hijacked identity can unlock trading platforms, SWIFT terminals, and core banking apps, effectively functioning as a master key.
  • Once inside, attackers can manipulate transactions, plant persistence, or pivot deeper into infrastructure — all while appearing to be a legitimate user.


Targeting VMware ESXi Hypervisors

After stealing credentials, Scattered Spider often pivots to the hypervisor layer, encrypting entire ESXi estates in one strike.


Why this is catastrophic in finance:
  • ESXi hypervisors underpin mission-critical workloads, including:
    • Online banking portals and mobile apps
    • ATM and card authorization systems
    • Fraud detection engines
    • Trading systems requiring millisecond uptime
  • Virtualization is deeply entrenched in finance: the BFSI sector represented 26.5% of the global virtual machine market in recent years. VMware remains the dominant enterprise hypervisor vendor.
  • A single compromised ESXi host takes down every VM it runs, and because vCenter and the admin credentials typically span the whole cluster, one foothold can become an institution-wide outage.

Financial precedent: a ransomware attack on Patelco Credit Union that began on June 29, 2024 knocked online banking, ATMs, and wire transfers offline for weeks for its 450,000 members. The incident caused $39M in direct losses and a $7.25M class-action settlement.


Living Off the Land in ESXi

Rather than dropping obvious malware at the outset, Scattered Spider works with the tools already on the host: esxcli and vim-cmd are used to list virtual machines, turn off protections such as the firewall and syslog forwarding, power the VMs off, and move from host to host, so that by the time an encryptor runs over the datastores the groundwork looks like ordinary administration.

Finance-specific consequences:

  • Conventional EDR agents cannot be installed on ESXi, and hypervisor logs only reach the SIEM if syslog forwarding has been set up; where it has not, this activity is indistinguishable from routine admin behavior.
    • Attacks may go unnoticed until payment queues stall or trading desks lose access to their virtual servers.
  • In capital markets, even minutes of delay can erase millions in transaction volume.
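The hypervisor-layer monitoring this implies is not exotic: ESXi writes every ESXi Shell command to shell.log and every SSH login to auth.log, and once those are forwarded to a collector the living-off-the-land sequence above shows up as a series of plain-text commands. The Python script below is an added example (it is not from the original article or from Vali Cyber's products) that scans lines in those two formats for the steps that precede encryption and raises a separate critical alert when several VM power-offs land inside one short window. The sample log, the rule patterns, the thresholds and the 10.20.30.40 address are all constructed for the example.

```python
import re
from datetime import datetime, timedelta

# Constructed sample in the layout ESXi uses for /var/log/auth.log (sshd) and
# /var/log/shell.log (ESXi Shell). Timestamps, PIDs, VM IDs and 10.20.30.40
# are made up for this example.
SAMPLE_LOG = """\
2025-10-01T02:14:05Z sshd[2101001]: Accepted keyboard-interactive/pam for root from 10.20.30.40 port 51422 ssh2
2025-10-01T02:14:20Z shell[2101010]: [root]: vim-cmd vmsvc/getallvms
2025-10-01T02:14:41Z shell[2101010]: [root]: esxcli system settings kernel set -s execInstalledOnly -v FALSE
2025-10-01T02:14:55Z shell[2101010]: [root]: esxcli system syslog config set --loghost=
2025-10-01T02:15:02Z shell[2101010]: [root]: esxcli network firewall set --enabled false
2025-10-01T02:15:30Z shell[2101010]: [root]: vim-cmd vmsvc/power.off 12
2025-10-01T02:15:31Z shell[2101010]: [root]: vim-cmd vmsvc/power.off 13
2025-10-01T02:15:33Z shell[2101010]: [root]: vim-cmd vmsvc/power.off 14
2025-10-01T02:15:40Z shell[2101010]: [root]: chmod +x /tmp/encrypt
2025-10-01T09:02:11Z shell[2101200]: [root]: esxcli storage filesystem list
"""

# "<ts> <process>[<pid>]: [<user>]: <command>"; auth.log lines carry no
# "[user]:" prefix, so that group is optional.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proc>[\w-]+)\[(?P<pid>\d+)\]: (?:\[(?P<user>[^\]]+)\]: )?(?P<msg>.*)$")
ROOT_LOGIN_RE = re.compile(r"^Accepted \S+ for root from \S+")

# (rule, severity, pattern). The patterns are this example's assumptions about
# the steps that precede ESXi encryption: let unsigned binaries run, silence
# syslog, drop the firewall, stage a binary, power VMs off to free their disks.
RULES = [
    ("disable_exec_installed_only", "high",
     re.compile(r"esxcli system settings (?:kernel|advanced) set .*execInstalledOnly.*(?:FALSE|-i 0)", re.I)),
    ("syslog_tampering", "high", re.compile(r"esxcli system syslog config set", re.I)),
    ("firewall_disabled", "high", re.compile(r"esxcli network firewall set --enabled false", re.I)),
    ("exec_staged_in_tmp", "high", re.compile(r"chmod \+x /tmp/", re.I)),
    ("vm_power_off", "medium", re.compile(r"vim-cmd vmsvc/power\.off", re.I)),
    ("ssh_enabled", "medium", re.compile(r"vim-cmd hostsvc/enable_ssh", re.I)),
    ("vm_enumeration", "low", re.compile(r"vim-cmd vmsvc/getallvms", re.I)),
]


def parse_line(line):
    """Split one log line into fields; None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    # ESXi stamps are UTC; drop fractional seconds before parsing.
    ev["ts"] = datetime.strptime(ev["ts"].rstrip("Z").split(".")[0], "%Y-%m-%dT%H:%M:%S")
    return ev


def scan(log_text, burst_threshold=3, burst_window=timedelta(seconds=60)):
    """Alerts in log order, plus one critical alert if burst_threshold VM
    power-offs happen inside burst_window (the mass-shutdown signature)."""
    alerts, power_offs = [], []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["proc"] == "sshd" and ROOT_LOGIN_RE.match(ev["msg"]):
            alerts.append({"ts": ev["ts"], "rule": "root_ssh_login", "severity": "medium",
                           "user": "root", "detail": ev["msg"]})
            continue
        for name, severity, pattern in RULES:
            if pattern.search(ev["msg"]):
                alerts.append({"ts": ev["ts"], "rule": name, "severity": severity,
                               "user": ev["user"], "detail": ev["msg"]})
                if name == "vm_power_off":
                    power_offs.append(ev["ts"])
                break  # first matching rule wins
    # One power-off is maintenance; a burst across many VMs precedes encryption.
    power_offs.sort()
    for i, start in enumerate(power_offs):
        hits = [t for t in power_offs[i:] if t - start <= burst_window]
        if len(hits) >= burst_threshold:
            alerts.append({"ts": start, "rule": "mass_vm_shutdown", "severity": "critical", "user": None,
                           "detail": f"{len(hits)} VM power-offs within {int(burst_window.total_seconds())}s"})
            break
    return alerts


def summarize(alerts):
    """Alert count per severity."""
    counts = {}
    for a in alerts:
        counts[a["severity"]] = counts.get(a["severity"], 0) + 1
    return counts


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts']:%H:%M:%S} {a['severity']:<8} {a['rule']:<28} {a['detail']}")
    print(summarize(found))
```

Run it as-is to see the alerts for the constructed log, or pass real shell.log and auth.log lines to scan(). A syslog change or a single power-off is routine on its own, which is why the rules carry severities and why the burst rule exists; correlate the medium alerts with change tickets before paging anyone, and treat a high alert outside a change window as an incident.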


The Fallout for Financial Institutions

When these tactics converge, the damage is severe:

  • Gartner projects global security spend will climb from $213B in 2025 to $240B in 2026, but without hypervisor-layer protection, even record budgets can’t stop a single Scattered Spider campaign from freezing operations.
  • Critical payment or trading system downtime can cost $5–9M per hour, quickly outpacing average breach costs in the sector.
  • Under GLBA and FFIEC expectations for cyber resilience, ransomware downtime can trigger regulatory review. Under the SEC's cyber disclosure rules adopted in 2023, an inadequate response or a failure to disclose a material ransomware event can expose CISOs and boards to liability.
  • Customer trust erodes rapidly during outages, as Patelco’s prolonged downtime and litigation demonstrated in 2024.

This isn’t just ransomware. It’s a regulatory, reputational, and continuity crisis.


Countering Scattered Spider in Finance

Most defenses stop at endpoints. But Scattered Spider has shown the real target is the hypervisor—and that’s where protections are weakest.

To reduce risk across virtualized environments, financial institutions should focus on:

  • Enforcing MFA on the administrative path (vCenter and the SSO identity provider behind it) and hardening the host itself: lockdown mode, ESXi Shell and SSH left disabled except during audited change windows, unique root passwords per host, and account lockout after failed logins.
  • Applying configuration lockdowns so that hypervisor commands and API calls are only possible through vCenter-managed, least-privilege roles rather than shared root credentials.
  • Implementing application control, starting with ESXi's execInstalledOnly setting so that only binaries from installed VIBs can run (which stops a dropped encryptor), to keep native ESXi utilities from being abused for lateral movement and mass shutdown.
  • Monitoring for behavioral anomalies at the hypervisor layer, not just inside guest VMs: forward shell.log, auth.log and hostd.log to the SIEM and alert on root SSH logins, bursts of VM power-offs, and changes to the syslog, firewall or execInstalledOnly settings.
  • Validating recovery readiness through regular backup integrity and failover testing.
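As an added example of what the first three points look like on a host (this is not the article's code or any vendor's tool), the Python script below parses captured output of esxcli system settings advanced list, compares the values against a small hardening baseline, and returns the esxcli commands that close each gap. The captured output is constructed to show a weakly configured host; the baseline thresholds and the collector address tcp://siem.example.internal:514 are assumptions made for the example.

```python
import re

# Constructed capture of `esxcli system settings advanced list -o <path>` run
# for each baseline path on one weak host. Real output carries more fields
# (defaults, min/max, description); the parser ignores fields it does not
# need, so they are omitted here.
CAPTURED = """\
   Path: /Security/AccountLockFailures
   Type: integer
   Int Value: 0
   String Value:

   Path: /Security/AccountUnlockTime
   Type: integer
   Int Value: 900
   String Value:

   Path: /UserVars/ESXiShellInteractiveTimeOut
   Type: integer
   Int Value: 0
   String Value:

   Path: /UserVars/ESXiShellTimeOut
   Type: integer
   Int Value: 600
   String Value:

   Path: /VMkernel/Boot/execInstalledOnly
   Type: integer
   Int Value: 0
   String Value:

   Path: /Syslog/global/logHost
   Type: string
   Int Value: 0
   String Value:
"""

SIEM = "tcp://siem.example.internal:514"  # assumed collector address for the example

# Baseline: (path, predicate the current value must satisfy, value to set, why).
# The thresholds are this example's choices, not a vendor or regulatory standard.
BASELINE = [
    ("/Security/AccountLockFailures", lambda v: 1 <= v <= 5, 5,
     "lock a local account after a handful of failed logins"),
    ("/Security/AccountUnlockTime", lambda v: v >= 900, 900,
     "keep a locked account locked for at least 15 minutes"),
    ("/UserVars/ESXiShellInteractiveTimeOut", lambda v: 1 <= v <= 900, 900,
     "log out idle ESXi Shell/SSH sessions"),
    ("/UserVars/ESXiShellTimeOut", lambda v: 1 <= v <= 900, 900,
     "turn the shell/SSH services back off when someone leaves them enabled"),
    ("/VMkernel/Boot/execInstalledOnly", lambda v: v == 1, 1,
     "refuse to run binaries that are not part of an installed VIB"),
    ("/Syslog/global/logHost", lambda v: bool(v), SIEM,
     "ship hypervisor logs off the host to a SIEM"),
]


def parse_settings(text):
    """Turn esxcli advanced-setting output into {path: int or str value}."""
    blocks, current = {}, None
    for raw in text.splitlines():
        key, _, value = raw.strip().partition(":")
        key, value = key.strip(), value.strip()
        if key == "Path":
            current = value
            blocks[current] = {}
        elif current and key:
            blocks[current][key] = value
    return {path: int(f.get("Int Value", "0")) if f.get("Type") == "integer" else f.get("String Value", "")
            for path, f in blocks.items()}


def remediation(path, value):
    """esxcli commands that bring one setting up to the baseline."""
    if path == "/VMkernel/Boot/execInstalledOnly":
        # Boot-time kernel option: set it here, then reboot the host.
        return ["esxcli system settings kernel set -s execInstalledOnly -v TRUE"]
    if isinstance(value, int):
        return [f"esxcli system settings advanced set -o {path} -i {value}"]
    cmds = [f"esxcli system settings advanced set -o {path} -s '{value}'"]
    if path == "/Syslog/global/logHost":
        cmds.append("esxcli system syslog reload")  # apply the new log host
    return cmds


def audit(settings):
    """Findings for baseline entries that are missing from the capture or weak."""
    findings = []
    for path, is_ok, fix, why in BASELINE:
        if path not in settings:
            findings.append({"path": path, "current": None, "why": why, "fix": []})
        elif not is_ok(settings[path]):
            findings.append({"path": path, "current": settings[path], "why": why,
                             "fix": remediation(path, fix)})
    return findings


if __name__ == "__main__":
    for f in audit(parse_settings(CAPTURED)):
        print(f"WEAK {f['path']} = {f['current']!r}: {f['why']}")
        for cmd in f["fix"]:
            print("    " + cmd)
```

The script never runs esxcli itself: collect the output during an audited session (or through PowerCLI from vCenter) and feed it in, so the audit works the same on hosts where SSH stays disabled. The execInstalledOnly fix is a boot-time kernel option and needs a reboot, so schedule it like any other host patch.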

These measures directly align with MITRE ATT&CK ESXi techniques and NIST CSF 2.0 principles for identity, detection, and recovery.


Final Thoughts

Scattered Spider’s success comes from exploiting the finance sector’s own strengths:

  • High-touch customer service → social engineering entry point
  • Strict identity controls → MFA fatigue and session hijacking
  • Dependence on ESXi → mass encryption potential
  • Demand for uptime → stealthy tactics that maximize impact

For financial institutions, these aren’t just IT concerns—they’re operational, regulatory, and fiduciary risks. The next phase of cyber resilience will depend on visibility and control at the virtualization layer, where attackers now operate unseen.
