Cyber breaches are inevitable. Security blind spots shouldn't be
The detect, investigate, and respond model is critical for your cyber resilience. Find out how to prepare and implement your strategy.

Recent cyber-attacks on high-profile high street names, such as Marks & Spencer and the Co-Op, and luxury retailer Harrods show a significant and ongoing shift in ransomware strategy, which security teams across all sectors must urgently adapt to.
Our Cyber Defence Centre has seen firsthand how ransomware operations have evolved, both in terms of technical sophistication and tactical focus. Working with our Incident Response (IR) and Managed Security Services (MSS) clients, we’ve responded to situations where even well-defended businesses with mature cybersecurity capabilities have been caught off-guard.
Strengthening your defences is critical in the face of this escalating threat.
The American Cyber Defence Agency regards Scattered Spider (also known as UNC3944, Octo Tempest, and sometimes associated with the ALPHV/BlackCat ransomware group) as one of the most dangerous threat groups targeting organisations in the West. Unlike many traditional ransomware actors, they’re native English speakers and typically operate out of the UK and USA, giving them an edge in executing sophisticated social engineering attacks.
Their tactics, techniques, and procedures (TTPs) include:
Cybercriminals are turning their attention more and more to hypervisors, the software that enables multiple virtual machines to operate on a single physical system. These attacks may take advantage of weaknesses in the hypervisor itself or use infiltrated virtual machines to seize control of the host system. This creates a major security threat, as a breached hypervisor could jeopardise the entire infrastructure.

Traditionally, ransomware operators targeted file-level systems, encrypting critical business data but leaving operating systems and hardware intact. This made it easier to communicate ransom demands and maintain a presence on the network.
However, modern Endpoint Detection and Response (EDR) tools have disrupted that model. With improved detection, tamper protection, and behavioural analytics, attackers have been forced to innovate.
The result? A growing focus on hypervisors, like VMware ESXi (formerly ESX). VMware ESXi is an enterprise-class, type-1 hypervisor developed by VMware, a subsidiary of Broadcom, for deploying and serving virtual computers. As a type-1 hypervisor, ESXi isn’t a software application that’s installed on an operating system (OS); instead, it includes and integrates vital OS components of its own, such as a kernel: the programme at the core of an operating system that always has complete control over everything in the system.
These are often left unmonitored, unprotected, or out of scope for traditional EDR tooling. And when compromised, attackers can cripple an organisation by encrypting or disabling hundreds of virtual machines at once.
In too many cases, we find that hypervisors are treated as secure by default, without proper monitoring, segmentation, or alerting in place. This creates a significant blind spot in many organisations’ defences.
One of the most common themes we see during incident response is that the tools to detect malicious activity are in place, but alerts aren’t actioned swiftly or effectively. Early indicators such as unusual login patterns, admin activity on hypervisors, or tamper attempts are missed or not escalated.
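The three early indicators named above (unusual login patterns, admin activity on the hypervisor, and repeated tamper or access attempts) can be turned into simple alerting logic that runs over the hypervisor's own authentication log. The script below is an added example written for this article and is not Grant Thornton tooling or any VMware product code. It assumes an OpenSSH-style `sshd` message format on the hypervisor (ESXi ships an OpenSSH-based SSH service, but the sample lines here are constructed, not captured from a real host), an allow-list of approved management sources and a UTC business-hours window; all three are assumptions you would replace with your own values.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, time, timedelta

# Constructed sample lines in an OpenSSH-style auth format (assumption: this is
# the shape the hypervisor's SSH service emits; not real ESXi records).
SAMPLE_LOG = """\
2025-05-01T09:12:04Z esx01 sshd[2101]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50122 ssh2
2025-05-01T23:47:51Z esx01 sshd[2188]: Accepted keyboard-interactive/pam for root from 10.10.5.20 port 50990 ssh2
2025-05-02T02:03:17Z esx01 sshd[2240]: Accepted keyboard-interactive/pam for root from 203.0.113.44 port 41001 ssh2
2025-05-02T02:04:02Z esx01 sshd[2241]: Failed keyboard-interactive/pam for root from 203.0.113.44 port 41002 ssh2
2025-05-02T02:04:09Z esx01 sshd[2242]: Failed keyboard-interactive/pam for root from 203.0.113.44 port 41003 ssh2
2025-05-02T02:04:15Z esx01 sshd[2243]: Failed keyboard-interactive/pam for root from 203.0.113.44 port 41004 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) \S+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

# Assumptions: the only approved admin source is a management jump host, the
# working day is 08:00-18:00 UTC, and three failures in five minutes is suspicious.
ALLOWED_ADMIN_SOURCES = {"10.10.5.20"}
BUSINESS_HOURS = (time(8, 0), time(18, 0))
FAILED_THRESHOLD = 3
FAILED_WINDOW = timedelta(minutes=5)


@dataclass
class Alert:
    severity: str   # "HIGH" alerts are the ones that must be triaged immediately
    host: str
    source: str
    reason: str


def parse_line(line):
    """Return a dict for a recognised auth line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "outcome": m["outcome"],
        "user": m["user"],
        "src": m["src"],
    }


def analyse(log_text):
    """Run the three indicator checks over the log and return the alerts raised."""
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    alerts = []
    failures = defaultdict(list)   # (host, src) -> timestamps of recent failures
    for e in events:
        if e["outcome"] == "Accepted":
            # Indicator: admin activity on the hypervisor from an unexpected place.
            if e["src"] not in ALLOWED_ADMIN_SOURCES:
                alerts.append(Alert("HIGH", e["host"], e["src"],
                                    f"admin login for {e['user']} from unapproved source"))
            # Indicator: unusual login pattern, here a login outside the working day.
            if not (BUSINESS_HOURS[0] <= e["ts"].time() < BUSINESS_HOURS[1]):
                alerts.append(Alert("MEDIUM", e["host"], e["src"],
                                    f"admin login at {e['ts'].isoformat()} outside business hours"))
        else:
            # Indicator: repeated access attempts against the hypervisor.
            key = (e["host"], e["src"])
            failures[key] = [t for t in failures[key] if e["ts"] - t <= FAILED_WINDOW]
            failures[key].append(e["ts"])
            if len(failures[key]) == FAILED_THRESHOLD:
                alerts.append(Alert("MEDIUM", e["host"], e["src"],
                                    f"{FAILED_THRESHOLD} failed logins within {FAILED_WINDOW}"))
    return alerts


def summarise(alerts):
    """Count alerts by severity so a triage queue can be ordered by what matters most."""
    counts = defaultdict(int)
    for a in alerts:
        counts[a.severity] += 1
    return dict(counts)


if __name__ == "__main__":
    found = analyse(SAMPLE_LOG)
    for a in sorted(found, key=lambda a: a.severity != "HIGH"):
        print(f"[{a.severity}] {a.host} {a.source}: {a.reason}")
    print(summarise(found))
```

On the constructed sample the script raises one HIGH alert (a root login from an address that is not the jump host) and three MEDIUM alerts (two out-of-hours logins and one burst of failed attempts). The point of the severity field is the one made in the paragraph above: the detection is the easy part, and the value only materialises if a HIGH alert reaches a person who is empowered to act on it within minutes, at 02:00 as readily as at 14:00.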
Technology alone can’t replace the need for a trained, empowered response team. Security teams must be prepared to triage, investigate, and respond in real time – especially outside of business hours when attackers often strike.
If your organisation doesn’t have 24/7 monitoring and response, it’s crucial to assess whether you have the ability to respond to high-priority alerts in a timely manner. This is where Managed Security Services can play a vital role.
There are actions organisations can take today to harden their environments against Scattered Spider’s tactics:
1. Protect against SIM swapping and MFA fatigue
2. Secure help desk channels
3. Control remote access tools
4. Mitigate living-off-the-land techniques
5. Detect credential abuse and privilege escalation
6. Secure virtual infrastructure
7. Prevent EDR tampering or bypass
As ransomware groups move beyond endpoints to exploit overlooked infrastructure like hypervisors, organisations must take a zero-trust approach and treat virtual infrastructure as part of the critical threat surface.
If your monitoring doesn’t cover your hypervisors, or if your team isn’t prepared to respond to suspicious activity around them, your business could be one alert away from serious disruption.
Now is the time to review and strengthen your posture, before an attacker forces you to.
Need immediate assistance? Call our Cyber Incident Response (24/7/365):
T: +44 20 7865 2552 or E: CIR@uk.gt.com
For more insight and guidance, get in touch with our team.