The hackers behind a recent hacking spree targeting major UK retailers are clever, sophisticated, and, above all, confident. Here’s how they work.
Throughout April and May, a hacking collective known as Scattered Spider caused mayhem across the United Kingdom after it targeted some of the country’s largest retail brands.
Co-op, Marks & Spencer, and Harrods all fell victim to ransomware attacks, taking systems offline and causing disruptions costing millions of pounds daily in some cases.
Even now, the attacks have caused lingering aftereffects as the stores try to restore normal business operations.
Scattered Spider is no newcomer, though. In 2023, the group was responsible for a similarly disruptive attack on MGM Resorts that disrupted hotel and casino operations across the United States.
At that time, Scattered Spider was taking advantage of the now-defunct ALPHV ransomware-as-a-service operation, but the group has since found a new partner in DragonForce’s RaaS offering.
Scattered Spider is clearly not going away, so here’s what network defenders need to know about how the threat actor is capable of causing such havoc.
Itsy bitsy spider
While many groups in the ransomware ecosystem choose targets based on how vulnerable they are to attack, Scattered Spider prefers bigger fish.
The first step in the group’s attacks is to perform initial reconnaissance of its victims. Stolen credentials are bought on the darknet, while initial access brokers are sought out to acquire endpoint telemetry. The hackers also gather what they can from publicly available sources, such as LinkedIn, which allows Scattered Spider to build detailed profiles of its victims.
According to Daniel Collyer, a researcher with threat intelligence firm SOS Intelligence, Scattered Spider uses this phase to find victims with “complex IT environments and high tolerance for operational risk”, making them particularly vulnerable to threats of extortion.
With an entry point to the victim acquired and profiles of how it operates built, Scattered Spider moves to the next phase of its attack, where it employs sophisticated social engineering techniques to get into a network. Both phishing and voice phishing – or vishing – are employed, with the hackers often impersonating internal staff.
Because Scattered Spider appears to be made up of native English speakers, spotting these initial social engineering attacks is difficult. The group will often pose as an employee claiming to be locked out of their computer, and uses SIM swapping to get around multifactor authentication (MFA) measures, or relies upon MFA fatigue, bombarding a user with so many MFA message requests that they eventually approve one out of frustration.
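One way to surface the MFA fatigue pattern described above in authentication logs: flag any approval that follows a burst of earlier push prompts for the same account. This is an added illustration, not code from the article or from SOS Intelligence; the log format, the ten-minute window and the threshold of five are assumptions, and the log lines are constructed.

```python
# Added example: detect MFA push bombing in constructed authentication logs.
# Assumed line format (not from the article): timestamp,user,event,result
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: jdoe is bombarded with pushes and finally approves one;
# asmith shows a normal single-prompt login for comparison.
SAMPLE_LOG = """\
2025-05-01T02:10:05Z,jdoe,mfa_push,denied
2025-05-01T02:10:31Z,jdoe,mfa_push,timeout
2025-05-01T02:11:02Z,jdoe,mfa_push,denied
2025-05-01T02:11:40Z,jdoe,mfa_push,timeout
2025-05-01T02:12:15Z,jdoe,mfa_push,denied
2025-05-01T02:12:50Z,jdoe,mfa_push,denied
2025-05-01T02:13:20Z,jdoe,mfa_push,approved
2025-05-01T02:13:25Z,jdoe,login,success
2025-05-01T09:00:00Z,asmith,mfa_push,approved
2025-05-01T09:00:03Z,asmith,login,success"""

WINDOW = timedelta(minutes=10)   # assumed look-back window
THRESHOLD = 5                    # assumed number of prior pushes that is suspicious

def parse(log):
    """Turn CSV-style lines into (timestamp, user, event, result) tuples."""
    events = []
    for line in log.splitlines():
        ts, user, event, result = line.strip().split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, event, result))
    return events

def find_push_bombing(log, window=WINDOW, threshold=THRESHOLD):
    """Return {user: total pushes in the burst} for every user whose approval
    was preceded by at least `threshold` push prompts inside `window`."""
    pushes_by_user = defaultdict(list)
    for ts, user, event, result in parse(log):
        if event == "mfa_push":
            pushes_by_user[user].append((ts, result))
    flagged = {}
    for user, pushes in pushes_by_user.items():
        pushes.sort()
        for i, (ts, result) in enumerate(pushes):
            if result != "approved":
                continue
            prior = [p for p in pushes[:i] if ts - p[0] <= window]
            if len(prior) >= threshold:
                flagged[user] = len(prior) + 1   # burst size including the approval
                break
    return flagged

if __name__ == "__main__":
    print(find_push_bombing(SAMPLE_LOG))
```

An alert on the flagged account should trigger a call-back to the user through a known-good channel, since a denied-then-approved sequence is exactly what an attacker holding a valid password is hoping to produce.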
Once inside a network, further credentials are acquired, and legitimate software tools such as Cobalt Strike and Windows admin tools are used to achieve privilege escalation and lateral movement.
In this phase, Scattered Spider is on the lookout for identity infrastructure such as Okta or Active Directory, remote access tools, and any repositories containing sensitive information. Depending on the size of the victim, this phase could last just hours or several days.
Having mapped out the victim’s network and located its crown jewels of data, exfiltration begins.
“Before deploying ransomware, Scattered Spider usually exfiltrates a trove of sensitive data,” Collyer said in a 4 June blog post.
“This forms the basis of their double extortion strategy; even if a victim can restore from backups, they may still pay to prevent the public release of confidential files.”
Exfiltrated files are compressed and uploaded to either malicious infrastructure or cloud storage providers. The hackers may even leave behind backdoors for further access in the future.
Lastly, the group deploys DragonForce ransomware, which can rapidly encrypt files and sometimes even backup servers. A ransom note is left behind directing victims to a darknet negotiation site. If negotiations break down or a victim refuses to pay, the data is then published to DragonForce’s darknet leak site.
Not so itsy bitsy threat
What makes Scattered Spider particularly dangerous is the targeted and methodical nature of its attacks. It understands the IT systems used by companies in the West and is adept at impersonation and manipulation. It is calm and confident when talking to its victims, or appears stressed and in a hurry when impersonating employees with tech support issues.
And while it does deploy ransomware, the group also uses the aggressive and tailored techniques of nation-state threat actors.
“This hybrid operational model, part ransomware gang, part APT, means traditional classifications don’t fully capture the scope of their threat,” Collyer said.
“For defenders, this creates both strategic confusion and escalating risk.
“In short, Scattered Spider is dangerous not just because of what they do, but how they do it. Their blend of psychological manipulation, identity compromise, and rapid escalation makes them one of the most formidable threats facing organisations today.”
David Hollingworth has been writing about technology for over 20 years, and has worked for a range of print and online titles in his career. He is enjoying getting to grips with cyber security, especially when it lets him talk about Lego.