{"id":3340,"date":"2025-05-27T06:00:00","date_gmt":"2025-05-27T06:00:00","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=3340"},"modified":"2025-05-27T06:00:00","modified_gmt":"2025-05-27T06:00:00","slug":"how-cisos-can-defend-against-scattered-spider-ransomware-attacks","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=3340","title":{"rendered":"How CISOs can defend against Scattered Spider ransomware attacks"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The UK\u2019s Marks &amp; Spencer <a href=\"https:\/\/www.csoonline.com\/article\/3977688\/warning-issued-to-retailers-cisos-worldwide-after-three-attacks-in-uk.html\">suffered a cyberattack<\/a> in late April that damaged the high-end retailer\u2019s operations and is <a href=\"https:\/\/www.londonstockexchange.com\/news-article\/MKS\/final-results\/17046629\" target=\"_blank\" rel=\"noopener\">expected to cost<\/a> the company over $400 million.<\/p>\n<p>That attack was quickly followed by similar incidents that struck two other iconic British retailers, <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/harrods-the-next-uk-retailer-targeted-in-a-cyberattack\/\" target=\"_blank\" rel=\"noopener\">Harrods<\/a> and <a href=\"https:\/\/www.coop.co.uk\/cyber-incident\" target=\"_blank\" rel=\"noopener\">the Co-op<\/a>, sparking widespread press coverage and fueling consumer fears across the UK as shelves ran empty and online ordering ceased. 
<\/p>\n<p>All three incidents have been attributed to a loose collective of young, native English-speaking hackers called Scattered Spider, also known as UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, and 0ktapus.<\/p>\n<p>Earlier this month, Google warned that Scattered Spider will bring its <a href=\"https:\/\/www.csoonline.com\/article\/3986579\/aggressive-creative-hackers-behind-uk-breaches-now-eyeing-us-retailers.html\">high-profile retail<\/a> attacks to the US. However, experts say Scattered Spider is already targeting top US organizations, and CISOs should prepare now for how their organizations will deal with the aggressive hacking group.<\/p>\n<p>\u201cYou need to have a plan before you get punched in the face,\u201d Kristopher Russo, principal threat researcher at Palo Alto Networks, told CSO. \u201cMake sure you are practicing so that when it happens, you\u2019re ready. You should have your playbook in place, know exactly who to call, and know what to shut down to help isolate and stop the attack.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Who is Scattered Spider?<\/h2>\n<p>Scattered Spider is considered part of a broader community of young cybercriminals <a href=\"https:\/\/www.sans.org\/blog\/defending-against-scattered-spider-and-the-com-with-cybercrime-intelligence\/\" target=\"_blank\" rel=\"noopener\">known as The Com<\/a>, although these groups are difficult to pin down. 
They are best known in the US for their audacious ransomware attacks on <a href=\"https:\/\/www.nbcnews.com\/tech\/security\/mgm-las-vegas-hackers-scattered-spider-rcna105238\" target=\"_blank\" rel=\"noopener\">two Las Vegas casino owners<\/a>, <a href=\"https:\/\/www.csoonline.com\/article\/652575\/hackers-behind-mgm-cyberattack-thrash-the-casinos-incident-response.html\">MGM Resorts<\/a> and Caesars Entertainment.<\/p>\n<p>In the recent round of attacks, they have joined forces with a potent ransomware-as-a-service actor, <a href=\"https:\/\/www.bbc.com\/news\/articles\/crkx3vy54nzo\" target=\"_blank\" rel=\"noopener\">DragonForce<\/a>. Although it poses as pro-Palestinian hacktivists, DragonForce might be one of the cybercrime groups operating in Russia with the Kremlin\u2019s tacit permission.<\/p>\n<p>DragonForce\u2019s recent rebrand announcement, in which it now <a href=\"https:\/\/www.infosecurity-magazine.com\/news\/dragonforce-goup-ms-coop-harrods\/\" target=\"_blank\" rel=\"noopener\">calls itself<\/a> a \u201ccartel,\u201d <a href=\"https:\/\/www.theregister.com\/2025\/05\/15\/dragonforce_ransomware_uk_retail_attacks\/\" target=\"_blank\" rel=\"noopener\">included<\/a> a warning not to attack targets in the Commonwealth of Independent States, a 10-nation bloc centered on Russia and former Soviet republics. A rival gang, RansomHub, accused DragonForce of collaborating with Russia\u2019s FSB intel arm.<\/p>\n<p>\u201cThey are more than likely leaning into the Russian affiliate model, so they\u2019re just renting out tools and infrastructure,\u201d Mike Hamilton, field CISO at Lumifi Cyber, told CSO. \u201cThat gives them a lot of advantages.\u201d<\/p>\n<p>However, the relationship between DragonForce and Scattered Spider is murky, even if it\u2019s clear that Scattered Spider is deploying DragonForce malware. 
That relationship is \u201cone of the million-dollar questions,\u201d Greg Linares, principal threat intelligence analyst at Huntress, told CSO. \u201cWe know that they\u2019re using DragonForce. But is it affiliated? Is it being paid? Or is it a false flag?\u201d<\/p>\n<p>Whatever the case may be, \u201cI think it is really important to appreciate that DragonForce is a very serious ransomware group,\u201d Zach Edwards, senior threat researcher at Silent Push, told CSO. \u201cThey would be considered among the top [ransomware groups] because their software is good; it effectively does what it says it will do.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Significant shift to social engineering<\/h2>\n<p>Over the past two years, many Scattered Spider members have been arrested and even convicted, including one key member known as \u201cKing Bob,\u201d who was arrested <a href=\"https:\/\/www.justice.gov\/usao-mdfl\/pr\/palm-coast-man-arrested-wire-fraud-and-aggravated-identity-theft-charges\" target=\"_blank\" rel=\"noopener\">in early 2024<\/a> and later pleaded guilty to the charges against him. <a href=\"https:\/\/news.sky.com\/story\/scottish-man-linked-to-hacking-group-scattered-spider-among-five-charged-in-us-13257514\" target=\"_blank\" rel=\"noopener\">Six<\/a> <a href=\"https:\/\/www.reuters.com\/technology\/cybersecurity\/us-charges-five-scattered-spider-hacking-scheme-2024-11-20\/\">other<\/a> significant Scattered Spider members were arrested in late 2024.<\/p>\n<p>Due to these law enforcement actions, by early 2025, the group seemed to have halted its operations. \u201cFor us at Silent Push, around November and December of last year, we were seeing a drop off of their infrastructure,\u201d Edwards said. \u201cTheir phishing pages stopped being created. 
But in early 2025, we picked up their phishing kits coming live again and <a href=\"https:\/\/www.silentpush.com\/blog\/scattered-spider-2025\/\">targeting<\/a> a variety of brands.\u201d<\/p>\n<p>Experts say that besides aligning with DragonForce, Scattered Spider has shifted its preferred mode of infiltration from credential-phishing pages to social engineering by phone, talking its way into organizations through help desks and employees.<\/p>\n<p>\u201cWhat\u2019s important about the recent UK campaign is the shift in their tactics,\u201d Edwards said. \u201cWhat we\u2019re seeing right now is zero phishing kits live. The new stuff here in the US appears to be exclusively social engineering focused, where they\u2019re reaching out to help desks, trying to do password resets, and reaching out to employees to try and get their credentials.\u201d<\/p>\n<p>The group even uses SIM swapping to pose as legitimate employees seeking password resets. \u201cWe know that they have SIM swapping capabilities,\u201d Linares said, with the Harrods attack attributed to SIM swapping. \u201cWe know they\u2019re likely working with individuals who work at the ISPs or the providers and helping them get that information.\u201d<\/p>\n<p>\u201cWhat they\u2019ll do is often they\u2019ll call in pretending to be a legitimate employee of the company,\u201d Austin Larsen, principal threat analyst at Google Mandiant, said <a href=\"https:\/\/www.brighttalk.com\/webcast\/7451\/643349\" target=\"_blank\" rel=\"noopener\">during a webinar<\/a> on defending against UNC3944. \u201cOftentimes, they come into these calls, into these help desks equipped with a lot of information about their target user.\u201d<\/p>\n<p>He added, \u201cThey\u2019re able to provide the Social Security number, for example, of their target user, their address, or other personal information. 
It is a challenge for help desks to detect some of these attacks, given how much research and information the actor typically has going into these phone calls.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Focus on the human factors as a first line of defense<\/h2>\n<p>Given Scattered Spider\u2019s impressive success with social engineering in the UK, experts say CISOs should first focus on their organizations\u2019 softest targets, namely the help desk workers and employees the hackers seek to manipulate.<\/p>\n<p>\u201cThey know how help desks work,\u201d Hamilton said. \u201cThey do a bunch of research, and they\u2019ll get enough information on a user to be able to impersonate them at the help desk for a password reset, and then they\u2019re in.\u201d<\/p>\n<p>\u201cWhat sets this group apart is that their attack styles are not technically complex,\u201d Palo Alto\u2019s Russo said. \u201cThese aren\u2019t zero-day exploits of vulnerabilities. They target people, so they\u2019re going after the human element.\u201d<\/p>\n<p>CISOs should provide help desk personnel with procedures for reporting suspicious password reset calls and guide them on getting out of those conversations as quickly as possible.<\/p>\n<p>\u201cWhat CISOs need to do is make sure that their humans are prepared for this kind of attack, that they have these red flags in place so that when a line is crossed in a call or a conversation, it ends,\u201d Russo said. \u201cIf there is ever a question of identity when they\u2019re talking to somebody, if there\u2019s any slip-up, if anything is missing, that\u2019s a red flag to say, you know what? I need to contact your manager and get verification.\u201d<\/p>\n<p>But the help desk is not the only one that needs education. 
Experts say all employees should be aware of the group\u2019s social engineering tactics.<\/p>\n<p>\u201cThey act like the employee to the help desk, but they also act as the help desk when calling employees,\u201d Huntress\u2019 Linares said. \u201cIt works both ways. I have seen that attack occur where they call the employee and say, \u2018Hey, we saw that alert happen on your machine; we need to log in or get access to that. Please run this script and this tool so we can remote in.\u2019\u201d<\/p>\n<p>Speed is of the essence in these situations. \u201cDon\u2019t give them a chance to keep manipulating your people because the longer you can keep somebody on the phone or online, the more likely you are to have success getting them to violate their processes and procedures,\u201d Russo said.<\/p>\n<h2 class=\"wp-block-heading\">Tracking the hackers is a must<\/h2>\n<p>Unfortunately, adept Scattered Spider hackers can bamboozle even the most prepared help desk workers. Experts say that CISOs should, therefore, have detection and tracking mechanisms to follow the intruders once they have gained access.<\/p>\n<p>\u201cWhat do they do with these legitimate user credentials?\u201d Google\u2019s Larsen asked. \u201cThey usually start by looking at internal documentation for their victim organization. We see them, for example, in SharePoint searching for keywords such as VPN, MFA, or network map, trying to better understand what their victim environment looks like and how they can further expand their access into the environment. We also see them, for example, searching through chat platforms like Slack or Teams for any plain text secrets or credentials, especially for VMware or vCenter.\u201d<\/p>\n<p>But after this phase, they move extremely quickly to fan out through the organization\u2019s assets. 
\u201cOnce they move laterally using whatever valid credentials they have or they can find, we see them establish persistence quickly and pretty extensively, which makes remediation far more difficult for victims,\u201d Larsen said.<\/p>\n<p>One of the group\u2019s hallmarks is using ScreenConnect, AnyDesk, and TeamViewer, legitimate remote access utilities that antivirus solutions won\u2019t flag, and that <a href=\"https:\/\/www.csoonline.com\/article\/3487743\/attackers-increasingly-using-legitimate-remote-management-tools-to-hack-enterprises.html\">cybercriminals are increasingly employing<\/a>. \u201cSo, an investigation using EDR utilities or solutions is needed,\u201d Larsen said.<\/p>\n<p>\u201cIf we can stop it, it\u2019s ideal, but detection is a must,\u201d Russo said. \u201cIf they\u2019ve gotten in there, we need to detect them. Look for users who are doing stuff they don\u2019t normally do. So, for example, they\u2019re in as this user, they\u2019ve authenticated to the network, and then they start looking at different data stores all in a big sequence. Well, that\u2019s not normal for that user to do. 
We need to detect that.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Don\u2019t pay the ransom<\/h2>\n<p>In the case of Scattered Spider\u2019s hacking of the two casino operators in 2023, Caesars emerged relatively unscathed because it <a href=\"https:\/\/www.cnbc.com\/2023\/09\/14\/caesars-paid-millions-in-ransom-to-cybercrime-group-prior-to-mgm-hack.html\">paid<\/a> the demanded ransom of $15 million, while MGM Resorts, which didn\u2019t pay the ransom, <a href=\"https:\/\/content.edgar-online.com\/ExternalLink\/EDGAR\/0001564590-16-018330.html?hash=3b65f1ef9f92a5b1fbc13788e8356d3a84f583f0116a4ae873be936e1d28e6fc&amp;dest=mgm-ex103_372_htm#mgm-ex103_372_htm\">got hosed<\/a> for $145 million in expenses and class-action lawsuit payments, among other costs.<\/p>\n<p>However, experts say that despite these examples, it\u2019s a bad idea to pay Scattered Spider a ransom if they successfully encrypt files and steal valuable data.<\/p>\n<p>\u201cWe know that paying that ransom just incentivizes them,\u201d Lumifi\u2019s Hamilton said. \u201cIt gives them money to keep doing what they\u2019re doing.\u201d<\/p>\n<p>Moreover, \u201cIt is often faster to restore from backups,\u201d he added. 
\u201cIf you have good controls in place, you have immutable backups, and <a href=\"https:\/\/www.csoonline.com\/article\/571131\/ransomware-recovery-8-steps-to-successfully-restore-from-backup.html\">you have processes<\/a>, and you know exactly what the order of things to come back up is, you can do that faster than you can apply a decryption key, which many times doesn\u2019t work very well.\u201d<\/p>\n<p>\u201cIf you pay that ransom, they could still absolutely put all of your data on the internet because these are children and they are outrageous individuals,\u201d Silent Push\u2019s Edwards said. \u201cThe decryption keys may not work. And paying definitely doesn\u2019t guarantee that the data won\u2019t leak. It\u2019s not a guarantee in any way.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The UK\u2019s Marks &amp; Spencer suffered a cyberattack in late April that damaged the high-end retailer\u2019s operations and is expected to cost the company over $400 million. 
That attack was quickly followed by similar incidents that struck two other iconic British retailers, Harrods and the Co-op, sparking widespread press coverage and fueling consumer fears across [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":3330,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-3340","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3340"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=3340"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/3340\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/3330"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=3340"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=3340"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=3340"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
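The detection advice in the article's "Tracking the hackers is a must" section (Larsen: the actor searches SharePoint and chat for VPN, MFA, network map and vCenter material and lives off ScreenConnect, AnyDesk and TeamViewer; Russo: a compromised identity starts touching data stores it never normally reads) can be turned into concrete triage rules. The script below is an added example and is not code from the article, from CSO, or from any vendor quoted in it. The JSON-lines log schema, the process names, the hypothetical jump-box host it-jump-01, the keyword list and the fan-out thresholds are all assumptions for the example, and the log lines are constructed, not real telemetry.

```python
"""Triage rules for the post-compromise behaviour described in the article.

Three signals over a constructed JSON-lines feed (schema, process names, the
jump-box host name and the thresholds are assumptions for this example):
  1. an RMM tool (ScreenConnect, AnyDesk, TeamViewer) on a host that is not an
     approved IT jump box,
  2. SharePoint / Teams / Slack searches for the terms the actor hunts for,
  3. one identity touching many distinct data stores in a short window.
An identity that trips two or more signals is the corroborated lead.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import json

RMM_PROCESSES = {"screenconnect.clientservice.exe", "anydesk.exe", "teamviewer.exe"}
SANCTIONED_RMM_HOSTS = {"it-jump-01"}  # hypothetical host where IT may run RMM tools
RECON_TERMS = ("vpn", "mfa", "network map", "vcenter", "vmware", "password")
FANOUT_WINDOW = timedelta(minutes=10)
FANOUT_THRESHOLD = 5  # distinct data stores per user inside the window; tune to baseline

# Constructed sample telemetry: jsmith is the compromised identity, mlee is benign noise.
SAMPLE_LOGS = [
    '{"ts":"2025-05-20T09:01:10","type":"process","user":"jsmith","host":"ws-1042","process":"outlook.exe"}',
    '{"ts":"2025-05-20T09:03:42","type":"process","user":"jsmith","host":"ws-1042","process":"AnyDesk.exe"}',
    '{"ts":"2025-05-20T09:04:00","type":"process","user":"svc-it","host":"it-jump-01","process":"ScreenConnect.ClientService.exe"}',
    '{"ts":"2025-05-20T09:05:15","type":"search","user":"jsmith","app":"sharepoint","query":"VPN setup guide"}',
    '{"ts":"2025-05-20T09:05:50","type":"search","user":"jsmith","app":"teams","query":"vcenter password"}',
    '{"ts":"2025-05-20T09:06:30","type":"search","user":"mlee","app":"sharepoint","query":"Q2 expense policy"}',
    '{"ts":"2025-05-20T09:10:00","type":"access","user":"jsmith","resource":"fs://finance"}',
    '{"ts":"2025-05-20T09:10:20","type":"access","user":"jsmith","resource":"fs://hr"}',
    '{"ts":"2025-05-20T09:11:05","type":"access","user":"jsmith","resource":"sharepoint://it-runbooks"}',
    '{"ts":"2025-05-20T09:12:40","type":"access","user":"jsmith","resource":"fs://engineering"}',
    '{"ts":"2025-05-20T09:14:10","type":"access","user":"jsmith","resource":"vcenter://prod"}',
    '{"ts":"2025-05-20T09:20:00","type":"access","user":"mlee","resource":"fs://finance"}',
    '{"ts":"2025-05-20T09:45:00","type":"access","user":"mlee","resource":"fs://hr"}',
]


def parse(lines):
    """Parse JSON lines, convert timestamps, and return events in time order."""
    events = []
    for line in lines:
        ev = json.loads(line)
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return sorted(events, key=lambda e: e["ts"])


def detect_rmm(events):
    """Remote-access tooling starting on a host that is not an approved jump box."""
    return [
        {"user": e["user"], "host": e["host"], "process": e["process"]}
        for e in events
        if e["type"] == "process"
        and e["process"].lower() in RMM_PROCESSES
        and e["host"] not in SANCTIONED_RMM_HOSTS
    ]


def detect_recon_search(events):
    """Document or chat searches that contain the actor's recon keywords."""
    hits = []
    for e in events:
        if e["type"] != "search":
            continue
        terms = [t for t in RECON_TERMS if t in e["query"].lower()]
        if terms:
            hits.append({"user": e["user"], "app": e["app"], "query": e["query"], "terms": terms})
    return hits


def detect_fanout(events, window=FANOUT_WINDOW, threshold=FANOUT_THRESHOLD):
    """One identity reaching >= threshold distinct data stores within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["type"] == "access":
            per_user[e["user"]].append(e)  # events are already time-ordered
    alerts = []
    for user, accesses in per_user.items():
        for i, first in enumerate(accesses):
            stores = {a["resource"] for a in accesses[i:] if a["ts"] - first["ts"] <= window}
            if len(stores) >= threshold:
                alerts.append({"user": user, "start": first["ts"].isoformat(),
                               "distinct_resources": len(stores)})
                break  # one alert per identity is enough for triage
    return alerts


def triage(lines):
    """Run all three rules and list identities that trip more than one of them."""
    events = parse(lines)
    result = {"rmm": detect_rmm(events),
              "recon": detect_recon_search(events),
              "fanout": detect_fanout(events)}
    signals = defaultdict(set)
    for kind, alerts in result.items():
        for a in alerts:
            signals[a["user"]].add(kind)
    result["corroborated"] = sorted(u for u, kinds in signals.items() if len(kinds) >= 2)
    return result


if __name__ == "__main__":
    print(json.dumps(triage(SAMPLE_LOGS), indent=2))
```

Each rule on its own is noisy: IT staff legitimately run ScreenConnect, and an engineer may well search SharePoint for the VPN guide. The value is in the `corroborated` list, where a single identity trips two or more of the signals within the same feed, which is the sequence the article describes (help-desk reset, document and chat recon, then rapid fan-out and RMM persistence). In production the process events come from EDR telemetry, the search and access events from the M365, Slack and file-server audit logs, and `FANOUT_THRESHOLD` should be set from each user's observed baseline rather than a fixed number.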