How CISOs can defend against Scattered Spider ransomware attacks

The UK’s Marks & Spencer suffered a cyberattack in late April that damaged the high-end retailer’s operations and is expected to cost the company over $400 million.

That attack was quickly followed by similar incidents that struck two other iconic British retailers, Harrods and the Co-op, sparking widespread press coverage and fueling consumer fears across the UK as shelves ran empty and online ordering ceased.  

All three incidents have been attributed to a loose collective of young, native English-speaking hackers called Scattered Spider, also known as UNC3944, Starfraud, Scatter Swine, Muddled Libra, Octo Tempest, and 0ktapus.

Earlier this month, Google warned that Scattered Spider will bring its high-profile retail attacks to the US. However, experts say Scattered Spider is already targeting top US organizations, and CISOs should prepare now for how their organizations will deal with the aggressive hacking group.

“You need to have a plan before you get punched in the face,” Kristopher Russo, principal threat researcher at Palo Alto Networks, told CSO. “Make sure you are practicing so that when it happens, you’re ready. You should have your playbook in place, know exactly who to call, and know what to shut down to help isolate and stop the attack.”

Who is Scattered Spider?

Scattered Spider is considered part of a broader community of young cybercriminals known as The Com, although these groups are difficult to pin down. They are best known in the US for their audacious ransomware attacks on two Las Vegas casino owners, MGM Resorts and Caesars Entertainment.

In the recent round of attacks, they have joined forces with a potent ransomware-as-a-service actor, DragonForce. Although it poses as pro-Palestinian hacktivists, DragonForce might be one of the cybercrime groups operating in Russia with the Kremlin’s tacit permission.

DragonForce’s recent rebrand announcement, in which it now calls itself a “cartel,” included a warning not to attack targets in the Commonwealth of Independent States, a 10-nation bloc centered on Russia and former Soviet republics. A rival gang, RansomHub, accused DragonForce of collaborating with Russia’s FSB intel arm.

“They are more than likely leaning into the Russian affiliate model, so they’re just renting out tools and infrastructure,” Mike Hamilton, field CISO at Lumifi Cyber, told CSO. “That gives them a lot of advantages.”

However, the relationship between DragonForce and Scattered Spider is murky, even if it’s clear that Scattered Spider is deploying DragonForce malware. That relationship is “one of the million-dollar questions,” Greg Linares, principal threat intelligence analyst at Huntress, told CSO. “We know that they’re using DragonForce. But is it affiliated? Is it being paid? Or is it a false flag?”

Whatever the case may be, “I think it is really important to appreciate that DragonForce is a very serious ransomware group,” Zach Edwards, senior threat researcher at Silent Push, told CSO. “They would be considered among the top [ransomware groups] because their software is good; it effectively does what it says it will do.”

Significant shift to social engineering

Over the past two years, many Scattered Spider members have been arrested and even convicted, including one key member known as “King Bob,” who was arrested in early 2024 and later pleaded guilty to the charges against him. Six other significant Scattered Spider members were arrested in late 2024.

Due to these law enforcement actions, by early 2025, the group seemed to have halted its operations. “For us at Silent Push, around November and December of last year, we were seeing a drop off of their infrastructure,” Edwards said. “Their phishing pages stopped being created. But in early 2025, we picked up their phishing kits coming live again and targeting a variety of brands.”

Experts say that besides aligning with DragonForce, Scattered Spider has shifted its preferred mode of infiltration from phishing to socially engineering its way into organizations.

“What’s important about the recent UK campaign is the shift in their tactics,” Edwards said. “What we’re seeing right now is zero phishing kits live. The new stuff here in the US appears to be exclusively social engineering focused, where they’re reaching out to help desks, trying to do password resets, and reaching out to employees to try and get their credentials.”

The group even uses SIM swapping to pose as legitimate employees seeking password resets. “We know that they have SIM swapping capabilities,” Linares said, with the Harrods attack attributed to SIM swapping. “We know they’re likely working with individuals who work at the ISPs or the providers and helping them get that information.”

“What they’ll do is often they’ll call in pretending to be a legitimate employee of the company,” Austin Larsen, principal threat analyst at Google Mandiant, said during a webinar on defending against UNC3944. “Oftentimes, they come into these calls, into these help desks equipped with a lot of information about their target user.”

He added, “They’re able to provide the Social Security number, for example, of their target user, their address, or other personal information. It is a challenge for help desks to detect some of these attacks, given how much research and information the actor typically has going into these phone calls.”

Focus on the human factors as a first line of defense

Given Scattered Spider’s impressive success with social engineering in the UK, experts say CISOs should first focus on their organizations’ softest targets, namely the help desk workers and employees the hackers seek to manipulate.

“They know how help desks work,” Hamilton said. “They do a bunch of research, and they’ll get enough information on a user to be able to impersonate them at the help desk for a password reset, and then they’re in.”

“What sets this group apart is that their attack styles are not technically complex,” Palo Alto’s Russo said. “These aren’t zero-day exploits of vulnerabilities. They target people, so they’re going after the human element.”

CISOs should provide help desk personnel with procedures for reporting suspicious password reset calls and guide them on getting out of those conversations as quickly as possible.

“What CISOs need to do is make sure that their humans are prepared for this kind of attack, that they have these red flags in place so that when a line is crossed in a call or a conversation, it ends,” Russo said. “If there is ever a question of identity when they’re talking to somebody, if there’s any slip-up, if anything is missing, that’s a red flag to say, you know what? I need to contact your manager and get verification.”

But the help desk is not the only one that needs education. Experts say all employees should be aware of the group’s social engineering tactics.

“They act like the employee to the help desk, but they also act as the help desk when calling employees,” Huntress’ Linares said. “It works both ways. I have seen that attack occur where they call the employee and say, ‘Hey, we saw that alert happen on your machine; we need to log in or get access to that. Please run this script and this tool so we can remote in.’”

Speed is of the essence in these situations. “Don’t give them a chance to keep manipulating your people because the longer you can keep somebody on the phone or online, the more likely you are to have success getting them to violate their processes and procedures,” Russo said.

Tracking the hackers is a must

Unfortunately, adept Scattered Spider hackers can bamboozle even the most prepared help desk workers. Experts say that CISOs should, therefore, have detection and tracking mechanisms to follow the intruders once they have gained access.

“What do they do with these legitimate user credentials?” Google’s Larsen asked. “They usually start by looking at internal documentation for their victim organization. We see them, for example, in SharePoint searching for keywords such as VPN, MFA, or network map, trying to better understand what their victim environment looks like and how they can further expand their access into the environment. We also see them, for example, searching through chat platforms like Slack or Teams for any plain text secrets or credentials, especially for VMware or vCenter.”

But after this phase, they move extremely quickly to fan out through the organization’s assets. “Once they move laterally using whatever valid credentials they have or they can find, we see them establish persistence quickly and pretty extensively, which makes remediation far more difficult for victims,” Larsen said. Attackers often use legitimate remote access utilities that antivirus solutions won’t pick up, he added. “So, an investigation using EDR utilities or solutions is needed.”

“If we can stop it, it’s ideal, but detection is a must,” Russo said. “If they’ve gotten in there, we need to detect them. Look for users who are doing stuff they don’t normally do. So, for example, they’re in as this user, they’ve authenticated the network, and then they start looking at different data stores all in a big sequence. Well, that’s not normal for that user to do. We need to detect that.”
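The two detection ideas in this section, an account searching internal documentation for infrastructure keywords, and an account touching far more distinct data stores in a short burst than it normally does, can be expressed as simple rules over access logs. The following is an added example written for this page, not code from CSO Online or from any of the experts quoted; the event format, the keyword list, the 30-minute window, the 2x-baseline threshold and the sample log lines are all constructed assumptions, and in practice the baseline would be learned from each user's history and the rules fed into a SIEM or EDR query rather than run from a script.

```python
"""Toy detections for post-compromise reconnaissance by a valid account:
(1) document/chat searches for infrastructure keywords, and (2) one user
fanning out across an unusual number of distinct data stores quickly.
All events and baselines below are constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry).
# Each tuple: (ISO timestamp, user, event_type, target_or_query).
SAMPLE_EVENTS = [
    ("2025-05-01T09:02:00", "jdoe",   "search", "quarterly sales deck"),
    ("2025-05-01T09:05:00", "jdoe",   "access", "sharepoint:/sales/decks"),
    ("2025-05-01T13:10:00", "asmith", "search", "vpn setup guide"),
    ("2025-05-01T13:11:00", "asmith", "search", "MFA reset procedure"),
    ("2025-05-01T13:12:00", "asmith", "search", "network map"),
    ("2025-05-01T13:14:00", "asmith", "access", "sharepoint:/it/runbooks"),
    ("2025-05-01T13:15:00", "asmith", "access", "slack:#infra"),
    ("2025-05-01T13:16:00", "asmith", "access", "teams:IT-Ops"),
    ("2025-05-01T13:17:00", "asmith", "access", "fileshare:corp-backups"),
    ("2025-05-01T13:18:00", "asmith", "access", "vcenter:prod-cluster"),
    ("2025-05-01T13:19:00", "asmith", "access", "sharepoint:/hr/payroll"),
]

# Constructed per-user baseline: the number of distinct data stores the
# account normally touches within any 30-minute window (hypothetical;
# a real deployment would derive this from weeks of history).
BASELINE_DISTINCT_STORES = {"jdoe": 2, "asmith": 2}

# Keywords the article names as reconnaissance targets, plus VMware terms.
RECON_KEYWORDS = ("vpn", "mfa", "network map", "vcenter", "vmware")


def parse(events):
    """Convert raw tuples into (datetime, user, kind, target) tuples."""
    return [(datetime.fromisoformat(ts), user, kind, target)
            for ts, user, kind, target in events]


def flag_recon_searches(events, keywords=RECON_KEYWORDS):
    """Return (user, query) pairs for searches that hit a recon keyword.
    Matching is case-insensitive substring matching on the query text."""
    hits = []
    for _, user, kind, target in parse(events):
        if kind != "search":
            continue
        query = target.lower()
        if any(keyword in query for keyword in keywords):
            hits.append((user, target))
    return hits


def flag_data_store_fanout(events, baseline, window=timedelta(minutes=30), factor=2):
    """Return {user: peak_distinct_stores} for users whose distinct data-store
    accesses inside any sliding window exceed factor x their baseline."""
    per_user = defaultdict(list)
    for ts, user, kind, target in parse(events):
        if kind == "access":
            per_user[user].append((ts, target))

    flagged = {}
    for user, accesses in per_user.items():
        accesses.sort()  # chronological order so the window scan is simple
        peak = 0
        for i, (start, _) in enumerate(accesses):
            # Distinct stores touched from this access until the window closes.
            stores = {t for ts, t in accesses[i:] if ts - start <= window}
            peak = max(peak, len(stores))
        if peak > factor * baseline.get(user, 1):
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, query in flag_recon_searches(SAMPLE_EVENTS):
        print(f"[recon-search] {user}: {query!r}")
    for user, peak in flag_data_store_fanout(SAMPLE_EVENTS, BASELINE_DISTINCT_STORES).items():
        print(f"[fan-out] {user} touched {peak} distinct stores in one window")
```

Run as a script, the constructed data flags `asmith` on both rules while `jdoe`, whose single search and single access look like ordinary work, stays quiet. The point is less the specific thresholds than the pairing: a keyword hit alone generates noise from IT staff, and a fan-out alone can be a legitimate project kickoff, but the same account doing both within minutes of an authentication is the pattern the experts above describe.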

Don’t pay the ransom

In the case of Scattered Spider’s hacking of the two casino operators in 2023, Caesars emerged relatively unscathed because it paid the demanded ransom of $15 million, while MGM Resorts, which didn’t pay the ransom, got hosed for $145 million in expenses and class-action lawsuit payments, among other costs.

However, experts say that despite these examples, it’s a bad idea to pay Scattered Spider a ransom if they successfully encrypt files and steal valuable data.

“We know that paying that ransom just incentivizes them,” Lumifi’s Hamilton said. “It gives them money to keep doing what they’re doing.”

Moreover, “It is often faster to restore from backups,” he added. “If you have good controls in place, you have immutable backups, and you have processes, and you know exactly what the order of things to come back up is, you can do that faster than you can apply a decryption key, which many times doesn’t work very well.”

“If you pay that ransom, they could still absolutely put all of your data on the internet because these are children and they are outrageous individuals,” Silent Push’s Edwards said. “The decryption keys may not work. And paying definitely doesn’t guarantee that the data won’t leak. It’s not a guarantee in any way.”

Originally published by CSO Online: How CISOs can defend against Scattered Spider ransomware attacks.