What you need to know about Scattered Spider: The ransomware gang causing chaos in UK retail
The Origins of Scattered Spider
In September 2023 an attack on MGM Resorts was claimed by the ALPHV/BlackCat ransomware gang, but the initial access was gained by an English-speaking hacker who socially engineered MGM’s helpdesk into resetting an employee’s password. The Cohesity Data Security Alliance partner CrowdStrike dubbed this group “Scattered Spider”. Scattered Spider were also responsible for the attack on Caesars Entertainment, where the company paid around half of a $30 million ransom demand to the group to prevent the release of data stolen during the attack.
Scattered Spider’s origins lie in a group known as “The Community”, most frequently shortened to “The Com”. The name reflects the fact that, rather than being a single homogeneous group, The Com is more like a distributed cybercriminal social network whose members can form into groups to collaborate on particular cyber actions. The Com have also been implicated in a variety of unsavoury activities outside of ransomware, such as cyber bullying, stalking and harassment of vulnerable teenagers, coercing them into filming themselves self-harming, killing their pets and producing child sexual exploitation material. The implications of a group with such warped morals moving into the ransomware criminal marketplace should not be underestimated.
One member of Scattered Spider, who went by the moniker Holy, was a British 17-year-old arrested by West Midlands Police for his part in the attack on MGM. As is common with members of cybercriminal groups, Holy had been involved in other groups prior to joining Scattered Spider, most notably LAPSUS$, whose leaked chat logs showed they had been involved in attacks on technology companies such as Electronic Arts, Microsoft, NVIDIA, Okta, Samsung and T-Mobile.
Other groups affiliated with The Com were involved in the 2024 theft of large amounts of data from customer accounts on the Snowflake cloud data platform. A large number of enterprises had uploaded huge quantities of sensitive and regulated data to the Snowflake platform without protecting it with strong authentication. This group trawled cybercrime forums for stolen Snowflake credentials and used the technique of credential stuffing to gain access to, and steal data from, over 160 customer accounts belonging to high-profile businesses including AT&T, Ticketmaster, LendingTree, Advance Auto Parts, Neiman Marcus and Santander Bank. Cohesity Data Security Alliance partner Mandiant named this group UNC5537 and reported that these companies had been approached to pay a ransom to prevent the publication of the stolen data. A member of UNC5537 frequently featured on The Com’s list of the “100 richest SIM-swappers”; SIM swapping is a technique used to gain initial access to systems, access that can later either be leveraged to deploy ransomware or sold to ransomware operators by organisations known as “Initial Access Brokers”. This user had previously been a member of a cybercriminal group known as Beige. Beige have been implicated in voice phishing (“vishing”) attacks during the Covid pandemic and in an attack on GoDaddy that redirected traffic from tens of thousands of its customers to a cryptocurrency scam.
By 2023, overlaps between the activities of the largely English-speaking Scattered Spider and The Com communities and the Russian-speaking ransomware gang ALPHV/BlackCat were becoming clear. In the attack on Reddit, the initial-access tools, techniques and procedures typical of Scattered Spider were seen to facilitate a ransomware attack later claimed by ALPHV/BlackCat. This implies that Scattered Spider was either operating as an Initial Access Broker for an ALPHV/BlackCat affiliate, or was itself operating as an affiliate of the ALPHV/BlackCat Ransomware-as-a-Service platform.
The 2025 reemergence of Scattered Spider
Scattered Spider exists within this context of the broader cybercriminal community, where members from different groups collaborate, migrate or align. After the attacks on MGM and Caesars in September 2023 there was a lull in Scattered Spider’s activity, with the group instead providing support to other criminal gangs, but in April 2025 several British retailers, including Harrods and Marks & Spencer, appear to have had operations disrupted by the group. In the attack on Marks & Spencer, initial access appears to have been gained in February 2025, after which the company’s Active Directory database was stolen; the adversaries then dwelled for months before eventually deploying the DragonForce ransomware encryptor on 24 April 2025.
How Scattered Spider conduct attacks
One of the most notable things about Scattered Spider is their adeptness at social engineering, defence evasion and advanced persistence mechanisms.
Evasion of cybersecurity tools like Endpoint Detection and Response (EDR) is commonplace across most Ransomware-as-a-Service platforms, rendering organisations blind to new and ongoing attacks. A common technique used by the group is Bring Your Own Vulnerable Driver (BYOVD): a legitimately signed but exploitable kernel-mode driver is loaded onto the host and its vulnerability is abused to execute code in the kernel, from where the adversary terminates the protected processes of security solutions that no ordinary user-mode process could kill.
Scattered Spider’s capabilities in evasion extend beyond those common to other ransomware gangs and include targeting weak implementations of Identity & Access Management and Single Sign-On solutions, including Okta. Scattered Spider have been known to socially engineer mobile phone helpdesks or SIM replacement portals in order to conduct a “SIM swapping” attack, taking control of the target’s phone number. This gives them access to the target’s SMS messages, including two-factor authentication codes. Scattered Spider are also known to send bulk phishing links via SMS posing as SSO login portals in order to capture valid credentials.
Once inside a victim’s infrastructure, Scattered Spider are highly proficient at “living off the land” in enterprise Windows environments, all major cloud providers and virtualised infrastructure, using the organisation’s own IT capabilities to mask the progression of the attack. This also lets them keep their persistence when an organisation reverts to a backup snapshot without first investigating and remediating the threats found.
Scattered Spider attack tactics and techniques
Initial Access (TA0001)
SMS Phishing (T1660) and Spearphishing Voice (T1566.004), posing as the victim organisation’s IT support staff to convince employees to install Remote Access Software (T1219) or otherwise run an attacker-supplied application (User Execution, T1204).
This software has included common legitimate IT remote access and management tooling such as Fleetdeck.io, Level.io, Pulseway, ScreenConnect, Splashtop, Tactical RMM, Tailscale and TeamViewer.
Scattered Spider have also been observed to use common malware variants such as the AveMaria/WarZone (S0670) Remote Access Trojan (RAT) and the Raccoon Stealer (S1148) and Vidar Stealer information stealers, capable of stealing data including login credentials (TA0006), browser history (T1217) and cookies (T1539).
Multi-Factor Authentication (MFA) fatigue (Multi-Factor Authentication Request Generation, T1621), where they send repeated authentication requests to the end user for approval, prompting the user to eventually approve one just to stop the barrage of prompts on their mobile device or computer.
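The push-bombing pattern described above shows up clearly in an identity provider’s MFA logs as a burst of denied or timed-out pushes for one user, sometimes ending in an approval. The following detection logic is an added example, not code from the original article or from any vendor; it runs over a few constructed log lines in an assumed, vendor-neutral schema (ts, user, result), so you would map your own IdP’s push-challenge events onto those three fields. The thresholds (five rejections in ten minutes, an approval within fifteen minutes of the burst) are assumptions to tune.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed push-notification outcomes for two users (not real log data).
# Field names are an assumed vendor-neutral schema.
SAMPLE_MFA_EVENTS = [
    {"ts": "2025-04-14T02:10:05Z", "user": "j.doe", "result": "denied"},
    {"ts": "2025-04-14T02:10:40Z", "user": "j.doe", "result": "timeout"},
    {"ts": "2025-04-14T02:11:20Z", "user": "j.doe", "result": "denied"},
    {"ts": "2025-04-14T02:12:02Z", "user": "j.doe", "result": "denied"},
    {"ts": "2025-04-14T02:12:45Z", "user": "j.doe", "result": "timeout"},
    {"ts": "2025-04-14T02:13:30Z", "user": "j.doe", "result": "denied"},
    {"ts": "2025-04-14T02:14:10Z", "user": "j.doe", "result": "approved"},  # user gives in
    {"ts": "2025-04-14T09:00:00Z", "user": "a.smith", "result": "denied"},  # one mis-tap
    {"ts": "2025-04-14T09:00:30Z", "user": "a.smith", "result": "approved"},
]

REJECTED = {"denied", "timeout"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, min_rejections=5, window=timedelta(minutes=10),
                       approval_grace=timedelta(minutes=15)):
    """Flag users who rejected or ignored >= min_rejections pushes inside `window`.

    A burst followed by an approval within `approval_grace` is the worst case:
    the attacker already held a valid password and has now been let in.
    """
    by_user = defaultdict(list)
    for ev in events:
        by_user[ev["user"]].append((parse_ts(ev["ts"]), ev["result"]))

    findings = []
    for user, evs in by_user.items():
        evs.sort()
        rejections = [t for t, r in evs if r in REJECTED]
        approvals = [t for t, r in evs if r == "approved"]

        # Sliding window over the rejection timestamps; keep the densest burst.
        best = None
        start = 0
        for end in range(len(rejections)):
            while rejections[end] - rejections[start] > window:
                start += 1
            count = end - start + 1
            if count >= min_rejections and (best is None or count > best[0]):
                best = (count, rejections[start], rejections[end])
        if best is None:
            continue

        count, first, last = best
        approved_after = any(last <= a <= last + approval_grace for a in approvals)
        findings.append({
            "user": user,
            "rejections": count,
            "burst_start": first.isoformat(),
            "burst_end": last.isoformat(),
            "approved_after_burst": approved_after,
            "severity": "critical" if approved_after else "high",
        })
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_MFA_EVENTS):
        print(finding)
```

On the sample data the single mis-tap by a.smith is ignored, while j.doe’s six rejections in under four minutes followed by an approval produce one critical finding. A burst that never ends in an approval is still worth a high-severity alert, because it tells you that user’s password is already in the attacker’s hands.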
SMS Phishing (T1660) techniques to get the user to follow links to specially crafted fake domains that resemble the real organisation in order to capture credentials. These include:
[VICTIM ORGANISATION NAME]-sso.com
[VICTIM ORGANISATION NAME]-servicedesk.com
[VICTIM ORGANISATION NAME]-okta.com
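The lure-domain pattern above lends itself to a simple brand-monitoring check over newly registered domains or certificate-transparency log entries. The following is an added example, not code from the original article or from any vendor: it reduces a domain to its registrable label, matches the [org]-sso / [org]-servicedesk / [org]-okta shape reported above, and tolerates small misspellings of the organisation name using a similarity ratio. The organisation names, the sample domain feed, the two-label public suffix set and the 0.8 threshold are assumptions made for the example.

```python
import re
from difflib import SequenceMatcher
from typing import Optional

# Organisation names to protect (constructed for this example).
ORGANISATIONS = ("acme", "contoso")

# Suffixes reported in Scattered Spider lure domains (from the list above).
LURE_SUFFIXES = ("sso", "servicedesk", "okta")

# Two-label public suffixes handled by registrable_label(); extend for your own
# TLD footprint (assumption; a full public-suffix list is the robust option).
TWO_LABEL_SUFFIXES = {"co.uk", "org.uk", "com.au"}

# <org><optional separator><suffix>, anchored to the whole registrable label.
_LURE_RE = re.compile(
    r"^(?P<org>[a-z0-9-]+?)[-_]?(?P<suffix>" + "|".join(LURE_SUFFIXES) + r")$"
)


def registrable_label(domain: str) -> str:
    """Label left of the public suffix: 'acme-sso' for 'login.acme-sso.com'."""
    labels = domain.lower().strip().rstrip(".").split(".")
    if len(labels) >= 3 and ".".join(labels[-2:]) in TWO_LABEL_SUFFIXES:
        return labels[-3]
    return labels[-2] if len(labels) >= 2 else labels[0]


def org_similarity(token: str) -> tuple:
    """Closest protected organisation name and its similarity ratio (1.0 = identical)."""
    scored = [(SequenceMatcher(None, token, org).ratio(), org) for org in ORGANISATIONS]
    ratio, org = max(scored)
    return org, ratio


def classify_domain(domain: str, threshold: float = 0.8) -> Optional[dict]:
    """Return a finding if the domain looks like <org>-<sso|servicedesk|okta>, else None."""
    match = _LURE_RE.match(registrable_label(domain))
    if not match:
        return None
    org, ratio = org_similarity(match.group("org").strip("-"))
    if ratio < threshold:
        return None
    return {"domain": domain, "org": org, "suffix": match.group("suffix"),
            "similarity": round(ratio, 2)}


def find_lure_domains(domains, threshold: float = 0.8) -> list:
    return [hit for d in domains if (hit := classify_domain(d, threshold)) is not None]


# Constructed feed of newly observed domains: four lures and three legitimate names.
SAMPLE_DOMAINS = [
    "acme-sso.com",
    "acmesso.com",
    "acme1-servicedesk.com",
    "login.contoso-okta.co.uk",
    "acme.com",
    "sso.acme.com",
    "bigcorp-sso.com",
]

if __name__ == "__main__":
    for hit in find_lure_domains(SAMPLE_DOMAINS):
        print(hit)
```

Note that sso.acme.com is not flagged: the suffix check is applied to the registrable label only, so the organisation’s own subdomains pass while acme-sso.com and acmesso.com do not. Raise the threshold if the organisation name is short enough that unrelated words score highly against it.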
SIM Swapping (T1451) attacks against users in the victim organisation who responded to the smishing/vishing, using open source intelligence both to target the most valuable users and to gather information likely to be used in password-reset questions.
Defense Evasion (TA0005)
Impersonation (T1656) to contact the victim organisation’s IT help desk to reset passwords and/or Multi-Factor Authentication tokens.
Disable or Modify Tools (T1562.001) such as Endpoint Detection and Response (EDR) and anti-virus by deploying a vulnerable, signed device driver. Because the driver executes in kernel mode, exploiting it gives the adversary kernel-level code execution, which is used to blind the security and IT tooling to malicious activity.
Credential Access (TA0006)
As mentioned in Initial Access above, Scattered Spider use SMS Phishing (T1660) and Spearphishing Voice (T1566.004) techniques to capture valid credentials.
Scattered Spider use Mimikatz for OS Credential Dumping of LSASS Memory (T1003.001), which dumps credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS), including the credentials of any domain administrators who have logged on to the host.
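Both of the endpoint techniques above, the vulnerable-driver load under Defense Evasion and the LSASS dump here, leave a distinctive trace in Sysmon telemetry: Event ID 6 (DriverLoad) records the driver’s hash and signature, and Event ID 10 (ProcessAccess) records which process opened a handle to lsass.exe and with what access mask. The code below is an added example, not code from the original article or from any vendor. It runs two rules over constructed Sysmon-style events using the field names Sysmon emits; the block-list hash and driver name are placeholders (in practice the set is populated from the Microsoft vulnerable driver block list), and the allowlist of processes permitted to read LSASS is an assumption to tune per estate.

```python
# Access-mask bits on OpenProcess that allow reading or tampering with LSASS memory.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_READ = 0x0010
PROCESS_VM_WRITE = 0x0020
SENSITIVE_LSASS_ACCESS = (PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION
                          | PROCESS_VM_READ | PROCESS_VM_WRITE)

# Processes that legitimately open LSASS with these rights (placeholder, tune per estate).
LSASS_SOURCE_ALLOWLIST = ("\\msmpeng.exe", "\\csrss.exe", "\\wininit.exe", "\\services.exe")

# Placeholder hash, not a real driver. Populate from the Microsoft vulnerable
# driver block list rather than hand-maintaining it.
BLOCKED_DRIVER_SHA256 = {"0123456789abcdef" * 4}

# Constructed Sysmon-style events (EventID 6 = DriverLoad, 10 = ProcessAccess).
SAMPLE_SYSMON = [
    {"EventID": 6, "EventData": {
        "ImageLoaded": "C:\\Windows\\Temp\\drv\\vuln_example.sys",
        "Hashes": "MD5=" + "cd" * 16 + ",SHA256=" + "0123456789abcdef" * 4,
        "Signed": "true", "Signature": "Example Hardware Ltd", "SignatureStatus": "Valid"}},
    {"EventID": 6, "EventData": {
        "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys",
        "Hashes": "SHA256=" + "ab" * 32,
        "Signed": "true", "Signature": "Microsoft Windows", "SignatureStatus": "Valid"}},
    {"EventID": 10, "EventData": {
        "SourceImage": "C:\\Users\\Public\\mk.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1010"}},
    {"EventID": 10, "EventData": {
        "SourceImage": "C:\\ProgramData\\Microsoft\\Windows Defender\\Platform\\4.18\\MsMpEng.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1410"}},
    {"EventID": 10, "EventData": {
        "SourceImage": "C:\\Windows\\System32\\svchost.exe",
        "TargetImage": "C:\\Windows\\system32\\lsass.exe",
        "GrantedAccess": "0x1000"}},  # PROCESS_QUERY_LIMITED_INFORMATION only
]


def parse_hashes(field: str) -> dict:
    """Turn Sysmon's 'MD5=..,SHA256=..' string into {ALGO: lowercase hex}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def check_driver_load(data: dict):
    """EID 6: a valid signature does not make a driver safe; check hash, signature and path."""
    image = data["ImageLoaded"]
    sha256 = parse_hashes(data.get("Hashes", "")).get("SHA256")
    if sha256 in BLOCKED_DRIVER_SHA256:
        return {"rule": "blocklisted_driver_loaded", "image": image,
                "signer": data.get("Signature"), "severity": "critical"}
    if data.get("SignatureStatus") != "Valid" or data.get("Signed", "").lower() != "true":
        return {"rule": "driver_without_valid_signature", "image": image, "severity": "high"}
    if not image.lower().startswith("c:\\windows\\system32\\drivers\\"):
        return {"rule": "driver_loaded_from_unusual_path", "image": image, "severity": "medium"}
    return None


def check_lsass_access(data: dict):
    """EID 10: flag LSASS handles carrying read/write/thread rights from non-allowlisted sources."""
    if not data["TargetImage"].lower().endswith("\\lsass.exe"):
        return None
    mask = int(data["GrantedAccess"], 16)
    if not mask & SENSITIVE_LSASS_ACCESS:
        return None
    if data["SourceImage"].lower().endswith(LSASS_SOURCE_ALLOWLIST):
        return None
    return {"rule": "lsass_memory_access", "source": data["SourceImage"],
            "granted_access": hex(mask), "severity": "critical"}


def scan(events) -> list:
    findings = []
    for ev in events:
        if ev["EventID"] == 6:
            hit = check_driver_load(ev["EventData"])
        elif ev["EventID"] == 10:
            hit = check_lsass_access(ev["EventData"])
        else:
            hit = None
        if hit:
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_SYSMON):
        print(finding)
```

Mimikatz typically requests 0x1010 (PROCESS_VM_READ plus PROCESS_QUERY_INFORMATION) or a full 0x1FFFFF, so the rule keys on the memory-access bits rather than on an exact mask; the svchost.exe event with 0x1000 is ignored because query-only rights cannot read credential material. Keep the allowlist short and path-qualified, since an attacker who has already blinded the EDR can name a binary MsMpEng.exe.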
Persistence (TA0003)
At this point of the attack, Scattered Spider will have registered their own Multi-Factor Authentication tokens (T1556.006 and T1606). They then add a federated identity provider to the victim’s Single Sign-On tenant and activate automatic account linking by modifying the domain trust (T1484.002), allowing Scattered Spider to sign into any matching SSO account. Because the threat actors now control an identity provider, they can continue to log in even if passwords are changed (T1556.006).
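The help-desk reset under Defense Evasion, the attacker’s MFA enrolment and the federation change above form one sequence in the identity provider’s audit log, and it is the sequence, not any single event, that should page the on-call analyst. The following is an added example, not code from the original article or from any vendor: a two-stage detector run over constructed audit records. The activity strings are modelled on Entra ID audit log display names as an assumption and must be checked against your tenant’s real log before use; the corporate IP range, the one-hour window and the sample records are likewise assumptions made for the example.

```python
import ipaddress
from datetime import datetime, timedelta

# Constructed Entra-style audit records (not real log data). Times are UTC.
SAMPLE_AUDIT = [
    {"ts": "2025-04-14T09:02:11Z", "activity": "Reset user password",
     "actor": "helpdesk-1@corp.example", "target": "m.jones@corp.example", "ip": "10.0.5.23"},
    {"ts": "2025-04-14T09:09:40Z", "activity": "User registered security info",
     "actor": "m.jones@corp.example", "target": "m.jones@corp.example", "ip": "203.0.113.77"},
    {"ts": "2025-04-14T11:30:00Z", "activity": "Set federation settings on domain",
     "actor": "m.jones@corp.example", "target": "corp.example", "ip": "203.0.113.77"},
    # Benign: routine reset followed by re-enrolment from the office network.
    {"ts": "2025-04-14T13:00:00Z", "activity": "Reset user password",
     "actor": "helpdesk-2@corp.example", "target": "p.ng@corp.example", "ip": "10.0.5.24"},
    {"ts": "2025-04-14T13:04:00Z", "activity": "User registered security info",
     "actor": "p.ng@corp.example", "target": "p.ng@corp.example", "ip": "10.0.6.9"},
]

CORPORATE_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]  # assumption
RESET_ACTIVITIES = {"Reset user password"}
MFA_ENROL_ACTIVITIES = {"User registered security info", "Admin registered security info"}
FEDERATION_ACTIVITIES = {"Set federation settings on domain", "Set domain authentication"}


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def is_corporate(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORPORATE_NETWORKS)


def detect_identity_takeover(records, window=timedelta(hours=1)) -> list:
    """Stage 1: help-desk reset then MFA enrolment from outside the corporate network.
    Stage 2: any federation change alerts; one by a stage-1 account is the persistence above."""
    recs = sorted(records, key=lambda r: parse_ts(r["ts"]))
    findings = []
    suspicious_users = set()

    for i, reset in enumerate(recs):
        if reset["activity"] not in RESET_ACTIVITIES:
            continue
        reset_time = parse_ts(reset["ts"])
        for later in recs[i + 1:]:
            if parse_ts(later["ts"]) - reset_time > window:
                break  # records are sorted, nothing later can be inside the window
            if (later["activity"] in MFA_ENROL_ACTIVITIES
                    and later["target"] == reset["target"]
                    and not is_corporate(later["ip"])):
                suspicious_users.add(reset["target"])
                findings.append({"rule": "reset_then_external_mfa_enrolment",
                                 "user": reset["target"], "reset_by": reset["actor"],
                                 "enrol_ip": later["ip"], "severity": "high"})

    for rec in recs:
        if rec["activity"] in FEDERATION_ACTIVITIES:
            linked = rec["actor"] in suspicious_users
            findings.append({"rule": "federation_settings_changed", "actor": rec["actor"],
                             "domain": rec["target"], "ip": rec["ip"],
                             "linked_to_takeover": linked,
                             "severity": "critical" if linked else "high"})
    return findings


if __name__ == "__main__":
    for finding in detect_identity_takeover(SAMPLE_AUDIT):
        print(finding)
```

On the sample data p.ng’s reset and re-enrolment from the office network produce nothing, m.jones’s enrolment from an external address after a help-desk reset is flagged, and the later federation change by the same account is escalated to critical. A federation change should alert even without stage 1, because there is rarely more than a handful of legitimate ones in a tenant’s lifetime.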
Privilege Escalation (TA0004)
As mentioned in Defense Evasion above, Scattered Spider exploit vulnerable, signed device drivers (T1068) to gain SYSTEM and kernel-level privileges.
As a federated identity provider under the control of the adversary has been added, they are able to log into any SSO account, including those with administrative privileges.
Scattered Spider have been observed to use the victim’s now-blinded End-Point Detection & Response (EDR) tools remote shell capabilities to execute commands on an end-point to further escalate privileges.
The remote access and management tooling and Remote Access Trojans installed during the Initial Access stage of the attack also continue to provide Scattered Spider with persistence in the victim infrastructure.
Discovery (TA0007)
Scattered Spider systematically search for backup servers to target in order to Inhibit System Recovery (T1490), SharePoint servers (T1213.002), credentials left in files (T1552.001), any VMware vCenter hypervisors (Remote System Discovery, T1018), and instructions for setting up or authenticating to the Virtual Private Networks (VPNs) used by the organisation.
Active Directory (AD) is enumerated (T1482).
Systems are searched for code repositories and code-signing certificates (T1083).
Scattered Spider then activate Amazon Web Services (AWS) Systems Manager Inventory (T1538) to discover additional targets for lateral movement.
Lateral Movement (TA0008)
Collection (TA0009)
Scattered Spider threat actors deploy extract, transform and load (ETL) tools to collect data from multiple sources onto a system identified for staging (T1074) inside the victim’s infrastructure.
Exfiltration (TA0010)
Impact (TA0040)
Data Encrypted for Impact (T1486)
Scattered Spider deploy and detonate the DragonForce encryptor, encrypting the victim’s systems.
One striking thing about Scattered Spider that is worth calling out is the degree to which they go to hamper incident response and recovery efforts. They will often search the victim organisation’s Exchange mailboxes (T1114) and Teams and Slack conversations (T1213.005) looking for evidence that their intrusion has been discovered and for the steps the victim organisation is taking to investigate and evict them. They have even been known to eavesdrop on calls and teleconferences held by the incident response and recovery teams, gaining insight into how far the investigation has progressed and proactively developing new avenues of intrusion in response.
How to build resilience to Scattered Spider
Ensure your organisation has backed up critical data and protected that backup with multiple layers of defence to mitigate the risk from advanced and adaptive criminal adversaries such as Scattered Spider that have the capabilities to compromise administrative accounts. This includes the immutability, separation of duties, least privilege, strong authentication and vaulting capabilities of modern data management platforms like Cohesity DataProtect.
Implement phishing-resistant Multi-Factor Authentication to mitigate the risk of identity-based attacks such as SMS smishing, SIM swapping and other forms of social engineering used by Scattered Spider.
Conduct proactive threat hunting looking for Indicators of Compromise of the early stages of a Scattered Spider attack using a capability that cannot be evaded by the techniques used by the group, such as Cohesity’s DataHawk.
Implement the Microsoft recommended driver block list to mitigate the risk of the Bring Your Own Vulnerable Device Driver attacks used by Scattered Spider to evade end-point security controls and escalate privileges.
Follow best practices to mitigate risk related to your organisation’s remote access solutions, such as remote desktop and virtual private networks.
Ask executives from your organisation to participate in a realistic ransomware simulation, such as the Cohesity Ransomware Resiliency Workshop, in order to understand the realities of building a resilient organisation through effective and efficient incident response and secure recovery.
Make sure that you have classified your data so that you are aware of your regulatory obligations. Solutions like Cohesity DataHawk can classify the unstructured data scattered across the organisation that threat actors like Scattered Spider proactively look for. In addition, the Cohesity Digital Jump Bag makes sure that your organisation can restore a trusted communication capability and provides rapid access to notification templates so your public relations and compliance teams can contact regulators, the press and impacted data subjects.
Ensure that the tooling and resources needed to respond to and recover from an incident conducted by an adversary such as Scattered Spider, one that is determined to maintain persistence and disrupt attempts to evict them, are rapidly available to your teams. The Cohesity Digital Jump Bag provides such a capability.
Implement an isolated response and recovery environment that allows your incident response and recovery teams the ability to investigate and remediate the advanced attack and persistence techniques used by an adversary group like Scattered Spider without them being able to eavesdrop or disrupt you. The Cohesity Clean Room solution provides this capability.
Microsoft have released a playbook that provides best practices for dealing with a Scattered Spider attack involving cloud infrastructure and Entra ID.
Undertake drills simulating an attack leveraging the same techniques as Scattered Spider documented here to test your complete end-to-end incident response and recovery capability, including people, process and technology. Cohesity customers can use DataProtect to clone production environments, allowing their penetration testers to conduct attacks as close as possible to a Scattered Spider attack, and the Cohesity Clean Room allows customers to conduct the full end-to-end identification, containment and eradication stages, taking a final recovery snapshot ready for clean restoration into production without any disruption to business operations. Use these drills to drive continual improvement in the people, process and technology required to deliver cyber resilience against advanced threat actors like Scattered Spider, and to build muscle memory so that the first time you face an attacker like this won’t be the first time your teams have dealt with an attack like this.
There is no doubt that Scattered Spider represents one of the most capable active ransomware gangs, yet organisations can build the appropriate level of cyber resilience to ensure that an attack from this threat actor causes a minimal amount of impact to operations. To understand how capable your organisation currently is in its ability to deal with attacks from adversaries like Scattered Spider, and how to build a roadmap to cyber resilience, consider undertaking a Destructive Cyberattack Resiliency Assessment.