
Shaking up the Ransomware Game: Introducing Scattered Spider

Scattered Spider has targeted a wide variety of victims since researchers began tracking them in 2022.

Authored by Ryan Chapman

On the June 2025 episode of the SANS Stay Ahead of Ransomware livestream, we explored the Scattered Spider threat group with special guest John Wood, IR Consulting Director with Palo Alto Networks Unit 42. John brought his 23 years of experience in computer intrusion investigation, split between his time in the FBI and working for IR consulting firms, and his experience working a multitude of Scattered Spider cases to the table, offering amazing insight into the threat group.

Who is Scattered Spider?

The threat group we call “Scattered Spider” is tracked by many names including but not limited to Muddled Libra (Palo Alto Networks), UNC3944 (Google Mandiant), Storm-0875 (Microsoft), Scattered Swine (Okta), Roasted 0ktapus (Group-IB), Starfraud, and more. They are a loosely organized group of technically skilled individuals originating out of a larger group known as The Community (typically referred to as “The Com”). The Com is believed to be composed of younger individuals, with typical member ages suspected to range from 13-25 years old. Yes, you read that correctly: The group includes a bevy of teenagers.

Some key facts about Scattered Spider:

  • Characteristics: Mostly English-speaking, very strong technically, and financially motivated
  • Geo-location: Believed to be composed primarily of members from the US, Canada, and UK
  • Victim Targeting: Employs persistent targeting of high-value targets. They are a “big game hunter” and do not follow the general “crime of opportunity” we see with many other ransomware gangs.
  • Social Engineering: Attacks the human element and targets multi-factor authentication (MFA) systems
    • They focus on MFA “bypass” methods including social engineering telcos to facilitate SIM swaps, Attacker-in-the-Middle (AitM) credential harvesting, and social engineering help desks to simply change MFA settings and reset account passwords
  • Resilient: Even after multiple arrests, including of their suspected leader in June of 2024, the group continues to operate

Who Does Scattered Spider Target?

Scattered Spider has targeted a wide variety of victims since researchers began tracking them in 2022. The group seemingly chooses a given vertical and then “big game hunts” specific organizations aligned with their chosen vertical. For example, some of the larger verticals targeted include:

  • 2022: Telecom providers and business process outsourcing (BPO) organizations
  • 2023: Financial sector targets including the gaming industry
  • 2024: Health and Security-as-a-Service (SaaS) providers
  • 2025: UK-based retailers

As for user account targeting, Scattered Spider often focuses on high-level IT users. Their goal is to obtain access to highly privileged accounts that will provide them with the biggest bang for their buck. For example, they will research IT administrators, data center analysts, and other high-profile users that can obtain access to a wide variety of IT systems and services upon gaining access to the victim organization.

How Does Scattered Spider Relate to the Ransomware Realm?

Scattered Spider began with clear financial motives, targeting organizations with cryptocurrency stores. Then in 2023, the group began aligning with a variety of Ransomware-as-a-Service (RaaS) groups. The following is a timeline of Scattered Spider’s RaaS group alignments:

  • 2023: ALPHV/BlackCat
  • 2024: RansomHub and Qilin
  • 2025: DragonForce

How Has Scattered Spider Shaken up the Ransomware World?

Identification of a ransomware incident may be considered the worst day for any victim organization and their respective employees. However, for those of us working in the incident response consulting realm, ransomware has become a game of slow-pitch softball. We generally see the same or similar tooling and tactics, techniques, and procedures (TTPs) from case to case.

Responding to Scattered Spider cases requires a broader, more complex incident response strategy due to their wide-ranging operations and sophisticated tactics. Rather than simply getting in, escalating privileges, gathering credentials, moving laterally to domain controllers, exfiltrating data from various endpoints, and then deploying a ransomware payload, Scattered Spider is prone to accessing many more applications, services, and systems during their attack cycle.

As John notes, Scattered Spider will attempt to gain access to a victim organization’s Single Sign-On (SSO) provider in order to access a wide variety of systems and services. Examples of systems that the group targets include, but are not limited to:

  • Data and Control Planes
    • Do you have an E/XDR system? Scattered Spider will attempt to gain access to your EDR systems. They are known to add their tools to allow lists, remove protection from various endpoints, and more.
  • Virtualization Platforms
    • Do you use ESXi, vCenter, or other virtualization platforms? The group will try to access these systems, which often provide greater access to your virtualized systems and the ability to create new virtual systems from which they can continue their attack.
  • Cloud Environments
    • Do you use Azure, GCP, and/or AWS? They will attempt to gain access to these systems, using them to identify data to exfiltrate, spin up virtual machines (which are often unmanaged), and identify additional targets for lateral movement.
  • Code Repositories
    • Do you use GitHub and/or GitLab? Scattered Spider will attempt to gain access to these systems to exfiltrate data and obtain secrets like API keys to further their lateral movement capabilities.
  • Database Management Systems
    • Do you use data warehouse systems such as Snowflake to unify and access your databases? Scattered Spider is known to access these types of systems to facilitate data exfiltration in bulk.

We digress here, but the overall idea is that when it comes to determining which systems need to be protected against a Scattered Spider attack, you should initially review any system accessible via your SSO system. This greatly expands the scope of these cases and will result in the need to create workstreams for each of these systems for your response teams.

Scattered Spider Prevention

As John notes, preventing Scattered Spider attacks can be a major effort for your organization. However, your goal should be to focus on initial access.

The following is a list of some of the tips that John and Ryan covered in this episode regarding prevention:

Security Awareness Training: A Key Component to Keep the Spider OUT of Your House!

  • Help Desk: As a key component of current day Scattered Spider tactics involves socially engineering your help desk, you should ensure that you provide security awareness training to your help desk team(s), be they internal, external, or a combination of the two.
  • End Users: Users cannot simply rely on visuals or “poor” language/grammar when it comes to spotting potential phishing. They need to pay careful attention to the domains they are accessing.
    • Pro tip: If a user’s password manager does not auto-fill a given site’s credentials, this may be a sign they are not accessing the real, legitimate site.

Help Desk Processes

  • Verification: What is your current help desk user verification process?
    • Scattered Spider does their research on targeted accounts. You should avoid using verification details that can be found easily via background checks, social media, etc.
      • For example, a user’s full name, email, employee ID, and previous phone number are not sufficient.
    • Video verification may be helpful, but it requires a database of user photographs. Also, be careful: We now live in the era of AI-powered attacks. Asking individuals to perform activities such as making specific hand and/or head gestures may help detect AI-produced video and/or avatars. This may sound silly, but it could be the difference required to save your organization.
  • Oversight: Requiring a secondary review before performing adjustments to MFA settings or password resets may be useful. This may also assist when the threat actor attempts to “pay off” an internal employee.
  • Intra-Team Communication: Scattered Spider is known to call a victim organization’s help desk multiple times to obtain pieces of the puzzle that they can then use to carry out their social engineering attack. The more your help desk employees communicate with one another, especially in reference to MFA changes and password resets, the better.

Brand Protection

  • As noted in the livestream, Scattered Spider likes to register domain names that include your organization’s trade/brand name(s) and may include prefixes or suffixes such as *-sso, *-vpn, *-okta, etc.
  • Do you currently implement brand protection services and/or open-source intelligence (OSINT) techniques to detect domain name registrations that might include your brand or trade names? If not, you may want to begin monitoring these registrations such that you can block them immediately upon registration.
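One way to turn the brand-monitoring advice above into a first-pass triage of newly registered domains. This is an added example, not code from the livestream or from SANS; the brand names, the owned-domain list, the sample feed and the extra affixes beyond -sso, -vpn and -okta are constructed placeholders.

```python
from collections import namedtuple

# Constructed brand/trade names for this example (use your own).
BRANDS = ("acme", "acmecorp")
# Affixes the post calls out (-sso, -vpn, -okta) plus two assumed extras;
# extend the tuple with whatever your own lookalike history suggests.
AFFIXES = ("sso", "vpn", "okta", "login", "helpdesk")
# Constructed list of domains you own, so they never get flagged.
OWNED = {"acme.com", "acmecorp.com"}

Finding = namedtuple("Finding", "domain brand affix severity")

def _registrable_label(domain):
    """Label left of the TLD (acme-sso.com -> 'acme-sso'). Crude: assumes a
    single-label public suffix; use a public-suffix library in production."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]

def check_domain(domain, brands=BRANDS, affixes=AFFIXES, owned=OWNED):
    """Return a Finding when a newly registered domain combines one of our
    brand names with a lookalike affix, or None if it looks unrelated."""
    d = domain.lower().strip(".")
    if d in owned or any(d.endswith("." + o) for o in owned):
        return None                      # our own infrastructure
    label = _registrable_label(d)
    # Longest brand first so 'acmecorp-okta' is attributed to 'acmecorp'.
    for brand in sorted(brands, key=len, reverse=True):
        if brand not in label:
            continue
        rest = label.replace(brand, "", 1).strip("-")
        if rest == "":
            return Finding(d, brand, None, "medium")   # bare brand, other TLD
        for affix in affixes:
            if affix in rest.split("-"):
                return Finding(d, brand, affix, "high")  # e.g. acme-sso
        return Finding(d, brand, None, "low")          # brand plus noise
    return None

def triage(new_domains):
    """Run check_domain over a feed of newly registered domains."""
    return [f for f in map(check_domain, new_domains) if f]

# Constructed sample feed: three lookalikes, one owned, one unrelated, one
# bare-brand registration on a TLD we do not hold.
SAMPLE_FEED = ["acme-sso.com", "acmevpn.net", "okta-acmecorp.io",
               "acme.com", "example.org", "acme.net"]

if __name__ == "__main__":
    for f in triage(SAMPLE_FEED):
        print(f"{f.severity:6} {f.domain:22} brand={f.brand} affix={f.affix}")
```

Feed the output into whatever you use to block or sinkhole, and treat "high" findings as candidates for takedown requests as well as blocking.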

Hardware Security Tokens

  • Since Scattered Spider uses AitM phishing kits, you might want to turn to hardware security tokens like FIDO2-compliant keys to avoid falling victim.

Visibility: Logging

  • Does your security team have unified access to logging from critical systems?
    • Cloud, code repositories, virtualization platforms, SSO, control and data planes, and more may come into play.

Endpoint Protection

  • Do you use E/XDR? Do you have such agents installed on all endpoints?
    • How about Linux and/or macOS?
    • We in the incident response consulting/threat hunting world often learn, typically mid-response, that a client organization does not have full deployment of their endpoint security agents. This makes response much more difficult and introduces visibility issues.
  • Speaking of logging and endpoint protection, are you monitoring authentication and login events to your E/XDR? If not, you may want to begin doing so.

Conditional Access Policies

  • Are you using and enforcing conditional access policies across your systems? Do you limit access to given geo-locations, user accounts, etc.? If not, you’ll want to start doing so.

Restricting Access

  • Do you have a list of cloud-sharing sites that are approved within your organization? If not, you should.
    • Are you blocking, and perhaps even alerting on attempted access to, any file sharing sites that are not approved?
  • Do you have a list of approved Remote Monitoring & Maintenance (RMM) tools?
    • Same as above. Are you blocking, and perhaps even alerting on attempted use of, RMM tools that are not approved?
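The two "block and alert" checks above, run as detection logic over proxy log lines. This is an added example, not code from the livestream or from SANS; the log format, the approved lists and the category lists (which stand in for your proxy's URL categorisation and your RMM inventory) are constructed placeholders.

```python
from collections import namedtuple

Alert = namedtuple("Alert", "kind host action line")

# Constructed approved lists (placeholders for your own sanctioned services).
APPROVED_SHARING = {"files.corp.example"}
APPROVED_RMM = {"rmm.corp.example"}
# Constructed category lists standing in for the proxy's URL categorisation
# and for an inventory of RMM vendor domains.
SHARING_HOSTS = {"files.corp.example", "filedrop.example", "bigshare.example"}
RMM_HOSTS = {"rmm.corp.example", "anyremote.example", "quickassist.example"}

def _under(host, domains):
    """True when host equals or is a subdomain of any entry in domains."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)

def classify(line):
    """Parse one constructed proxy log line ('ts src host action') and return
    an Alert for an unapproved file-sharing or RMM destination, else None.
    Blocked attempts are reported too: the attempt itself is the signal."""
    parts = line.split()
    if len(parts) != 4:
        return None                       # malformed line, skip
    ts, src, host, action = parts
    if _under(host, SHARING_HOSTS) and not _under(host, APPROVED_SHARING):
        return Alert("file-sharing", host, action, line)
    if _under(host, RMM_HOSTS) and not _under(host, APPROVED_RMM):
        return Alert("rmm", host, action, line)
    return None

def scan(lines):
    """Return alerts for every line that hits an unapproved destination."""
    return [a for a in map(classify, lines) if a]

# Constructed sample log: two sanctioned hits, one blocked attempt against an
# unapproved share, and one RMM download that the proxy let through.
SAMPLE_LOG = [
    "2025-06-03T14:01:02Z 10.0.5.21 files.corp.example ALLOWED",
    "2025-06-03T14:02:10Z 10.0.5.21 upload.bigshare.example BLOCKED",
    "2025-06-03T14:05:44Z 10.0.7.9 rmm.corp.example ALLOWED",
    "2025-06-03T14:06:01Z 10.0.7.9 dl.anyremote.example ALLOWED",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOG):
        print(f"[{a.kind}] {a.host} ({a.action}) <- {a.line}")
```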

Wrap-Up

While ransomware incidents can be a huge blow to your organization, an incident involving Scattered Spider can require even more time, put additional stress on your response team, and lead to even greater exposure to your organization’s data.

Learning More and Looking Forward

To learn more, we recommend that you watch the June 2025 episode of the SANS Stay Ahead of Ransomware livestream.

Join us on the first Tuesday of each month at 1:00 PM Eastern to take part in the SANS Stay Ahead of Ransomware show. Also, mark your calendars for our upcoming SANS DFIR Summit 2025 starting on July 24, 2025 (which includes online FOR528 training with Ryan following the Summit).

To learn more about preventing, detecting, and responding to ransomware, please check out our SANS FOR528: Ransomware and Cyber Extortion course.