In recent weeks, several prominent UK retailers have reportedly experienced cybersecurity incidents including ransomware attacks, leading to operational disruptions and data compromises.
While the exact circumstances are not publicly known, reports indicate that the attacks can be attributed to Scattered Spider with DragonForce ransomware being deployed to encrypt data and disrupt operations. As is common with 'double extortion' attacks, there are also indications that the cybercriminals have stolen data from the victim organisations, likely intending to use it as leverage to extort a ransom payment.
So, who are Scattered Spider and DragonForce?
Scattered Spider
Scattered Spider is a loosely affiliated collective of cybercriminals that first emerged in mid to late 2022. The group is characterised by its fluid structure, operating more as an informal network of individuals rather than a rigid, centralised organisation. Its members are believed to include native English-speaking threat actors, primarily based in the United States and the United Kingdom.
Though relatively new compared to more established cybercrime groups, Scattered Spider quickly distinguished itself through high-impact social engineering attacks and has been a persistent threat into 2024 and 2025.
They are known for employing social engineering tactics, such as phishing, employee impersonation and SIM swapping, to gain unauthorised access to corporate systems. Their operations have targeted various sectors, including Telecommunications, Retail and Entertainment.
As is often the case in threat actor tracking, Scattered Spider's activities have been attributed under multiple names by different cybersecurity organisations. Each vendor uses its own naming conventions to classify and report on the group’s operations. Notable aliases include:
- 0ktapus (Group-IB)
- G1015 (MITRE ATT&CK)
- Muddled Libra (Unit 42 – Palo Alto Networks)
- Octo Tempest / Storm-0875 (Microsoft)
- Scattered Spider (CrowdStrike)
- Scatter Swine (Okta)
- Star Fraud
- UNC3944 (Mandiant)
Despite the variety of names, these designations refer to the same or overlapping clusters of activity linked with this prolific group.
DragonForce
DragonForce is a cybercriminal group that originated as a hacktivist collective but has since evolved into a more financially motivated cybercrime operation. Emerging from the Malaysian hacktivist scene, DragonForce initially gained notoriety through politically motivated distributed denial-of-service (DDoS) attacks, website defacements and data leaks against organizations they deemed ideologically opposed.
Over time, the group’s focus has shifted from purely hacktivist causes to include profit-driven activities, such as ransomware attacks and data extortion. This pivot reflects a growing trend of hacktivist groups adopting cybercriminal tactics, blurring the lines between activism and organized cybercrime.
Since mid-2024, DragonForce has been observed collaborating with ransomware affiliates in a traditional ransomware-as-a-service (RaaS) model. On their TOR hosted blog, they refer to themselves as the “DragonForce Ransomware Cartel” and they advertise their service to “Partners” looking for “The best tools, the best conditions and above all the reliability of the partner.” Through their “Projects” offering they advertise an option to ‘White Label’ their malware and infrastructure allowing affiliates to employ their own branding.
As is common with many emerging RaaS operations, DragonForce ransomware tools have historically been based on leaked code associated with other large groups. Their first variant was based on a fork of the leaked LockBit 3.0/Black malware, and more recently they appear to use a customised version based on the Conti V3 source code.
Who do Scattered Spider and DragonForce target?
While recent headlines relating to Scattered Spider and DragonForce have been associated with the Retail sector, it should be noted that both have been associated with attacks against organisations in diverse industry sectors.
Scattered Spider have been known to perform waves of attacks against high-profile targets in specific sectors. In 2022, they were associated with compromises of Telecommunications and Technology companies; in late 2023 it was Hospitality and Gaming; and in early 2024 they were linked to a spate of attacks on Financial Institutions.
This approach has served to garner significant media attention as high-profile brands in related industries are hit in quick succession, but before long, the group moves on to other targets.
Given the Ransomware as a Service model employed by DragonForce, their victims are selected by their Affiliates. As a result, targets come from a diverse range of industries. A review of the victims listed on their Blog shows entities in almost every sector: Manufacturing, Real Estate and Transportation feature heavily, but there are also instances of Government Departments, Law Enforcement and Financial Services. There are some exceptions, however: as reported by Group-IB [reference], their rules prohibit “Attacks on hospitals, critical infrastructure, non-profit organisations, CIS countries, and former USSR countries.”
As such, the lessons learned from these recent incidents are certainly not confined to the Retail sector.
What can organisations do to protect against these threats?
The threat of Ransomware is considered one of the top cybersecurity threats worldwide and has been a growing concern for 10+ years.
DragonForce is certainly not unique; the steps required to defend against the initial access brokers and affiliates associated with this Ransomware as a Service operation are the same as those that apply to most similar ransomware groups. Similarly, while Scattered Spider are particularly adept at Social Engineering, it would be unwise to focus too heavily on these elements alone. Any security controls should form part of a broader strategy that addresses the full ransomware attack chain, from initial access through to data exfiltration and extortion.
Recommendations can therefore be categorised into Generic Recommendations for Ransomware Resilience/Defence and Specific Recommendations to address the techniques which have made Scattered Spider so successful.
Generic Recommendations
Incident Response Preparedness
With the best will in the world, it isn’t possible to prevent all incidents. Accepting this and ensuring you have an established, tested and practised Incident Response Plan is key to minimising the impact of an incident when it occurs.
Incident response plans should be reviewed and updated on a regular schedule (at least annually), following each incident where it is used, or after any significant change in the business environment or IT infrastructure. Incident response runbooks should be updated to address the evolving threat landscape to include Tactics, Techniques, and Procedures (TTPs) employed by threat actors.
Regular exercises and practice scenarios should be conducted to ensure that the team is prepared and that the plan remains effective and relevant. These can range from simple tabletop exercises to complex, full-scale simulations, ideally occurring at least annually.
Robust Backups & Disaster Recovery Plans
Ransomware attacks are designed to impact both the availability and confidentiality of an organisation’s data. By encrypting critical systems and threatening to leak stolen information, attackers apply maximum pressure to force payment.
Maintaining offline, immutable backups and having well-rehearsed recovery plans ensures that organisations can restore operations without succumbing to ransom demands.
Security of these backups is essential to ensure that they are available when they are needed. Threat actors often target backups, both to prevent them from being used to recover and as a convenient means to steal the organisation’s most prized data before threatening to leak it.
Employ Defence in Depth
No single security control can prevent all cyberattacks. Defence in Depth is the principle of applying multiple, complementary layers of security to protect against a wide range of threats. This layered approach reduces the chance of a successful attack and limits the damage if an attacker breaches the outer defences.
Each layer in a Defence in Depth strategy is designed to detect, delay, or disrupt an attacker’s progress. From perimeter security to identity management, endpoint protection, and data recovery, these layers work together to increase resilience and provide multiple opportunities to stop or contain an attack.
Patch and Vulnerability Management
Many ransomware groups capitalise on unpatched perimeter systems for initial access. A structured and proactive patch management process is essential to close these gaps before attackers can exploit them. This includes operating systems, applications and firmware.
Effective vulnerability management goes beyond just applying patches. It requires continuous asset discovery, risk-based prioritisation, and timely remediation of known vulnerabilities. Security teams should focus on vulnerabilities actively exploited in the wild and critical systems exposed to the internet.
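The risk-based prioritisation described above can be expressed as a simple, repeatable policy. The following is an added example, not code from the original post: it ranks findings so that vulnerabilities known to be exploited in the wild on internet-exposed assets are remediated first, and attaches a remediation deadline per tier. The finding records, the "known exploited" set (placeholder CVE identifiers) and the SLA values are all constructed sample data and assumed policy, not real advisories.

```python
"""Risk-based vulnerability prioritisation (added example).

Tiers: P1 = actively exploited AND internet-exposed; P2 = actively exploited,
or internet-exposed with a critical score; P3 = high/critical score elsewhere;
P4 = everything else. Deadlines per tier are assumed policy values.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Finding:
    asset: str
    cve: str               # vulnerability identifier (placeholder values below)
    cvss: float            # base score, 0-10
    internet_exposed: bool # reachable from the internet?
    published: date        # disclosure date; older findings rank earlier within a tier


# Constructed stand-in for a "known exploited vulnerabilities" feed.
KNOWN_EXPLOITED = {"CVE-0000-1111", "CVE-0000-3333"}

# Assumed remediation deadlines in days, by priority tier.
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}


def tier(f, exploited=KNOWN_EXPLOITED):
    """Assign a priority tier from exploitation status, exposure and score."""
    active = f.cve in exploited
    if active and f.internet_exposed:
        return "P1"
    if active or (f.internet_exposed and f.cvss >= 9.0):
        return "P2"
    if f.cvss >= 7.0:
        return "P3"
    return "P4"


def prioritise(findings, exploited=KNOWN_EXPLOITED, today=date(2025, 5, 1)):
    """Order findings by tier, then exposure, then score, then age, and attach
    the due date implied by the tier's SLA."""
    def sort_key(f):
        return (int(tier(f, exploited)[1]), not f.internet_exposed, -f.cvss, f.published)

    ranked = []
    for f in sorted(findings, key=sort_key):
        t = tier(f, exploited)
        due = today + timedelta(days=SLA_DAYS[t])
        ranked.append({"tier": t, "asset": f.asset, "cve": f.cve, "due": due.isoformat()})
    return ranked


# Constructed sample findings (asset names and CVE ids are placeholders).
SAMPLE_FINDINGS = [
    Finding("intranet-wiki", "CVE-0000-2222", 9.8, False, date(2025, 3, 10)),  # critical, internal -> P3
    Finding("vpn-gateway", "CVE-0000-1111", 7.5, True, date(2025, 4, 20)),     # exploited + exposed -> P1
    Finding("hr-portal", "CVE-0000-3333", 6.1, False, date(2025, 1, 5)),       # exploited, internal -> P2
    Finding("public-web", "CVE-0000-4444", 9.1, True, date(2025, 4, 1)),       # exposed + critical -> P2
    Finding("build-server", "CVE-0000-5555", 5.3, False, date(2025, 2, 14)),   # -> P4
]

if __name__ == "__main__":
    for row in prioritise(SAMPLE_FINDINGS):
        print(f"{row['tier']}  due {row['due']}  {row['asset']:14} {row['cve']}")
```

Note that a CVSS 9.8 on an internal host lands below a CVSS 7.5 that is both exploited and exposed; that inversion of "highest score first" is the point of risk-based prioritisation.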
Network Segmentation & Least Privilege
Ransomware groups rely on moving laterally through networks to escalate privileges and access high-value systems. Network segmentation limits this movement by dividing networks into controlled zones, reducing the attacker’s ability to reach critical assets if initial access is gained.
Least privilege access ensures users, systems, and applications only have the minimum permissions necessary to perform their functions. By restricting access rights, organisations reduce the potential damage an attacker can inflict using compromised credentials or accounts.
Identify Third Parties in Advance
Incident Response is resource intensive, and most organisations are not staffed to be able to respond to a major incident without outside assistance. Depending on the nature of an incident, you may need assistance from any or all of the following:
- External Legal Counsel;
- Specialist Digital Forensics Experts;
- PR/Crisis Communication Professionals;
- Ransom Negotiators;
- Notification and Call Centre Service Providers.
A major incident is not the time to be hunting for the best provider to assist you, working through redlines and jumping procurement hurdles. Having these providers identified in advance and integrated into your IR strategy is key to an expedient response.
Specific Recommendations (Scattered Spider Focused)
The success of Scattered Spider stems largely from advanced social engineering, SIM swapping, and helpdesk impersonation tactics. Their methods exploit identity verification weaknesses and abuse trusted access mechanisms. Specific recommendations to address these concerns include:
Strengthen Identity Verification for Helpdesk & Support Teams
Scattered Spider frequently targets IT helpdesks by impersonating employees and requesting password resets or MFA bypasses. Support staff should be educated about these threats, trained to recognise social engineering red flags and advised of the appropriate actions to take if such an attack is suspected.
Implementing identity verification protocols for all support interactions can help to combat these techniques. The use of call-back verification to known contacts, line manager approvals and limiting sensitive actions like password resets or account recovery to pre-approved, verifiable processes are all steps which can be taken.
Implement Phishing-Resistant MFA
Implementing and enforcing MFA, especially for privileged accounts and remote access, is a key control in defending against unauthorised access to systems. It helps to mitigate the risks associated with credential compromise by ensuring that a lost password is not enough to allow a threat actor to gain access to systems.
Scattered Spider has been known to circumvent traditional MFA using SIM swaps and social engineering. Phishing-resistant MFA methods such as FIDO2 hardware security keys or passkey authentication are preferable to SMS or phone-based MFA, which can be intercepted via SIM swaps.
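What makes FIDO2/WebAuthn phishing-resistant, where SMS and push codes are not, is that the relying party never receives a reusable code: it receives a signature over data that binds the login to the genuine site. The browser records the origin the page was loaded from in clientDataJSON, and the authenticator scopes the credential to the relying party ID, so an assertion obtained via a look-alike domain fails verification at the real site. The following is an added example, not code from the original post, showing the relying-party checks. The RP ID and origin are assumed values, and HMAC-SHA256 stands in for the credential's asymmetric signature so the example runs with the standard library; a real deployment verifies an ECDSA or RSA signature with the registered public key via a WebAuthn library.

```python
"""WebAuthn assertion verification, reduced to the checks that defeat phishing
(added example; HMAC stands in for the credential key pair)."""
import base64
import hashlib
import hmac
import json
import secrets

RP_ID = "example.com"                    # assumed relying party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed genuine origin


def b64url(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def make_auth_data(rp_id, user_present=True, user_verified=True):
    """authenticatorData = SHA-256(rpId) || flags || signCount (4 bytes)."""
    flags = (0x01 if user_present else 0) | (0x04 if user_verified else 0)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (1).to_bytes(4, "big")


def sign_assertion(cred_key, auth_data, client_data):
    """The authenticator signs authenticatorData || SHA-256(clientDataJSON).
    HMAC here is a stand-in for the real asymmetric signature."""
    msg = auth_data + hashlib.sha256(client_data).digest()
    return hmac.new(cred_key, msg, hashlib.sha256).digest()


def verify_assertion(cred_key, challenge, auth_data, client_data, signature,
                     rp_id=RP_ID, origin=EXPECTED_ORIGIN):
    """Relying-party checks, in the order the WebAuthn spec lists them.
    Returns (accepted, reason)."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(challenge):
        return False, "challenge mismatch (replay or stale)"
    if cd.get("origin") != origin:
        return False, f"origin {cd.get('origin')!r} not allowed"
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash mismatch"
    if not auth_data[32] & 0x01:
        return False, "user not present"
    expected = sign_assertion(cred_key, auth_data, client_data)
    if not hmac.compare_digest(expected, signature):
        return False, "bad signature"
    return True, "ok"


def simulate(origin_seen_by_browser, rp_id_used=RP_ID):
    """One login ceremony. The browser, not the user, fills in the origin, and the
    authenticator, not the page, fixes the RP ID; neither can be typed into a
    phishing form the way an SMS code can."""
    cred_key = b"constructed-credential-secret"  # stands in for the key pair
    challenge = secrets.token_bytes(32)           # issued by the relying party
    client_data = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url(challenge),
        "origin": origin_seen_by_browser,
    }).encode()
    auth_data = make_auth_data(rp_id_used)
    sig = sign_assertion(cred_key, auth_data, client_data)
    return verify_assertion(cred_key, challenge, auth_data, client_data, sig)


if __name__ == "__main__":
    print("genuine site:   ", simulate("https://example.com"))
    print("look-alike site:", simulate("https://example.com.evil.test"))
```

Relaying the look-alike assertion to the real site does not help the attacker either: the signed clientDataJSON still names the wrong origin, and a credential scoped to another RP ID produces the wrong rpIdHash.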
Monitor for SIM Swap & Account Takeover Attempts
Scattered Spider have been observed to use SIM swapping and account takeover techniques to bypass multi-factor authentication (MFA). Monitoring for these types of attacks is critical to protecting high-risk accounts and sensitive systems.
Organisations should work closely with mobile carriers to enable proactive controls that make SIM swap attacks harder to conduct and quicker to detect. The controls available vary from provider to provider, but Account PINs/Passwords, SIM Lock and Port Freeze capabilities make it more difficult for a SIM swap to be executed, while Port-Out Notification Services, where available, offer the opportunity for early detection if they are monitored.
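A port-out notification is only useful if something acts on it. The following is an added example, not code from the original post, of the kind of correlation a SOC can run: each carrier port-out notice is matched against identity-provider events for the same user in the following 24 hours (password resets, MFA method changes, logins completed with SMS or voice MFA), and an alert is raised whose severity depends on whether such events followed. The log lines and field names are constructed for the example and do not reflect any real carrier or IdP format.

```python
"""Correlate carrier port-out notices with identity events (added example).
Log format and field names are constructed; adapt the parser to your sources."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one carrier feed and one IdP audit log, merged by time.
SAMPLE_LOG = """
2025-05-01T09:12:03Z carrier port_out_notice user=alice msisdn=+447700900123
2025-05-01T09:40:10Z idp mfa_method_changed user=alice method=sms
2025-05-01T09:41:30Z idp password_reset user=alice channel=helpdesk
2025-05-01T10:05:00Z idp login user=alice mfa=sms geo=new
2025-05-01T11:00:00Z idp login user=bob mfa=fido2
2025-05-02T12:00:00Z carrier port_out_notice user=carol msisdn=+447700900456
2025-05-03T13:00:00Z idp login user=carol mfa=fido2
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<source>\S+) (?P<event>\S+)(?P<kv>(?: \w+=\S+)*)$")

# IdP events that change how an account can be recovered or authenticated.
SENSITIVE = {"password_reset", "mfa_method_changed", "mfa_reset", "recovery_email_changed"}
WINDOW = timedelta(hours=24)  # assumed correlation window


def parse(log):
    """Turn the text log into dicts with a parsed timestamp and key=value fields."""
    events = []
    for line in log.strip().splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than fail the whole run
        fields = dict(kv.split("=", 1) for kv in m["kv"].split())
        events.append({
            "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "source": m["source"],
            "event": m["event"],
            **fields,
        })
    return events


def is_risky(e):
    """Sensitive account changes, or a login that relied on phone-based MFA."""
    if e["event"] in SENSITIVE:
        return True
    return e["event"] == "login" and e.get("mfa") in {"sms", "voice"}


def detect(log):
    """One alert per port-out notice. 'high' if phone-based MFA use or account
    recovery followed within the window, otherwise 'medium' (verify with the user)."""
    by_user = defaultdict(list)
    for e in parse(log):
        by_user[e.get("user")].append(e)

    alerts = []
    for user, evs in by_user.items():
        notices = [e for e in evs if e["source"] == "carrier" and e["event"] == "port_out_notice"]
        for n in notices:
            related = [e for e in evs
                       if e["source"] == "idp" and is_risky(e)
                       and n["ts"] <= e["ts"] <= n["ts"] + WINDOW]
            alerts.append({
                "user": user,
                "severity": "high" if related else "medium",
                "port_out_at": n["ts"].isoformat(),
                "events": [f"{e['ts'].isoformat()} {e['event']}" for e in related],
            })
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(a["severity"].upper(), a["user"], a["port_out_at"], a["events"])
```

Here alice's port-out is followed by an MFA method change, a helpdesk password reset and an SMS-backed login, so it is rated high; carol's notice stands alone and is rated medium for a call-back to the number previously on record. Either way, the port-out itself, not the later login, is the earliest signal available.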