In recent months, a wave of disruptive cyberattacks has swept across high-profile organisations in both the UK and the US, affecting sectors ranging from hospitality and telecommunications to finance and retail. Many of these incidents share a common thread: attribution to a threat actor known as SCATTERED SPIDER, a group now gaining notoriety for its aggressive use of social engineering and its partnership with the DragonForce ransomware-as-a-service (RaaS) operation.
Unlike traditional ransomware gangs that rely heavily on technical exploits or brute-force tactics, SCATTERED SPIDER stands out for its deeply manipulative approach. The group has repeatedly demonstrated its ability to impersonate employees, deceive IT support teams, and bypass multi-factor authentication (MFA) through cunning psychological tactics. Often described as “native English speakers,” they are suspected to operate in or have ties to Western countries, bringing a cultural fluency that makes their phishing and phone-based attacks alarmingly effective.
As law enforcement and cybersecurity professionals scramble to contain the fallout from recent attacks, one thing is clear: SCATTERED SPIDER is not just another ransomware affiliate. They represent a shift toward human-centric intrusion strategies, blending technical skill with social deception in a way that challenges even well-defended organisations.
This article takes a closer look at how SCATTERED SPIDER operates, the tools they use, including DragonForce RaaS and, most importantly, what practical steps individuals and organisations can take to reduce their exposure to this growing threat.

Image Credit: Crowdstrike
Who Is SCATTERED SPIDER?
SCATTERED SPIDER is the name given to a loosely affiliated cybercriminal group that has quickly gained attention for its highly targeted and persistent campaigns against major organisations. Believed to be active since at least 2022, the group is often classified as an Initial Access Broker (IAB) and affiliate actor, working both independently and in partnership with larger ransomware collectives, most notably the ALPHV/BlackCat operation.
What sets SCATTERED SPIDER apart is not just its technical acumen, but its expert use of social engineering, often executed in fluent English and with a level of cultural familiarity that suggests the group is likely based in or has strong ties to the US or UK. Unlike many ransomware actors operating out of Eastern Europe or Russia, SCATTERED SPIDER’s tactics are tailored to Western corporate environments, allowing them to convincingly impersonate staff, manipulate helpdesk personnel, and bypass traditional security barriers with unnerving ease.
The group’s motivation is primarily financial, but their techniques are unusually aggressive. Rather than simply deploying ransomware after gaining access, SCATTERED SPIDER takes the time to navigate internal systems, escalate privileges, and exfiltrate data, ensuring maximum impact and leverage during extortion. This has included threats to publicly leak sensitive data if ransoms aren’t paid, a tactic made easier by their ties to DragonForce RaaS, a ransomware service that offers data leak platforms and other tools to affiliates.
Notable incidents attributed to SCATTERED SPIDER include:
- The 2023 attack on MGM Resorts, which saw large-scale IT disruption across casinos and hotels in the US, was reportedly caused by a simple phone-based social engineering ploy.
- Intrusions into telecommunications and managed service providers, where they have targeted identity infrastructure such as Okta and Active Directory to pivot across networks.
- Disruption and data theft in the financial and insurance sectors, where highly sensitive customer and operational data were exfiltrated and held to ransom.
These campaigns reveal a group that is not only technically capable but strategically manipulative, leveraging trust, urgency, and insider knowledge to achieve access that many automated tools would struggle to obtain.
The Tools of the Trade: DragonForce RaaS
One of the key enablers of SCATTERED SPIDER’s recent success has been their alignment with DragonForce, a relatively new entrant in the expanding Ransomware-as-a-Service (RaaS) ecosystem. RaaS models have radically altered the cybercrime landscape. Much like SaaS (Software-as-a-Service) in the legitimate tech world, RaaS lowers the barrier to entry for less technically capable threat actors by offering turnkey ransomware toolkits, user-friendly dashboards, and profit-sharing agreements between developers and affiliates.

What Is DragonForce?
DragonForce is a commercially operated ransomware platform, complete with a slick user interface, customer “support” channels, and marketing-style updates promoting new features and obfuscation techniques. While it may not yet have the brand recognition of LockBit or BlackCat, it is gaining traction among cybercriminal groups for its reliability, speed, and aggressive encryption routines.
Its offerings typically include:
- Highly customisable payloads: Affiliates like SCATTERED SPIDER can tweak encryption settings, file extensions, and ransom notes to suit their targets.
- Data exfiltration modules: These facilitate double extortion, where files are stolen before encryption and used as additional leverage during ransom negotiations.
- Dark Web leak portals: Victim data is published or threatened with publication unless payment is made.
- Access to a central control panel: Affiliates can monitor infected machines, initiate encryption manually, and track ransom payments via cryptocurrency wallets.
These features allow threat actors to operate more like cybercrime startups than ad-hoc hacking collectives.
Why SCATTERED SPIDER Uses DragonForce
SCATTERED SPIDER’s strength lies in gaining initial access, often via phone-based social engineering or SIM-swapping tactics, rather than building their own ransomware from scratch. By outsourcing encryption and extortion capabilities to a RaaS provider like DragonForce, they focus on what they do best: manipulating people, navigating corporate networks, and extracting sensitive data.
In this partnership, DragonForce gains a capable affiliate who can deliver high-value access, and SCATTERED SPIDER gains a ready-made suite of tools to monetise their intrusions. This division of labour reflects a broader shift in cybercrime, one where specialisation and scalability are the name of the game.
DragonForce and the RaaS Economy
It’s important to understand that DragonForce is not an isolated actor. It is part of a wider criminal ecosystem where:
- Access brokers sell stolen credentials or remote access.
- Malware developers lease out payloads to trusted affiliates.
- Negotiators and money launderers offer “aftercare” services.
This ecosystem enables threat actors to operate like businesses, complete with hierarchical roles, profit-sharing models, and even internal dispute resolution mechanisms. In this context, SCATTERED SPIDER is not just a lone wolf but a well-placed operator within a highly coordinated cybercrime supply chain.
Why This Matters
The use of DragonForce by SCATTERED SPIDER highlights two alarming trends:
- Professionalisation of ransomware: You no longer need deep technical knowledge to execute devastating attacks; just access, confidence, and a few phone calls.
- Faster time-to-impact: With everything from encryption to extortion automated and streamlined, the time between compromise and ransom demand is shrinking rapidly, leaving organisations with little time to detect and respond.
As DragonForce continues to evolve and attract new affiliates, we are likely to see more actors adopt this model of rapid-access, rapid-extortion ransomware operations.

Image Credit: Kaspersky
Anatomy of an Attack: How SCATTERED SPIDER Operates
Understanding how SCATTERED SPIDER executes its attacks is crucial for organisations looking to strengthen their defences. Unlike many ransomware operators who rely on brute-force tactics or mass phishing campaigns, SCATTERED SPIDER favours precision, patience, and psychological manipulation.
Here’s a typical flow of operations observed in their campaigns:
1. Reconnaissance and Target Selection
The group begins by identifying high-value targets, often large enterprises in sectors such as telecommunications, financial services, and IT. They may purchase access to credentials or endpoint telemetry from Initial Access Brokers (IABs) or scrape publicly available information from LinkedIn, press releases, and social media to build detailed profiles of staff and infrastructure.
What makes this phase effective:
- Use of OSINT to identify staff names, departments, and third-party vendors.
- Focus on companies with complex IT environments and high tolerance for operational risk—prime candidates for extortion.
2. Initial Access via Social Engineering
Once they’ve identified the right entry point, SCATTERED SPIDER often deploys vishing (voice phishing) or phishing techniques to impersonate internal staff. In some cases, they call help desks pretending to be employees locked out of their accounts, requesting MFA resets or password changes.
This is where their native English and cultural familiarity give them a dangerous edge; they sound credible, confident, and urgent.
Common tactics:
- Impersonating IT staff or executives to pressure support teams.
- SIM-swapping or MFA fatigue attacks to intercept or bypass two-factor authentication.
- Spoofed email domains or compromised inboxes used for internal-style phishing.
3. Credential Harvesting and Privilege Escalation
Once inside, the group moves quickly to extract further credentials. Tools such as Mimikatz, Cobalt Strike, and legitimate Windows administration tools (e.g. PowerShell, PsExec) are used to escalate privileges and move laterally across the network.
They specifically look for access to:
- Identity infrastructure (Active Directory, Okta, Azure AD)
- Remote access tools (VPNs, RDP gateways, Citrix)
- Data repositories containing sensitive customer or business data
This phase may last hours or days, depending on the target’s size and the level of access achieved.
4. Data Exfiltration and Pre-Ransom Preparation
Before deploying ransomware, SCATTERED SPIDER usually exfiltrates a trove of sensitive data. This forms the basis of their double extortion strategy; even if a victim can restore from backups, they may still pay to prevent the public release of confidential files.
Common methods:
- Compressing and uploading files to cloud storage services or attacker-controlled servers
- Encrypting and staging data to avoid detection by DLP or antivirus tools
In some cases, the group leaves behind backdoors or admin accounts to retain long-term access or re-extort victims in the future.
5. Ransomware Deployment via DragonForce
Once exfiltration is complete and the environment is primed, SCATTERED SPIDER deploys DragonForce ransomware across the compromised network. The ransomware is configured to encrypt files rapidly and disrupt operations, sometimes including domain controllers and backup servers, to maximise impact.
Victims then receive a ransom note directing them to a Tor-based portal for negotiations. If payment isn’t made within a specified timeframe, stolen data is posted on a leak site associated with DragonForce.
Key Takeaways:
- SCATTERED SPIDER relies on human error as much as technical vulnerabilities.
- The group’s knowledge of Western IT environments makes it easier for them to blend in and manipulate systems and staff.
- Their multi-stage attack chain (access, escalation, exfiltration, encryption) is methodical and difficult to detect in real time.

Image Credit: Reeds Solicitors
Why SCATTERED SPIDER’s Approach Is Especially Dangerous
SCATTERED SPIDER doesn’t operate like a traditional ransomware crew. Their campaigns combine social engineering finesse with technical aggression, resulting in a hybrid threat model that blends cybercrime with tactics more often associated with espionage groups. Here’s why they stand out and why they’re so difficult to defend against.
1. Deep Impersonation and Real-Time Manipulation
Unlike typical phishing groups that rely on mass email blasts, SCATTERED SPIDER employs live, targeted deception. Their operators speak fluent, unaccented English and are adept at impersonating IT personnel, executives, or employees in distress.
They frequently call help desks or IT support lines, using:
- Personalised information gathered through OSINT
- Spoofed phone numbers and internal-sounding email addresses
- Calm, confident delivery to manipulate support staff in real time
This level of human-centred deception is rarely seen in conventional cybercrime campaigns and poses a serious challenge for security teams.
2. Precision Targeting of Identity Infrastructure
SCATTERED SPIDER understands that identity is the new perimeter. Rather than merely compromising a system, they aim to take control of identity and access management tools like:
- Okta
- Active Directory
- Azure AD
- SSO and MFA services
By doing so, they’re not just accessing individual endpoints, they’re taking over the core trust fabric of the organisation. Once they own your identity systems, lateral movement and persistence become trivially easy.
3. Speed and Aggression Outpacing Detection
While many attackers spend weeks in a network quietly collecting data, SCATTERED SPIDER moves with urgency and intent. In many cases:
- Initial access to ransomware deployment can take place in less than 48 hours.
- They bypass traditional controls using legitimate tools (Living off the Land), leaving minimal forensic traces.
- They often disable security tools, delete logs, or backdoor admin accounts to stay one step ahead.
Traditional defences based on known signatures, blacklists, or passive monitoring are often too slow or too blind to respond in time.
4. Blurring the Line Between Cybercrime and Nation-State Tactics
Although motivated by financial gain rather than geopolitics, SCATTERED SPIDER’s tradecraft exhibits a level of maturity and adaptation more typical of state-sponsored APT groups. This includes:
- Tailored intrusion techniques for specific industries and environments
- Multi-stage attacks with operational patience
- Use of multiple extortion channels, including PR pressure and data leak sites
This hybrid operational model (part ransomware gang, part APT) means traditional classifications don’t fully capture the scope of their threat. For defenders, this creates both strategic confusion and escalating risk.
In short, SCATTERED SPIDER is dangerous not just because of what they do, but how they do it. Their blend of psychological manipulation, identity compromise, and rapid escalation makes them one of the most formidable threats facing organisations today.
Defending Against SCATTERED SPIDER: Practical Guidance
While SCATTERED SPIDER’s tactics are sophisticated, they often exploit basic lapses in process, communication, and identity management. That means there are precautions organisations can take to harden themselves against this type of threat, without needing to reinvent their entire security stack.
1. Reinforce Help Desk Security Protocols
Since SCATTERED SPIDER frequently targets help desks and support teams, ensure those teams are trained to:
- Never reset MFA or passwords without high-assurance identity verification.
- Use call-back procedures or out-of-band verification for unusual requests.
- Flag repeated or urgent requests as potential social engineering.
Adding simple checklists and mandatory escalation paths for sensitive account changes can drastically reduce social engineering success rates.
2. Harden Identity and Access Management
Identity remains a prime attack surface. To reduce risk:
- Enforce phishing-resistant MFA, such as hardware tokens or app-based push authentication with device binding (rather than SMS or email codes).
- Implement just-in-time access and least privilege policies for administrative accounts.
- Regularly audit inactive accounts, especially third-party vendors and former employees.
Integrate identity telemetry into your detection stack: suspicious logins, MFA resets, or logins from new devices should trigger alerts.
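The correlation described above, written out as an added example that is not part of the original article: it pairs a help-desk MFA factor reset with a subsequent successful login from a device the user has never used, the sequence a help-desk social-engineering call tends to produce. The log records are constructed for this example and use a simplified JSON-lines shape whose field names (`event`, `user`, `device`, `actor`) are an assumption, not any identity provider's schema; the one-hour window and the baseline of known devices are likewise assumptions you would tune to your environment.

```python
"""Correlate identity telemetry: MFA resets followed by logins from unseen devices.

Added example (not the article's code). The records below are constructed, and the
field names are a simplified assumption rather than a vendor schema.
"""
import json
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample identity events (JSON lines, oldest first is not required).
SAMPLE_LOG = """
{"ts": "2025-05-01T08:55:00Z", "event": "login.success", "user": "j.doe", "device": "dev-A1", "ip": "203.0.113.10"}
{"ts": "2025-05-01T09:10:00Z", "event": "mfa.factor.reset", "user": "j.doe", "actor": "helpdesk.ops", "ip": "198.51.100.5"}
{"ts": "2025-05-01T09:25:00Z", "event": "login.success", "user": "j.doe", "device": "dev-Z9", "ip": "192.0.2.77"}
{"ts": "2025-05-01T09:30:00Z", "event": "login.success", "user": "a.smith", "device": "dev-B2", "ip": "203.0.113.11"}
{"ts": "2025-05-01T10:00:00Z", "event": "login.success", "user": "k.lee", "device": "dev-C3", "ip": "203.0.113.12"}
{"ts": "2025-05-01T12:00:00Z", "event": "mfa.factor.reset", "user": "a.smith", "actor": "helpdesk.ops", "ip": "198.51.100.5"}
{"ts": "2025-05-01T15:00:00Z", "event": "login.success", "user": "a.smith", "device": "dev-B2", "ip": "203.0.113.11"}
"""

# Constructed baseline of devices each user has previously authenticated from.
KNOWN_DEVICES = {"j.doe": {"dev-A1"}, "a.smith": {"dev-B2"}, "k.lee": {"dev-C1"}}

# Assumed window: a reset followed by a new-device login this soon is high severity.
RESET_WINDOW = timedelta(hours=1)


def parse(log_text):
    """Parse JSON lines into dicts with UTC datetimes, sorted chronologically."""
    events = []
    for line in log_text.strip().splitlines():
        rec = json.loads(line)
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def detect(log_text, known_devices):
    """Return alerts for logins from devices not in the user's baseline.

    Severity is 'high' when the login follows an MFA factor reset within
    RESET_WINDOW, and 'low' for a new device with no recent reset.
    """
    known = defaultdict(set, {u: set(d) for u, d in known_devices.items()})
    last_reset = {}  # user -> (timestamp, actor who performed the reset)
    alerts = []
    for rec in parse(log_text):
        user = rec["user"]
        if rec["event"] == "mfa.factor.reset":
            last_reset[user] = (rec["ts"], rec.get("actor", "unknown"))
            continue
        if rec["event"] != "login.success":
            continue
        device = rec["device"]
        if device in known[user]:
            continue
        known[user].add(device)  # learn the device so it is only reported once
        reset = last_reset.get(user)
        if reset and rec["ts"] - reset[0] <= RESET_WINDOW:
            minutes = int((rec["ts"] - reset[0]).total_seconds() // 60)
            alerts.append({
                "severity": "high", "user": user, "device": device, "ip": rec["ip"],
                "reason": f"login from unseen device {minutes} min after MFA reset by {reset[1]}",
            })
        else:
            alerts.append({
                "severity": "low", "user": user, "device": device, "ip": rec["ip"],
                "reason": "login from unseen device (no recent MFA reset)",
            })
    return alerts


def run_sample():
    """Run the detector over the constructed sample log and baseline."""
    return detect(SAMPLE_LOG, KNOWN_DEVICES)


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

In this sample only `j.doe` produces a high-severity alert (a reset by `helpdesk.ops` followed 15 minutes later by a login from `dev-Z9`), `k.lee` produces a low-severity new-device alert, and `a.smith` produces nothing because the post-reset login came from an already-known device. In production the baseline would come from historical authentication data rather than a literal, and the reset event should also be checked against the help-desk ticket that authorised it.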
3. Monitor for Signs of Lateral Movement
Once SCATTERED SPIDER is inside a network, time is of the essence. Deploy tools and strategies to detect:
- Unusual use of remote admin tools (e.g. PowerShell, PsExec)
- Use of credential dumping tools or abnormal privilege escalation
- Lateral movement attempts, especially to identity infrastructure like Active Directory or Okta
EDR/XDR platforms with good behavioural analytics can be critical here, especially when coupled with 24/7 monitoring or MDR services.
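The three signals listed above, turned into detection logic as an added example that is not part of the original article. It runs over constructed Windows-style event records using the commonly logged fields of three real event IDs: 4688 (process creation, whose `CommandLine` field is only present when command-line auditing is enabled), 4624 with logon type 3 (network logon) and 7045 (a service was installed). The host names, IP addresses, the set of identity-tier hosts, the set of approved admin jump hosts and the five-minute window are all assumptions for this example; `PSEXESVC` is PsExec's default service name, so the rule also correlates any service install with a just-preceding network logon to catch renamed tooling.

```python
"""Lateral-movement detection over constructed Windows-style event records.

Added example (not the article's code). Event IDs 4688, 4624 and 7045 are real;
the records, hosts, addresses and thresholds below are constructed assumptions.
"""
from datetime import datetime, timedelta, timezone

# Assumed asset knowledge: identity-tier hosts and the only sources allowed to
# open network logons to them (e.g. hardened admin jump hosts).
IDENTITY_HOSTS = {"DC-01"}
ADMIN_SOURCES = {"10.0.9.2"}
SERVICE_WINDOW = timedelta(minutes=5)  # network logon -> service install gap
# PowerShell switches that, in combination, are unusual for interactive admins.
PS_FLAGS = ("-enc", "-encodedcommand", "-w hidden", "-nop")

# Constructed sample events, keyed on the fields the respective event IDs carry.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:40:00Z", "host": "WKS-17", "id": 4688, "user": "j.doe",
     "process": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden -EncodedCommand <redacted>"},
    {"ts": "2025-05-01T09:41:00Z", "host": "FS-02", "id": 4624, "user": "j.doe",
     "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2025-05-01T09:41:20Z", "host": "FS-02", "id": 7045,
     "service": "PSEXESVC", "image": "%SystemRoot%\\PSEXESVC.exe"},
    {"ts": "2025-05-01T09:50:00Z", "host": "DC-01", "id": 4624, "user": "j.doe",
     "logon_type": 3, "src_ip": "10.0.5.17"},
    {"ts": "2025-05-01T11:00:00Z", "host": "DC-01", "id": 4624, "user": "svc.backup",
     "logon_type": 3, "src_ip": "10.0.9.2"},  # from an approved jump host
    {"ts": "2025-05-01T11:05:00Z", "host": "APP-07", "id": 7045,
     "service": "VendorUpdater", "image": "C:\\Program Files\\Vendor\\updater.exe"},
]


def _ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events):
    """Return alerts, each with a 'rule' name, host and human-readable reason."""
    alerts = []
    net_logons = {}  # host -> [(ts, user, src_ip)] seen so far
    for e in sorted(events, key=lambda r: r["ts"]):
        ts = _ts(e["ts"])
        if e["id"] == 4688:
            cmd = e.get("cmdline", "").lower()
            if "powershell" in e.get("process", "").lower() and sum(f in cmd for f in PS_FLAGS) >= 2:
                alerts.append({"rule": "suspicious_powershell", "host": e["host"],
                               "reason": f"{e['user']} ran PowerShell with hidden/encoded switches"})
        elif e["id"] == 4624 and e.get("logon_type") == 3:
            net_logons.setdefault(e["host"], []).append((ts, e["user"], e["src_ip"]))
            if e["host"] in IDENTITY_HOSTS and e["src_ip"] not in ADMIN_SOURCES:
                alerts.append({"rule": "identity_host_access", "host": e["host"],
                               "reason": f"network logon by {e['user']} from {e['src_ip']} "
                                         f"(not an approved admin source)"})
        elif e["id"] == 7045:
            recent = [l for l in net_logons.get(e["host"], []) if ts - l[0] <= SERVICE_WINDOW]
            named = "psexesvc" in (e.get("service", "") + e.get("image", "")).lower()
            if recent or named:
                who = f" after network logon by {recent[-1][1]} from {recent[-1][2]}" if recent else ""
                alerts.append({"rule": "remote_service_install", "host": e["host"],
                               "reason": f"service {e['service']} installed{who}"
                                         + (" (PsExec default service name)" if named else "")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Against the sample, the rules fire three times: the encoded PowerShell on `WKS-17`, the service install on `FS-02` twenty seconds after a network logon from the same workstation, and the network logon to `DC-01` from a non-admin source. The backup account's logon from the approved jump host and the vendor updater service on `APP-07` (no preceding network logon) are not flagged, which is the point of correlating rather than alerting on every 7045.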
4. Protect Your Data, and Know Where It Is
Given the group’s focus on data theft prior to encryption, prevention isn’t just about backups:
- Map your critical data locations, especially customer, financial, and IP-related data.
- Use Data Loss Prevention (DLP) tools to monitor exfiltration patterns.
- Segment sensitive environments and restrict data access to only those who need it.
Ensure that backups are not just secure and segmented from your main network, but also tested regularly.
5. Prepare for the Human Side of a Crisis
Even strong technical controls can be undone by panic or poor decision-making in the moment. Prepare:
- A ransomware playbook with clear response roles, legal guidance, and communications plans.
- Crisis simulations or tabletop exercises that include scenarios involving data leaks and public extortion.
- Training for executives and PR teams on how to manage the reputational and regulatory impact.
Remember: SCATTERED SPIDER succeeds by catching organisations off guard, so make sure your teams know exactly how to respond under pressure.
Security Culture Is Your Best Defence
At the end of the day, SCATTERED SPIDER’s tactics work because they exploit human trust, urgency, and complexity. Investing in detection tools is important, but fostering a culture of scepticism, verification, and shared responsibility across the organisation is what truly builds resilience.
Stay Vigilant, Stay Informed
SCATTERED SPIDER has proven that ransomware is no longer just about encrypted files and ransom notes — it’s about controlling identities, deceiving people, and outpacing traditional defences. Their campaigns demonstrate just how effective a threat actor can be when they combine technical proficiency with social engineering and real-time manipulation.
What makes them especially dangerous is not just the tools they use, but the tactics and mindset behind their operations. This is a group that studies its targets, adapts rapidly, and blends psychological and technical attacks with striking efficiency.
For organisations in the UK, the US, and beyond, the message is clear: security isn’t just a technology problem — it’s a people and process problem too. Preventing the next SCATTERED SPIDER-style breach means:
- Educating and empowering support staff
- Hardening identity infrastructure
- Monitoring for the unexpected
- And rehearsing how you’ll respond under pressure
Cybercriminals evolve constantly. So must we.
Header image: Photo by Егор Камелев on Unsplash.