Scattered Spider: A Deep Dive into One of Today’s Most Notorious Cybercriminal Groups

July 8, 2025

Introduction

Few groups have captured the attention of cybersecurity professionals and industry leaders as forcefully as Scattered Spider. Recently, a wave of cyberattacks rocked several well-known British high street retailers. One particularly high-profile attack has been attributed to this sophisticated group of cybercriminals, sparking widespread concern across the retail sector.



What makes Scattered Spider a formidable adversary is not just their technical skill, but their agility, persistence, and use of sophisticated social engineering tactics. This blog post aims to shed light on their operations, explore a recent ransomware campaign, and most importantly, provide actionable recommendations to help organisations bolster their defences.

Who is Scattered Spider?

The Retail Sector Attack: A Case Study

In April 2025, a prominent British retail brand experienced a devastating ransomware attack that disrupted payment systems and halted online order processing. The attack, later attributed to Scattered Spider, was marked by several chilling characteristics:


  • Theft of Active Directory (AD) databases
  • Deployment of ransomware on VMware ESXi servers
  • Potential infiltration as early as February 2025
  • Final payload: DragonForce ransomware executed on April 24th


Although no data exfiltration has been confirmed, the sheer level of disruption has sent shockwaves through the industry. With such critical systems targeted, the attack highlights the need for robust cybersecurity strategies, especially for sectors with large customer footprints and complex IT infrastructures.

Anatomy of an Attack: Scattered Spider's Modus Operandi

Scattered Spider employs a multi-phase intrusion strategy, combining traditional and modern cyber-attack techniques. Below is a breakdown of the typical lifecycle of their attacks:


1. Initial Access: Credential Theft

Their campaigns often begin with the theft of NTDS.dit files from Windows domain controllers. These files contain hashed credentials, which attackers can crack offline to extract plaintext passwords.


This type of credential theft provides an immediate foothold into the victim’s network, often giving them domain-level access early in the attack.


2. Lateral Movement

With administrative credentials in hand, Scattered Spider navigates laterally through networks. They seek out high-value assets such as VMware ESXi hosts, domain controllers, and file servers, using SMB/Windows Admin Shares or RDP for access.


This lateral movement is often stealthy, avoiding malware to reduce detection risks.


3. Persistence and Privilege Escalation

Scattered Spider is skilled at blending into legitimate IT processes. Rather than deploying obvious malware, they prefer using remote management tools and valid credentials to maintain long-term access.


Their persistence mechanisms include:


  • Abuse of Group Policy Objects (GPOs)
  • Use of admin tools like PowerShell
  • Enabling RDP tunneling


Because their activity mimics legitimate administrative behaviour, detection becomes significantly harder for traditional antivirus and EDR systems.


4. Payload Deployment: DragonForce Ransomware

Once positioned, Scattered Spider deploys a ransomware payload, most recently DragonForce, targeting ESXi infrastructure.


By encrypting business-critical virtual machines, they ensure maximum disruption, thereby increasing the likelihood of ransom payment.

MITRE ATT&CK Techniques Utilised

Security professionals mapping Scattered Spider’s activity often reference the MITRE ATT&CK Framework; the group’s tradecraft maps to the following techniques:


  • Phishing (T1566.002): Spearphishing via trusted services (e.g., fake Microsoft 365 portals)
  • OS Credential Dumping (T1003.003): Theft of NTDS.dit
  • Remote Services (T1021.002): Abuse of Windows Admin Shares
  • Data Encrypted for Impact (T1486): Deployment of ransomware on virtualised environments
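The detection side of the techniques listed above, as an added example that is not code from the original post: a small Python correlation over constructed Windows Security events (4688 process creation, 5140 share access, 5136 directory object modification) that flags NTDS.dit extraction tooling, one account fanning out to admin shares on several hosts within a short window, and changes to Group Policy objects. The event shapes, host and account names, keyword list and thresholds are assumptions; command-line auditing and DS object change auditing must be enabled for the first and third detectors to have anything to read. Note that extracting NTDS.dit already requires privileged access to a domain controller, so the first detector is a late-stage signal and the share fan-out rule is the earlier warning.

```python
"""Correlate Windows Security events for three signals of the tradecraft above.

Added illustration, not the page's own tooling. Event records are constructed
and simplified (dicts with the relevant fields), not real EVTX output.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not from any real incident).
EVENTS = [
    # 4688 process creation; the command line is only present if command-line auditing is on
    {"id": 4688, "time": "2025-04-20T02:10:00", "host": "DC01", "user": "CORP\\svc_backup",
     "cmd": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    {"id": 4688, "time": "2025-04-20T09:00:00", "host": "WS07", "user": "CORP\\alice",
     "cmd": "notepad.exe C:\\Users\\alice\\notes.txt"},
    # 5140 network share accessed
    {"id": 5140, "time": "2025-04-21T01:00:00", "host": "SRV01", "user": "CORP\\svc_backup",
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.5"},
    {"id": 5140, "time": "2025-04-21T01:03:00", "host": "SRV02", "user": "CORP\\svc_backup",
     "share": "\\\\*\\C$", "src_ip": "10.0.0.5"},
    {"id": 5140, "time": "2025-04-21T01:05:00", "host": "ESX-MGMT", "user": "CORP\\svc_backup",
     "share": "\\\\*\\ADMIN$", "src_ip": "10.0.0.5"},
    {"id": 5140, "time": "2025-04-21T08:00:00", "host": "FS01", "user": "CORP\\bob",
     "share": "\\\\*\\Finance", "src_ip": "10.0.1.20"},
    # 5136 directory object modified; needs DS change auditing and a SACL on the GPO container
    {"id": 5136, "time": "2025-04-22T03:30:00", "host": "DC01", "user": "CORP\\svc_backup",
     "object_class": "groupPolicyContainer", "attribute": "gPCMachineExtensionNames"},
]

# Keywords a defender looks for in process command lines (vssadmin is noisy: backups use it too).
NTDS_DUMP_MARKERS = ("ntdsutil", "ntds.dit", "vssadmin")
ADMIN_SHARES = ("ADMIN$", "C$")


def parse_time(value: str) -> datetime:
    return datetime.fromisoformat(value)


def detect_ntds_extraction(events):
    """T1003.003: process command lines that reference NTDS tooling or the database file."""
    hits = []
    for e in events:
        if e["id"] != 4688:
            continue
        cmd = e.get("cmd", "").lower()
        if any(marker in cmd for marker in NTDS_DUMP_MARKERS):
            hits.append({"technique": "T1003.003", "host": e["host"], "user": e["user"], "cmd": e["cmd"]})
    return hits


def detect_admin_share_fanout(events, min_hosts=3, window=timedelta(minutes=15)):
    """T1021.002: one account touching admin shares on >= min_hosts distinct hosts within window."""
    by_user = defaultdict(list)
    for e in events:
        if e["id"] == 5140 and any(e["share"].endswith(s) for s in ADMIN_SHARES):
            by_user[e["user"]].append((parse_time(e["time"]), e["host"]))
    hits = []
    for user, accesses in by_user.items():
        accesses.sort()
        for i, (t0, _) in enumerate(accesses):
            hosts = {h for t, h in accesses[i:] if t - t0 <= window}
            if len(hosts) >= min_hosts:
                hits.append({"technique": "T1021.002", "user": user,
                             "hosts": sorted(hosts), "start": t0.isoformat()})
                break  # one finding per account is enough for triage
    return hits


def detect_gpo_modification(events):
    """Persistence: writes to groupPolicyContainer objects (GPO abuse)."""
    return [{"technique": "GPO-modify", "user": e["user"], "host": e["host"], "attribute": e["attribute"]}
            for e in events if e["id"] == 5136 and e.get("object_class") == "groupPolicyContainer"]


def run_all(events):
    return detect_ntds_extraction(events) + detect_admin_share_fanout(events) + detect_gpo_modification(events)


if __name__ == "__main__":
    for finding in run_all(EVENTS):
        print(finding)
```

Each finding carries the ATT&CK identifier the page lists, so the output can be routed to the same playbooks a SIEM would use; in production the fan-out window and host count should be tuned against what your own administrators do on a normal day.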

Why Scattered Spider is a Significant Threat

Scattered Spider has rapidly emerged as one of the most dangerous and disruptive cybercriminal groups targeting global enterprises today. Their success lies not just in technical sophistication but in a combination of unique traits that differentiate them from more conventional ransomware actors. Understanding why Scattered Spider is so formidable helps organisations better anticipate and defend against their attacks.


1. Social Engineering Mastery

Scattered Spider’s most alarming strength is its exceptional use of social engineering. Unlike many cybercriminal groups that rely on brute-force techniques or mass phishing campaigns, Scattered Spider meticulously crafts highly personalised spear-phishing messages. These are designed to closely mimic internal communications, often impersonating IT support personnel or identity verification services.


Their phishing techniques are highly believable, complete with cloned login pages, forged emails from trusted sources, and even voice-based social engineering (vishing) calls. Employees who are otherwise trained to detect phishing attempts may fall for these sophisticated scams because of how convincingly they replicate legitimate business operations.


In many instances, Scattered Spider has been known to call help desks pretending to be employees who are locked out of their accounts, leveraging publicly available data from LinkedIn or compromised email inboxes to back up their claims. Once help desk staff reset credentials or issue new multi-factor authentication (MFA) tokens, the attackers gain access to high-privilege accounts without deploying a single piece of malware.


This high-level psychological manipulation enables Scattered Spider to gain initial access without triggering many of the traditional red flags that automated security systems rely on. It also highlights a critical vulnerability in human behaviour, making security awareness training and response protocols more vital than ever.
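The help-desk reset scenario described above can be detected as well as trained against. As an added example (not the page's own tooling), the Python below scores what an account does in the 24 hours after a help-desk password or MFA reset, using constructed identity-provider style events: a reset requested by phone, a freshly registered authenticator, a sign-in from an unknown device or an unusual country, and a privileged role activation all add to the score. Event fields, the user names, the weights and the alert threshold are assumptions to tune against your own logs.

```python
"""Correlate a help-desk credential/MFA reset with what the account does next.

Added example, not code from the page. The events are constructed to resemble
simplified identity-provider logs (Entra ID / Okta style); they are not real data.
"""
from datetime import datetime, timedelta

# Constructed sample events (not real logs), ordered by time.
IDENTITY_EVENTS = [
    {"time": "2025-04-18T10:00:00", "type": "helpdesk_reset", "user": "j.smith",
     "actor": "helpdesk_02", "channel": "phone", "what": "mfa_method"},
    {"time": "2025-04-18T10:20:00", "type": "mfa_register", "user": "j.smith",
     "method": "authenticator_app", "ip": "203.0.113.9"},
    {"time": "2025-04-18T10:25:00", "type": "signin", "user": "j.smith",
     "ip": "203.0.113.9", "country": "NL", "known_device": False},
    {"time": "2025-04-18T11:00:00", "type": "role_activate", "user": "j.smith",
     "role": "Global Administrator"},
    # Benign control: a ticket-based reset followed by a sign-in from the usual device and country.
    {"time": "2025-04-18T14:00:00", "type": "helpdesk_reset", "user": "a.jones",
     "actor": "helpdesk_02", "channel": "ticket", "what": "password"},
    {"time": "2025-04-18T14:30:00", "type": "signin", "user": "a.jones",
     "ip": "198.51.100.4", "country": "GB", "known_device": True},
]
# Constructed baseline: the country each user normally signs in from.
USER_HOME_COUNTRY = {"j.smith": "GB", "a.jones": "GB"}

# Signal weights (assumptions for the example; tune against real data).
WEIGHTS = {
    "phone_channel": 1,    # reset requested over the phone rather than an authenticated ticket
    "new_mfa_method": 3,   # a fresh authenticator registered right after the reset
    "unknown_device": 2,   # sign-in from a device never seen for this user
    "foreign_country": 2,  # sign-in country differs from the user's baseline
    "privileged_role": 3,  # privileged role activated shortly after the reset
}
ALERT_THRESHOLD = 5
FOLLOW_WINDOW = timedelta(hours=24)


def _t(event) -> datetime:
    return datetime.fromisoformat(event["time"])


def score_reset(reset, events, home_country):
    """Return (score, reasons) for what the reset user did within FOLLOW_WINDOW after the reset."""
    score, reasons = 0, []
    if reset.get("channel") == "phone":
        score += WEIGHTS["phone_channel"]
        reasons.append("reset requested by phone")
    start = _t(reset)
    for e in events:
        if e["user"] != reset["user"] or not (start < _t(e) <= start + FOLLOW_WINDOW):
            continue
        if e["type"] == "mfa_register":
            score += WEIGHTS["new_mfa_method"]
            reasons.append(f"new MFA method: {e['method']}")
        elif e["type"] == "signin":
            if not e["known_device"]:
                score += WEIGHTS["unknown_device"]
                reasons.append(f"unknown device from {e['ip']}")
            if e["country"] != home_country.get(reset["user"]):
                score += WEIGHTS["foreign_country"]
                reasons.append(f"sign-in from {e['country']}")
        elif e["type"] == "role_activate":
            score += WEIGHTS["privileged_role"]
            reasons.append(f"role activated: {e['role']}")
    return score, reasons


def correlate(events, home_country, threshold=ALERT_THRESHOLD):
    """One finding per help-desk reset whose follow-on activity scores at or above threshold."""
    findings = []
    for e in events:
        if e["type"] != "helpdesk_reset":
            continue
        score, reasons = score_reset(e, events, home_country)
        if score >= threshold:
            findings.append({"user": e["user"], "reset_by": e["actor"], "score": score, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in correlate(IDENTITY_EVENTS, USER_HOME_COUNTRY):
        print(finding)
```

The point of keying on the reset event is that every later signal is individually explainable (people do travel and do get new phones); it is the sequence following a help-desk action that separates a socially engineered takeover from routine support.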


2. Partnerships with Ransomware Operators

Another factor that elevates the threat level of Scattered Spider is their collaboration with established ransomware-as-a-service (RaaS) groups, including the notorious DragonForce operation. These partnerships enable Scattered Spider to outsource the encryption and extortion phase of their attacks, allowing them to focus entirely on gaining access, maintaining persistence, and staging environments for maximum damage.

The relationship is symbiotic: Scattered Spider breaches enterprise networks and delivers access to ransomware groups, who then execute the encryption and manage ransom negotiations. This approach reflects a broader trend in cybercrime where threat actors specialise and collaborate, creating cybercrime supply chains that operate with alarming efficiency.


With these partnerships, Scattered Spider can:


  • Rapidly scale operations across industries and geographies
  • Increase their financial gain through profit-sharing agreements
  • Focus on bypassing sophisticated defences while others handle payload development and extortion


These alliances also mean that Scattered Spider is not constrained by technical limitations. If they need a new variant of ransomware to bypass defences or exploit new vulnerabilities, their partners are likely to provide it. This makes them highly adaptable and far more dangerous than a lone hacking crew.


3. Sector-Specific Targeting

While many ransomware groups cast a wide net, Scattered Spider demonstrates a targeted approach, one that aligns closely with economic disruption and maximum leverage. They have shown a clear preference for industries that are time-sensitive, customer-facing, and operationally dependent on IT availability. Among these, retail, hospitality, and logistics have been hit the hardest.


In retail, for instance, even short disruptions can lead to massive financial losses, especially when payment systems and online orders are impacted. Similarly, logistics companies that rely on real-time data for delivery tracking and inventory control can be brought to a standstill. In hospitality, downtime affects customer reservations, bookings, and loyalty programs, leading to brand reputation damage and financial liability.


By choosing these targets, Scattered Spider ensures that victims feel immense pressure to pay ransoms quickly to restore operations. These sectors are also more likely to have complex third-party integrations, such as supply chain vendors or booking platforms, that attackers can exploit to expand their reach or pivot to other victims.


Moreover, the customer trust factor plays a big role. A successful attack on a retailer or hotel chain not only causes operational chaos but also risks reputational harm, especially if customer data is believed to be at risk. This leverage further enhances the effectiveness of ransomware demands.

What Can Retailers and Enterprises Do?

As threat actors continue to evolve, so must enterprise defences. Here are several key recommendations to mitigate risks from groups like Scattered Spider:


1. Enhance Logging and Monitoring

  • Deploy SIEM solutions to correlate authentication logs, domain controller activity, and network access
  • Implement behavioural analytics to detect anomalies


2. Multi-Factor Authentication (MFA)

  • Enforce MFA across all critical applications and administrative access
  • Use phishing-resistant MFA methods like FIDO2 keys
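Why a FIDO2 key resists the cloned login pages described earlier, shown in a runnable simulation that is added here and is not code from the page or from any FIDO library: the authenticator only signs for a relying party ID the browser allows the page's origin to claim, the browser (not the page) writes the true origin into the signed client data, and the relying party checks challenge, origin, rpIdHash, signature and sign counter. An HMAC secret stands in for the credential's ECDSA private key; the relying party ID corp.example, the origins and the look-alike host corp-example.net are constructed.

```python
"""Why FIDO2/WebAuthn is phishing-resistant, in a runnable simulation.

Added example, not code from the page or any FIDO library. The HMAC secret stands
in for the credential's ECDSA private key; the rest follows the WebAuthn shape:
authenticatorData = sha256(rpId) || flags || signCount, and the signature covers
authenticatorData || sha256(clientDataJSON), where the browser writes the real
page origin into clientDataJSON.
"""
import hashlib
import hmac
import json
import secrets


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


class Authenticator:
    """Stand-in for a hardware security key (simulation: HMAC instead of ECDSA)."""

    def __init__(self):
        self.credentials = {}  # rp_id -> secret; one credential per relying party
        self.sign_count = 0

    def register(self, rp_id: str) -> bytes:
        self.credentials[rp_id] = secrets.token_bytes(32)
        return self.credentials[rp_id]  # the RP stores this as it would a public key

    def get_assertion(self, rp_id: str, client_data: bytes):
        secret = self.credentials[rp_id]  # KeyError if no credential exists for this rp_id
        self.sign_count += 1
        auth_data = sha256(rp_id.encode()) + b"\x01" + self.sign_count.to_bytes(4, "big")
        sig = hmac.new(secret, auth_data + sha256(client_data), hashlib.sha256).digest()
        return auth_data, sig


def browser_get(authenticator, rp_id, page_origin, challenge):
    """The browser enforces that the page origin may claim rp_id and records the true origin."""
    host = page_origin.split("://", 1)[1]
    if not (host == rp_id or host.endswith("." + rp_id)):
        raise PermissionError(f"origin {page_origin} may not use rpId {rp_id}")
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": challenge, "origin": page_origin}
    ).encode()
    auth_data, sig = authenticator.get_assertion(rp_id, client_data)
    return client_data, auth_data, sig


class RelyingParty:
    def __init__(self, rp_id, allowed_origins):
        self.rp_id = rp_id
        self.allowed_origins = set(allowed_origins)
        self.stored_secret = None
        self.last_count = 0
        self.pending = None

    def new_challenge(self) -> str:
        self.pending = secrets.token_urlsafe(16)
        return self.pending

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get" or cd.get("challenge") != self.pending:
            return False, "challenge mismatch (replay or stale)"
        if cd.get("origin") not in self.allowed_origins:
            return False, f"origin {cd.get('origin')} not allowed"
        if auth_data[:32] != sha256(self.rp_id.encode()):
            return False, "rpIdHash mismatch"
        expected = hmac.new(self.stored_secret, auth_data + sha256(client_data), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False, "bad signature"
        count = int.from_bytes(auth_data[33:37], "big")
        if count <= self.last_count:
            return False, "sign counter did not advance"
        self.last_count = count
        self.pending = None  # a challenge is single use
        return True, "ok"


def run_scenarios():
    key = Authenticator()
    rp = RelyingParty("corp.example", ["https://corp.example", "https://login.corp.example"])
    rp.stored_secret = key.register("corp.example")
    results = {}
    # 1. Genuine login from the real origin.
    assertion = browser_get(key, "corp.example", "https://login.corp.example", rp.new_challenge())
    results["genuine"] = rp.verify(*assertion)
    # 2. The same captured assertion replayed against a fresh challenge.
    rp.new_challenge()
    results["replay"] = rp.verify(*assertion)
    # 3. A look-alike origin proxying the real challenge: the browser refuses to use the credential.
    try:
        browser_get(key, "corp.example", "https://corp-example.net", rp.pending)
        results["lookalike"] = (True, "browser allowed it")
    except PermissionError as exc:
        results["lookalike"] = (False, str(exc))
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name:9} -> {outcome}")
```

This is the property that a one-time code or push approval lacks: a code typed into a cloned page is valid wherever it is relayed, whereas a FIDO2 assertion is bound to the origin the browser saw and to a single challenge.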


3. Principle of Least Privilege

  • Limit user privileges to only what’s necessary
  • Rotate and monitor admin credentials frequently
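One way to turn the two bullets above into a repeatable check, as an added example that is not the page's own tooling: a Python audit over a constructed export of Active Directory accounts that reports privileged-group members whose password exceeds a rotation age, that have gone unused, or that are service accounts holding interactive admin group membership. The group names are AD's built-in privileged groups; the account records, the 90-day and 60-day thresholds and the fixed audit date are assumptions.

```python
"""Audit privileged AD accounts for least-privilege and credential-rotation drift.

Added example, not the page's own tooling. The account records are constructed
(a simplified export in the shape of Get-ADUser / ldapsearch output); thresholds
and the fixed audit date are assumptions chosen so the run is reproducible.
"""
from datetime import datetime, timedelta

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Administrators", "Schema Admins"}
MAX_PASSWORD_AGE = timedelta(days=90)   # rotation policy for privileged accounts (assumption)
STALE_LOGON = timedelta(days=60)        # privileged access unused this long should be removed
AUDIT_DATE = datetime(2025, 4, 30)      # fixed 'now' so the example is deterministic

# Constructed account export (not real accounts).
ACCOUNTS = [
    {"sam": "alice.admin", "groups": ["Domain Admins"], "pwd_last_set": "2025-03-15",
     "last_logon": "2025-04-29", "service_account": False},
    {"sam": "svc_backup", "groups": ["Domain Admins", "Backup Operators"], "pwd_last_set": "2023-11-01",
     "last_logon": "2025-04-28", "service_account": True},
    {"sam": "old.consultant", "groups": ["Administrators"], "pwd_last_set": "2024-12-01",
     "last_logon": "2024-10-05", "service_account": False},
    {"sam": "bob", "groups": ["Domain Users"], "pwd_last_set": "2022-01-01",
     "last_logon": "2025-04-29", "service_account": False},
]


def _date(value: str) -> datetime:
    return datetime.fromisoformat(value)


def audit(accounts, now=AUDIT_DATE):
    """Return one finding per privileged account with at least one issue."""
    findings = []
    for a in accounts:
        privileged = PRIVILEGED_GROUPS.intersection(a["groups"])
        if not privileged:
            continue  # the review focuses on accounts that actually hold privilege
        issues = []
        if now - _date(a["pwd_last_set"]) > MAX_PASSWORD_AGE:
            issues.append("password older than rotation policy")
        if now - _date(a["last_logon"]) > STALE_LOGON:
            issues.append("privileged account unused beyond stale threshold")
        if a["service_account"]:
            issues.append("service account holds interactive admin group membership")
        if issues:
            findings.append({"account": a["sam"], "groups": sorted(privileged), "issues": issues})
    return findings


if __name__ == "__main__":
    for finding in audit(ACCOUNTS):
        print(finding)
```

The service-account finding is the one most relevant to the attack described on this page: a backup or management service sitting in Domain Admins is exactly the kind of valid credential an intruder can use without dropping malware, so it should run under a tiered, least-privilege identity instead.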


4. Security Awareness Campaigns

  • Train employees to recognise spearphishing tactics
  • Simulate attacks regularly to improve resilience

Reducing Supply Chain Risk

A key concern in modern cybersecurity is supply chain compromise. If a vendor or partner is compromised by Scattered Spider, your systems may be next.


Immediate Actions to Take:


  • Revoke and rotate credentials associated with the affected vendor
  • Enable MFA and review audit logs for any abnormal activity
  • If the compromised entity had access to your systems, revoke their access and reassess permissions immediately

Building a Long-Term Defence Strategy

Long-term cybersecurity resilience against advanced threat actors like Scattered Spider requires strategic planning, investment, and vigilance.


1. Zero Trust Architecture

  • Treat every access request as untrusted
  • Require continuous authentication and authorisation


2. Incident Response Planning

  • Test your IR plan regularly with tabletop exercises
  • Ensure roles and responsibilities are clear for internal and external stakeholders


3. Third-Party Risk Management

  • Conduct security assessments of vendors and partners
  • Enforce contractual cybersecurity standards


4. Patch Management and Vulnerability Scanning

  • Prioritise and patch known exploited vulnerabilities
  • Automate vulnerability scanning and correlate with threat intelligence feeds
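The two bullets above describe a prioritisation policy; as an added example that is not the page's own process, the Python below ranks constructed scanner findings so that known-exploited vulnerabilities on exposed, high-value assets come first, and attaches a remediation deadline. The CVE identifiers and the known-exploited and intel sets are constructed placeholders (CVE-0000-NNNNN), not real vulnerabilities; in practice the exploited set would come from a feed such as the CISA Known Exploited Vulnerabilities catalogue, and the deadline table is an assumption rather than any standard.

```python
"""Rank scanner findings so known-exploited issues on exposed, high-value assets are fixed first.

Added example, not the page's own process. CVE identifiers, the known-exploited
set and the intel set are constructed placeholders, not real vulnerabilities.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    cve: str
    cvss: float
    internet_facing: bool
    asset_tier: int  # 1 = crown jewels (domain controllers, hypervisors), 3 = low value


# Constructed scanner output (not real hosts or CVEs).
FINDINGS = [
    Finding("WEB01", "CVE-0000-00001", 9.8, True, 2),
    Finding("ESX01", "CVE-0000-00002", 7.5, False, 1),
    Finding("VPN01", "CVE-0000-00005", 8.1, True, 1),
    Finding("WS07", "CVE-0000-00003", 5.3, False, 3),
    Finding("FS01", "CVE-0000-00004", 7.2, False, 2),
]
KEV = {"CVE-0000-00002", "CVE-0000-00005"}   # constructed known-exploited set
ACTIVE_THREAT_CVES = {"CVE-0000-00005"}       # constructed: linked to a tracked actor in intel


def priority_key(f: Finding, kev: set, intel: set) -> tuple:
    """Lower tuple sorts first: exploited in the wild, then actor-linked, then exposed, then tier, then CVSS."""
    return (
        0 if f.cve in kev else 1,
        0 if f.cve in intel else 1,
        0 if f.internet_facing else 1,
        f.asset_tier,
        -f.cvss,
    )


def prioritise(findings, kev, intel):
    return sorted(findings, key=lambda f: priority_key(f, kev, intel))


def sla_days(f: Finding, kev: set, intel: set) -> int:
    """Remediation deadline policy (an assumption for the example, not an industry standard)."""
    if f.cve in kev:
        return 3 if (f.internet_facing or f.cve in intel) else 14
    if f.cvss >= 9.0:
        return 30
    if f.cvss >= 7.0:
        return 60
    return 90


if __name__ == "__main__":
    for f in prioritise(FINDINGS, KEV, ACTIVE_THREAT_CVES):
        print(f"{f.host:8} {f.cve}  fix within {sla_days(f, KEV, ACTIVE_THREAT_CVES):>2} days")
```

Sorting on exploitation evidence before CVSS is the practical effect of correlating scan results with threat intelligence: the highest-scoring finding in the sample (CVSS 9.8 on WEB01) drops below a lower-scored but actively exploited issue on the VPN and the hypervisor.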

Summary

Scattered Spider represents the next generation of cybercriminal groups: technically proficient, highly motivated, and alarmingly effective. Their recent ransomware attack on a major UK retailer is a stark reminder of the ever-present threat to enterprise environments.


Organisations across all sectors, not just retail, must adopt a proactive and layered security approach. From implementing robust identity protections to building resilient supply chains, the need for comprehensive defence mechanisms has never been greater.


As attackers become more skilled and daring, defenders must evolve just as quickly. In this ongoing cyber arms race, preparation and agility are the keys to survival.


