Scattered Spider: A Deep Dive into One of Today’s Most Notorious Cybercriminal Groups

July 8, 2025

Introduction

Few groups have captured the attention of cybersecurity professionals and industry leaders as forcefully as Scattered Spider. Recently, a wave of cyberattacks rocked several well-known British high street retailers. One particularly high-profile attack has been attributed to this sophisticated group of cybercriminals, sparking widespread concern across the retail sector.



What makes Scattered Spider a formidable adversary is not just their technical skill, but their agility, persistence, and use of sophisticated social engineering tactics. This blog post aims to shed light on their operations, explore a recent ransomware campaign, and most importantly, provide actionable recommendations to help organisations bolster their defences.

Who is Scattered Spider?

The Retail Sector Attack: A Case Study

In April 2025, a prominent British retail brand experienced a devastating ransomware attack that disrupted payment systems and halted online order processing. The attack, later attributed to Scattered Spider, was marked by several chilling characteristics:


  • Theft of Active Directory (AD) databases
  • Deployment of ransomware on VMware ESXi servers
  • Potential infiltration as early as February 2025
  • Final payload: DragonForce ransomware executed on April 24th


Although no data exfiltration has been confirmed, the sheer level of disruption has sent shockwaves through the industry. With such critical systems targeted, the attack highlights the need for robust cybersecurity strategies, especially for sectors with large customer footprints and complex IT infrastructures.

Anatomy of an Attack: Scattered Spider's Modus Operandi

Scattered Spider employs a multi-phase intrusion strategy, combining traditional and modern cyber-attack techniques. Below is a breakdown of the typical lifecycle of their attacks:


1. Initial Access: Credential Theft

Their campaigns often begin with the theft of NTDS.dit files from Windows domain controllers. These files contain hashed credentials, which attackers can crack offline to extract plaintext passwords.


This type of credential theft provides an immediate foothold into the victim’s network, often giving them domain-level access early in the attack.


2. Lateral Movement

With administrative credentials in hand, Scattered Spider navigates laterally through networks. They seek out high-value assets such as VMware ESXi hosts, domain controllers, and file servers, using SMB/Windows Admin Shares or RDP for access.


This lateral movement is often stealthy, avoiding malware to reduce detection risks.


3. Persistence and Privilege Escalation

Scattered Spider is skilled at blending into legitimate IT processes. Rather than deploying obvious malware, they prefer using remote management tools and valid credentials to maintain long-term access.


Their persistence mechanisms include:


  • Abuse of Group Policy Objects (GPOs)
  • Use of admin tools like PowerShell
  • Enabling RDP tunneling


Because their activity mimics legitimate administrative behaviour, detection becomes significantly harder for traditional antivirus and EDR systems.


4. Payload Deployment: DragonForce Ransomware

Once positioned, Scattered Spider deploys a ransomware payload—most recently DragonForce, targeting ESXi infrastructure.


By encrypting business-critical virtual machines, they ensure maximum disruption, thereby increasing the likelihood of ransom payment.

MITRE ATT&CK Techniques Utilised

Security professionals mapping Scattered Spider’s activity often reference the MITRE ATT&CK Framework, which identifies the group’s use of the following techniques:


  • Phishing (T1566.002): Spearphishing via trusted services (e.g., fake Microsoft 365 portals)
  • OS Credential Dumping (T1003.003): Theft of NTDS.dit
  • Remote Services (T1021.002): Abuse of Windows Admin Shares
  • Data Encrypted for Impact (T1486): Deployment of ransomware on virtualised environments

Why Scattered Spider is a Significant Threat

Scattered Spider has rapidly emerged as one of the most dangerous and disruptive cybercriminal groups targeting global enterprises today. Their success lies not just in technical sophistication but in a combination of unique traits that differentiate them from more conventional ransomware actors. Understanding why Scattered Spider is so formidable helps organisations better anticipate and defend against their attacks.


1. Social Engineering Mastery

Scattered Spider’s most alarming strength is its exceptional use of social engineering. Unlike many cybercriminal groups that rely on brute-force techniques or mass phishing campaigns, Scattered Spider meticulously crafts highly personalised spear-phishing messages. These are designed to closely mimic internal communications, often impersonating IT support personnel or identity verification services.


Their phishing techniques are highly believable, complete with cloned login pages, forged emails from trusted sources, and even voice-based social engineering (vishing) calls. Employees who are otherwise trained to detect phishing attempts may fall for these sophisticated scams because of how convincingly they replicate legitimate business operations.


In many instances, Scattered Spider has been known to call help desks pretending to be employees who are locked out of their accounts, leveraging publicly available data from LinkedIn or compromised email inboxes to back up their claims. Once help desk staff reset credentials or issue new multi-factor authentication (MFA) tokens, the attackers gain access to high-privilege accounts without deploying a single piece of malware.


This high-level psychological manipulation enables Scattered Spider to gain initial access without triggering many of the traditional red flags that automated security systems rely on. It also highlights a critical vulnerability in human behaviour, making security awareness training and response protocols more vital than ever.


2. Partnerships with Ransomware Operators

Another factor that elevates the threat level of Scattered Spider is their collaboration with established ransomware-as-a-service (RaaS) groups, including the notorious DragonForce operation. These partnerships enable Scattered Spider to outsource the encryption and extortion phase of their attacks, allowing them to focus entirely on gaining access, maintaining persistence, and staging environments for maximum damage.

The relationship is symbiotic: Scattered Spider breaches enterprise networks and delivers access to ransomware groups, who then execute the encryption and manage ransom negotiations. This approach reflects a broader trend in cybercrime where threat actors specialise and collaborate, creating cybercrime supply chains that operate with alarming efficiency.


With these partnerships, Scattered Spider can:


  • Rapidly scale operations across industries and geographies
  • Increase their financial gain through profit-sharing agreements
  • Focus on bypassing sophisticated defences while others handle payload development and extortion


These alliances also mean that Scattered Spider is not constrained by technical limitations. If they need a new variant of ransomware to bypass defences or exploit new vulnerabilities, their partners are likely to provide it. This makes them highly adaptable and far more dangerous than a lone hacking crew.


3. Sector-Specific Targeting

While many ransomware groups cast a wide net, Scattered Spider demonstrates a targeted approach, one that aligns closely with economic disruption and maximum leverage. They have shown a clear preference for industries that are time-sensitive, customer-facing, and operationally dependent on IT availability. Among these, retail, hospitality, and logistics have been hit the hardest.


In retail, for instance, even short disruptions can lead to massive financial losses, especially when payment systems and online orders are impacted. Similarly, logistics companies that rely on real-time data for delivery tracking and inventory control can be brought to a standstill. In hospitality, downtime affects customer reservations, bookings, and loyalty programs, leading to brand reputation damage and financial liability.


By choosing these targets, Scattered Spider ensures that victims feel immense pressure to pay ransoms quickly to restore operations. These sectors are also more likely to have complex third-party integrations, such as supply chain vendors or booking platforms that attackers can exploit to expand their reach or pivot to other victims.


Moreover, the customer trust factor plays a big role. A successful attack on a retailer or hotel chain not only causes operational chaos but also risks reputational harm, especially if customer data is believed to be at risk. This leverage further enhances the effectiveness of ransomware demands.

What Can Retailers and Enterprises Do?

As threat actors continue to evolve, so must enterprise defences. Here are several key recommendations to mitigate risks from groups like Scattered Spider:


1. Enhance Logging and Monitoring

  • Deploy SIEM solutions to correlate authentication logs, domain controller activity, and network access
  • Implement behavioural analytics to detect anomalies
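The correlation this recommendation calls for, shown as an added example that is not code from the original post or from any vendor it mentions. It runs three rules over constructed events: NTDS.dit dumping tooling on a domain controller (the credential theft described under Initial Access, T1003.003), one account fanning out to several hosts over SMB/RDP (the lateral movement described above, T1021.002), and a help-desk MFA reset followed by a sign-in from an IP the account had never used (the help-desk social engineering described under Social Engineering Mastery). Hostnames, usernames, IP addresses, thresholds and the event field names are all assumptions made for the example.

```python
"""Added example (not code from the original post): a small SIEM-style correlator
run over constructed Windows and identity-provider events. The rules mirror the
behaviours described in the post and carry the ATT&CK IDs it lists:

  R1  T1003.003   NTDS.dit dumping tooling executed on a domain controller
  R2  T1021.002   one account reaching several hosts over SMB/RDP in a short window
  R3  (no ID on the page) help-desk MFA reset, then a sign-in from a never-seen IP

Hostnames, usernames, IPs and the event schema are assumptions for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data). "process" mimics Windows event 4688,
# "logon" mimics 4624 with its logon type, "signin"/"mfa_reset" mimic an
# identity-provider audit log. Timestamps are ISO-8601.
EVENTS = [
    {"type": "signin", "ts": "2025-04-18T09:00:00", "user": "j.smith", "ip": "198.51.100.20"},
    {"type": "mfa_reset", "ts": "2025-04-19T14:02:00", "user": "j.smith", "actor": "helpdesk.agent"},
    {"type": "signin", "ts": "2025-04-19T14:20:00", "user": "j.smith", "ip": "203.0.113.7"},
    {"type": "signin", "ts": "2025-04-19T14:30:00", "user": "a.jones", "ip": "198.51.100.21"},
    {"type": "process", "ts": "2025-04-20T02:01:00", "host": "DC01", "user": "svc_backup",
     "cmd": "ntdsutil.exe ac i ntds ifm"},
    {"type": "process", "ts": "2025-04-20T02:03:00", "host": "WS05", "user": "a.jones",
     "cmd": "notepad.exe report.txt"},
    {"type": "logon", "ts": "2025-04-20T02:10:00", "user": "j.smith", "host": "FS01", "logon_type": 3},
    {"type": "logon", "ts": "2025-04-20T02:11:00", "user": "a.jones", "host": "FS01", "logon_type": 3},
    {"type": "logon", "ts": "2025-04-20T02:12:00", "user": "j.smith", "host": "SRV02", "logon_type": 10},
    {"type": "logon", "ts": "2025-04-20T02:15:00", "user": "j.smith", "host": "ESX-MGMT", "logon_type": 3},
]

DOMAIN_CONTROLLERS = {"DC01", "DC02"}  # assumed DC inventory
DUMP_INDICATORS = ("ntdsutil", "ntds.dit", "vssadmin create shadow", "diskshadow")


def _ts(e):
    return datetime.fromisoformat(e["ts"])


def detect_ntds_dumping(events):
    """R1: command lines on a DC that reference NTDS.dit or shadow-copy tooling."""
    hits = []
    for e in events:
        if e["type"] != "process" or e["host"] not in DOMAIN_CONTROLLERS:
            continue
        if any(ind in e["cmd"].lower() for ind in DUMP_INDICATORS):
            hits.append({"rule": "T1003.003", "ts": e["ts"], "host": e["host"], "user": e["user"]})
    return hits


def detect_lateral_fanout(events, window=timedelta(minutes=10), threshold=3):
    """R2: one account logging on to >= threshold distinct hosts via network (3) or
    RDP (10) logons inside a sliding window; one alert per account."""
    by_user = defaultdict(list)
    for e in events:
        if e["type"] == "logon" and e["logon_type"] in (3, 10):
            by_user[e["user"]].append((_ts(e), e["host"]))
    hits = []
    for user, logons in by_user.items():
        logons.sort()
        for i, (t0, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - t0 <= window}
            if len(hosts) >= threshold:
                hits.append({"rule": "T1021.002", "ts": t0.isoformat(), "user": user, "hosts": sorted(hosts)})
                break
    return hits


def detect_reset_then_new_ip(events, window=timedelta(hours=1)):
    """R3: a help-desk MFA reset followed within `window` by a sign-in from an IP
    the account had never used before the reset."""
    signins = [e for e in events if e["type"] == "signin"]
    hits = []
    for r in (e for e in events if e["type"] == "mfa_reset"):
        t_reset = _ts(r)
        known = {s["ip"] for s in signins if s["user"] == r["user"] and _ts(s) < t_reset}
        for s in signins:
            if s["user"] == r["user"] and t_reset <= _ts(s) <= t_reset + window and s["ip"] not in known:
                hits.append({"rule": "helpdesk-reset-new-ip", "ts": s["ts"], "user": s["user"],
                             "ip": s["ip"], "reset_by": r["actor"]})
    return hits


def run_all(events):
    """Run every rule and return the combined alert list, ordered by timestamp."""
    alerts = detect_ntds_dumping(events) + detect_lateral_fanout(events) + detect_reset_then_new_ip(events)
    return sorted(alerts, key=lambda a: a["ts"])


if __name__ == "__main__":
    for alert in run_all(EVENTS):
        print(alert)
```

The window sizes and the fan-out threshold are placeholders to tune against your own baseline; the same three rules translate directly into a SIEM's query language, and the value of R3 in particular is that it ties the help-desk audit trail to sign-in telemetry, which neither log shows on its own.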


2. Multi-Factor Authentication (MFA)

  • Enforce MFA across all critical applications and administrative access
  • Use phishing-resistant MFA methods like FIDO2 keys


3. Principle of Least Privilege

  • Limit user privileges to only what’s necessary
  • Rotate and monitor admin credentials frequently


4. Security Awareness Campaigns

  • Train employees to recognise spearphishing tactics
  • Simulate attacks regularly to improve resilience

Reducing Supply Chain Risk

A key concern in modern cybersecurity is supply chain compromise. If a vendor or partner is compromised by Scattered Spider, your systems may be next.


Immediate Actions to Take:


  • Revoke and rotate credentials associated with the affected vendor
  • Enable MFA and review audit logs for any abnormal activity
  • If the compromised entity had access to your systems, revoke their access and reassess permissions immediately

Building a Long-Term Defence Strategy

Long-term cybersecurity resilience against advanced threat actors like Scattered Spider requires strategic planning, investment, and vigilance.


1. Zero Trust Architecture

  • Treat every access request as untrusted
  • Require continuous authentication and authorisation


2. Incident Response Planning

  • Test your IR plan regularly with tabletop exercises
  • Ensure roles and responsibilities are clear for internal and external stakeholders


3. Third-Party Risk Management

  • Conduct security assessments of vendors and partners
  • Enforce contractual cybersecurity standards


4. Patch Management and Vulnerability Scanning

  • Prioritise and patch known exploited vulnerabilities
  • Automate vulnerability scanning and correlate with threat intelligence feeds

Summary

Scattered Spider represents the next generation of cybercriminal groups: technically proficient, highly motivated, and alarmingly effective. Their recent ransomware attack on a major UK retailer is a stark reminder of the ever-present threat to enterprise environments.


Organisations across all sectors, not just retail, must adopt a proactive and layered security approach. From implementing robust identity protections to building resilient supply chains, the need for comprehensive defence mechanisms has never been greater.


As attackers become more skilled and daring, defenders must evolve just as quickly. In this ongoing cyber arms race, preparation and agility are the keys to survival.

Ready to strengthen your security posture? Contact us today for more information on protecting your business.



