Scattered Spider: A Deep Dive into One of Today’s Most Notorious Cybercriminal Groups

Cyber Security News • July 8, 2025

Introduction

Few groups have captured the attention of cybersecurity professionals and industry leaders as forcefully as Scattered Spider. Recently, a wave of cyberattacks rocked several well-known British high street retailers. One particularly high-profile attack has been attributed to this sophisticated group of cybercriminals, sparking widespread concern across the retail sector.



What makes Scattered Spider a formidable adversary is not just their technical skill, but their agility, persistence, and use of sophisticated social engineering tactics. This blog post aims to shed light on their operations, explore a recent ransomware campaign, and most importantly, provide actionable recommendations to help organisations bolster their defences.

Who is Scattered Spider?

The Retail Sector Attack: A Case Study

In April 2025, a prominent British retail brand experienced a devastating ransomware attack that disrupted payment systems and halted online order processing. The attack, later attributed to Scattered Spider, was marked by several chilling characteristics:


  • Theft of Active Directory (AD) databases
  • Deployment of ransomware on VMware ESXi servers
  • Potential infiltration as early as February 2025
  • Final payload: DragonForce ransomware executed on April 24th


Although no data exfiltration has been confirmed, the sheer level of disruption has sent shockwaves through the industry. With such critical systems targeted, the attack highlights the need for robust cybersecurity strategies, especially for sectors with large customer footprints and complex IT infrastructures.

Anatomy of an Attack: Scattered Spider's Modus Operandi

Scattered Spider employs a multi-phase intrusion strategy, combining traditional and modern cyber-attack techniques. Below is a breakdown of the typical lifecycle of their attacks:


1. Initial Access: Credential Theft

Their campaigns often begin with the theft of NTDS.dit files from Windows domain controllers. These files contain hashed credentials, which attackers can crack offline to extract plaintext passwords.


This type of credential theft provides an immediate foothold into the victim’s network, often giving them domain-level access early in the attack.


2. Lateral Movement

With administrative credentials in hand, Scattered Spider navigates laterally through networks. They seek out high-value assets such as VMware ESXi hosts, domain controllers, and file servers, using SMB/Windows Admin Shares or RDP for access.


This lateral movement is often stealthy, avoiding malware to reduce detection risks.


3. Persistence and Privilege Escalation

Scattered Spider is skilled at blending into legitimate IT processes. Rather than deploying obvious malware, they prefer using remote management tools and valid credentials to maintain long-term access.


Their persistence mechanisms include:


  • Abuse of Group Policy Objects (GPOs)
  • Use of admin tools like PowerShell
  • Enabling RDP tunneling


Because their activity mimics legitimate administrative behaviour, detection becomes significantly harder for traditional antivirus and EDR systems.


4. Payload Deployment: DragonForce Ransomware

Once positioned, Scattered Spider deploys a ransomware payload, most recently DragonForce, targeting ESXi infrastructure.


By encrypting business-critical virtual machines, they ensure maximum disruption, thereby increasing the likelihood of ransom payment.

MITRE ATT&CK Techniques Utilised

Security professionals mapping Scattered Spider’s activity often reference the MITRE ATT&CK Framework, which identifies the group’s use of the following techniques:


  • Phishing (T1566.002): Spearphishing via trusted services (e.g., fake Microsoft 365 portals)
  • OS Credential Dumping (T1003.003): Theft of NTDS.dit
  • Remote Services (T1021.002): Abuse of Windows Admin Shares
  • Data Encrypted for Impact (T1486): Deployment of ransomware on virtualised environments

Why Scattered Spider is a Significant Threat

Scattered Spider has rapidly emerged as one of the most dangerous and disruptive cybercriminal groups targeting global enterprises today. Their success lies not just in technical sophistication but in a combination of unique traits that differentiate them from more conventional ransomware actors. Understanding why Scattered Spider is so formidable helps organisations better anticipate and defend against their attacks.


1. Social Engineering Mastery

Scattered Spider’s most alarming strength is its exceptional use of social engineering. Unlike many cybercriminal groups that rely on brute-force techniques or mass phishing campaigns, Scattered Spider meticulously crafts highly personalised spear-phishing messages. These are designed to closely mimic internal communications, often impersonating IT support personnel or identity verification services.


Their phishing techniques are highly believable, complete with cloned login pages, forged emails from trusted sources, and even voice-based social engineering (vishing) calls. Employees who are otherwise trained to detect phishing attempts may fall for these sophisticated scams because of how convincingly they replicate legitimate business operations.


In many instances, Scattered Spider has been known to call help desks pretending to be employees who are locked out of their accounts, leveraging publicly available data from LinkedIn or compromised email inboxes to back up their claims. Once help desk staff reset credentials or issue new multi-factor authentication (MFA) tokens, the attackers gain access to high-privilege accounts without deploying a single piece of malware.


This high-level psychological manipulation enables Scattered Spider to gain initial access without triggering many of the traditional red flags that automated security systems rely on. It also highlights a critical vulnerability in human behaviour, making security awareness training and response protocols more vital than ever.


2. Partnerships with Ransomware Operators

Another factor that elevates the threat level of Scattered Spider is their collaboration with established ransomware-as-a-service (RaaS) groups, including the notorious DragonForce operation. These partnerships enable Scattered Spider to outsource the encryption and extortion phase of their attacks, allowing them to focus entirely on gaining access, maintaining persistence, and staging environments for maximum damage.

The relationship is symbiotic: Scattered Spider breaches enterprise networks and delivers access to ransomware groups, who then execute the encryption and manage ransom negotiations. This approach reflects a broader trend in cybercrime where threat actors specialise and collaborate, creating cybercrime supply chains that operate with alarming efficiency.


With these partnerships, Scattered Spider can:


  • Rapidly scale operations across industries and geographies
  • Increase their financial gain through profit-sharing agreements
  • Focus on bypassing sophisticated defences while others handle payload development and extortion


These alliances also mean that Scattered Spider is not constrained by technical limitations. If they need a new variant of ransomware to bypass defences or exploit new vulnerabilities, their partners are likely to provide it. This makes them highly adaptable and far more dangerous than a lone hacking crew.


3. Sector-Specific Targeting

While many ransomware groups cast a wide net, Scattered Spider demonstrates a targeted approach, one that aligns closely with economic disruption and maximum leverage. They have shown a clear preference for industries that are time-sensitive, customer-facing, and operationally dependent on IT availability. Among these, retail, hospitality, and logistics have been hit the hardest.


In retail, for instance, even short disruptions can lead to massive financial losses, especially when payment systems and online orders are impacted. Similarly, logistics companies that rely on real-time data for delivery tracking and inventory control can be brought to a standstill. In hospitality, downtime affects customer reservations, bookings, and loyalty programs, leading to brand reputation damage and financial liability.


By choosing these targets, Scattered Spider ensures that victims feel immense pressure to pay ransoms quickly to restore operations. These sectors are also more likely to have complex third-party integrations, such as supply chain vendors or booking platforms that attackers can exploit to expand their reach or pivot to other victims.


Moreover, the customer trust factor plays a big role. A successful attack on a retailer or hotel chain not only causes operational chaos but also risks reputational harm, especially if customer data is believed to be at risk. This leverage further enhances the effectiveness of ransomware demands.

What Can Retailers and Enterprises Do?

As threat actors continue to evolve, so must enterprise defences. Here are several key recommendations to mitigate risks from groups like Scattered Spider:


1. Enhance Logging and Monitoring

  • Deploy SIEM solutions to correlate authentication logs, domain controller activity, and network access
  • Implement behavioural analytics to detect anomalies
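One way to turn the logging recommendation above into concrete correlation rules, as an added example that is not part of the article: three toy detections, each tied to a technique from the Anatomy section and the MITRE mapping (NTDS.dit copying, admin-share fan-out, RDP from an unexpected source), run over constructed Windows Security event records and then grouped per account. The host names, account names, addresses, the tool list and the jump-host list are all assumptions made for the sample.

```python
from collections import defaultdict

# Constructed sample Windows Security events (not real telemetry); only the
# fields the rules below need are kept. 4688 = process creation,
# 5140 = network share accessed, 4624 = successful logon.
EVENTS = [
    {"id": 4688, "host": "DC01", "user": "svc_backup", "process": "ntdsutil.exe",
     "cmdline": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\ifm" q q'},
    {"id": 5140, "host": "FS01", "user": "svc_backup", "src_ip": "10.0.5.23", "share": "\\\\*\\ADMIN$"},
    {"id": 5140, "host": "ESX-MGMT", "user": "svc_backup", "src_ip": "10.0.5.23", "share": "\\\\*\\C$"},
    {"id": 5140, "host": "DC02", "user": "svc_backup", "src_ip": "10.0.5.23", "share": "\\\\*\\ADMIN$"},
    {"id": 4624, "host": "DC02", "user": "svc_backup", "src_ip": "10.0.5.23", "logon_type": 10},
    {"id": 4624, "host": "WS-042", "user": "jsmith", "src_ip": "10.0.9.7", "logon_type": 2},
]

# Built-in tools commonly used to take a copy of the AD database (assumed list).
NTDS_COPY_TOOLS = {"ntdsutil.exe", "vssadmin.exe", "diskshadow.exe"}

def detect_ntds_dump(events, domain_controllers):
    """T1003.003: an NTDS.dit copy tool started on a domain controller."""
    return [e for e in events
            if e["id"] == 4688 and e["host"] in domain_controllers
            and e["process"].lower() in NTDS_COPY_TOOLS]

def detect_admin_share_fanout(events, threshold=3):
    """T1021.002: one account/source reaching admin shares on >= threshold hosts."""
    touched = defaultdict(set)
    for e in events:
        if e["id"] == 5140 and e["share"].endswith(("ADMIN$", "C$")):
            touched[(e["user"], e["src_ip"])].add(e["host"])
    return {k: sorted(v) for k, v in touched.items() if len(v) >= threshold}

def detect_rdp_new_source(events, known_admin_sources):
    """RDP logon (type 10) from an address that is not a known admin jump host."""
    return [e for e in events
            if e["id"] == 4624 and e["logon_type"] == 10
            and e["src_ip"] not in known_admin_sources]

def correlate(events, domain_controllers, known_admin_sources):
    """Group rule hits per account: several hits on one account is the real signal."""
    hits = defaultdict(set)
    for e in detect_ntds_dump(events, domain_controllers):
        hits[e["user"]].add("ntds_dump")
    for (user, _src), _hosts in detect_admin_share_fanout(events).items():
        hits[user].add("admin_share_fanout")
    for e in detect_rdp_new_source(events, known_admin_sources):
        hits[e["user"]].add("rdp_new_source")
    return {u: sorted(r) for u, r in hits.items()}

if __name__ == "__main__":
    print(correlate(EVENTS, {"DC01", "DC02"}, {"10.0.0.10"}))
```

In a real SIEM the same three rules would be expressed as saved searches over the 4688/5140/4624 event streams, with the correlation keyed on account and source address as here.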


2. Multi-Factor Authentication (MFA)

  • Enforce MFA across all critical applications and administrative access
  • Use phishing-resistant MFA methods like FIDO2 keys


3. Principle of Least Privilege

  • Limit user privileges to only what’s necessary
  • Rotate and monitor admin credentials frequently


4. Security Awareness Campaigns

  • Train employees to recognise spearphishing tactics
  • Simulate attacks regularly to improve resilience

Reducing Supply Chain Risk

A key concern in modern cybersecurity is supply chain compromise. If a vendor or partner is compromised by Scattered Spider, your systems may be next.


Immediate Actions to Take:


  • Revoke and rotate credentials associated with the affected vendor
  • Enable MFA and review audit logs for any abnormal activity
  • If the compromised entity had access to your systems, revoke their access and reassess permissions immediately

Building a Long-Term Defence Strategy

Long-term cybersecurity resilience against advanced threat actors like Scattered Spider requires strategic planning, investment, and vigilance.


1. Zero Trust Architecture

  • Treat every access request as untrusted
  • Require continuous authentication and authorisation


2. Incident Response Planning

  • Test your IR plan regularly with tabletop exercises
  • Ensure roles and responsibilities are clear for internal and external stakeholders


3. Third-Party Risk Management

  • Conduct security assessments of vendors and partners
  • Enforce contractual cybersecurity standards


4. Patch Management and Vulnerability Scanning

  • Prioritise and patch known exploited vulnerabilities
  • Automate vulnerability scanning and correlate with threat intelligence feeds

Summary

Scattered Spider represents the next generation of cybercriminal groups: technically proficient, highly motivated, and alarmingly effective. Their recent ransomware attack on a major UK retailer is a stark reminder of the ever-present threat to enterprise environments.


Organisations across all sectors, not just retail, must adopt a proactive and layered security approach. From implementing robust identity protections to building resilient supply chains, the need for comprehensive defence mechanisms has never been greater.


As attackers become more skilled and daring, defenders must evolve just as quickly. In this ongoing cyber arms race, preparation and agility are the keys to survival.

Ready to strengthen your security posture? Contact us today for more information on protecting your business.

