Scattered Spider is the moniker given by CrowdStrike to a loosely connected eCrime group whose membership is transient and vaguely defined. Other vendors track this threat actor group as UNC3944, Storm-0875, LUCR-3, and other designations.
The group’s motivations are typically financial, and it targets a broad range of industries and countries. Its victims typically fall within Western nations such as the United States, Canada, the United Kingdom, and Switzerland, but it has also been known to target East-Asian nations such as Thailand and South American entities within Brazil.
Active since 2022, Scattered Spider typically monetizes its attacks through ransomware and data-theft extortion, focusing on big-game targets such as Fortune 500 companies in industries including technology, financial services, retail, and aerospace.
Scattered Spider’s recent activity
Recent headlines credit the group with large-scale attacks on prominent targets, including Transport for London, Caesars, MGM Resorts, DoorDash, Cloudflare, Marks & Spencer, Harrods, and Co-op.
With their attacks becoming more prevalent, it is important to understand how they typically gain access to an organization and how they operate once inside a network.
The group's targets tend to shift over time — currently, retail appears to be its main industry victim, but next month, its focus could be somewhere else. It is important that all enterprises understand they could become targets of this group at any moment, especially larger organizations with a global footprint.
Common TTPs
Scattered Spider tends to utilize advanced social engineering and deception to gain initial access to an organization, often via SMS (smishing) or voice calls (vishing). They are also known to call external-facing help-desk numbers in an attempt to have passwords or MFA numbers reset for unwitting users, granting the group access to accounts.
Their activities tend to culminate in mass data theft and ransomware, leading to double extortion of victims, forcing them to pay to both decrypt data and not release the stolen data. The methods they’ve used include:
- Help desk impersonation: Uses social engineering to convince help desks to reset passwords and MFA material for targeted administrators or other privileged accounts
- “SIM swapping” to gain initial access to identities
- Double extortion to monetize their breaches, both encrypting and threatening to release data
- Active Directory Compromise: Known to extract NTDS.dit from Domain Controllers – the primary credential-holding database for Active Directory
- Credential phishing: Uses look-alike domains to trick victims into submitting credentials; these domains often contain terms such as okta, sso, help, corp, and internal
- Lateral movement: Known to abuse RDP, SSH, PsExec and Scheduled Tasks to move across systems within a network
- Persistence via RMM tools: Abuses remote monitoring and management platforms like AnyDesk to maintain access
- Credential dumping: Using tools like Mimikatz, secretsdump.py and DCSync
- Ransomware deployment: Has been observed using the DragonForce Ransomware-as-a-Service (RaaS) variant to execute attacks
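The post-access TTPs in the list above (PsExec and scheduled-task lateral movement, NTDS.dit extraction, Mimikatz and secretsdump, DCSync) each leave a characteristic Windows event. The hunting rules below are an added example written for this article, not Varonis code or any tool of the group; the events are constructed dicts with simplified field names, and a real pipeline would feed parsed Security and System log events into the same checks.

```python
"""Hunting rules for Scattered Spider-style post-access activity on Windows hosts.

Added example (not Varonis code). Event IDs used: 7045 (service installed),
4698 (scheduled task created), 4688 (process creation, needs command-line
auditing), 4662 (operation on an AD object, needs auditing on the domain
naming context). The sample events at the bottom are constructed."""
import re
from dataclasses import dataclass
from typing import Dict, List

# Extended-right GUIDs a DCSync requests on the domain naming context.
DS_REPLICATION_GUIDS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcf2",  # DS-Replication-Get-Changes
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcf2",  # DS-Replication-Get-Changes-All
}

# Command-line fragments tied to NTDS.dit theft and credential dumping.
DUMP_PATTERNS = [
    (r"\bntdsutil\b.*\bifm\b", "ntdsutil IFM export of NTDS.dit"),
    (r"\bvssadmin\b.*\bcreate\s+shadow\b", "shadow copy creation (NTDS.dit/SAM staging)"),
    (r"\bsecretsdump(\.py)?\b", "impacket secretsdump"),
    (r"\bmimikatz\b|sekurlsa::|lsadump::", "mimikatz"),
]

# User-writable locations a scheduled task should rarely execute from.
WRITABLE_ROOTS = ("c:\\users\\", "c:\\windows\\temp\\", "c:\\programdata\\",
                  "%temp%", "%appdata%")


@dataclass
class Finding:
    rule: str
    host: str
    detail: str


def check_event(ev: Dict) -> List[Finding]:
    """Apply every rule to one event and return the findings it produced."""
    out: List[Finding] = []
    eid, host = ev.get("EventID"), ev.get("Computer", "?")
    if eid == 7045:
        name, path = ev.get("ServiceName", ""), ev.get("ImagePath", "")
        if name.lower() == "psexesvc" or "psexec" in path.lower():
            out.append(Finding("psexec_service_install", host, f"{name} -> {path}"))
    elif eid == 4698:
        cmd = ev.get("Command", "").lower()
        if any(root in cmd for root in WRITABLE_ROOTS):
            out.append(Finding("scheduled_task_from_writable_path", host,
                               f"{ev.get('TaskName')} by {ev.get('SubjectUserName')}: {cmd}"))
    elif eid == 4688:
        cmd = ev.get("CommandLine", "")
        for pattern, label in DUMP_PATTERNS:
            if re.search(pattern, cmd, re.IGNORECASE):
                out.append(Finding("credential_dumping", host, f"{label}: {cmd}"))
                break
    elif eid == 4662:
        rights = {g.lower() for g in ev.get("Properties", [])}
        subject = ev.get("SubjectUserName", "")
        # DC computer accounts (ending in $) replicate legitimately; user accounts should not.
        if rights & DS_REPLICATION_GUIDS and not subject.endswith("$"):
            out.append(Finding("dcsync_replication_request", host,
                               f"{subject} requested directory replication rights"))
    return out


def hunt(events: List[Dict]) -> List[Finding]:
    """Run all rules over an event stream and collect the findings."""
    findings: List[Finding] = []
    for ev in events:
        findings.extend(check_event(ev))
    return findings


# Constructed sample events: four should fire, three are benign noise.
SAMPLE_EVENTS = [
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": "%SystemRoot%\\PSEXESVC.exe"},
    {"EventID": 7045, "Computer": "FS01", "ServiceName": "Sense",
     "ImagePath": "C:\\Program Files\\Windows Defender Advanced Threat Protection\\MsSense.exe"},
    {"EventID": 4698, "Computer": "WS07", "SubjectUserName": "jdoe",
     "TaskName": "\\Updater", "Command": "C:\\Users\\Public\\svc.exe"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "jdoe",
     "CommandLine": 'ntdsutil "ac i ntds" "ifm" "create full C:\\temp\\x" q q'},
    {"EventID": 4688, "Computer": "WS07", "SubjectUserName": "jdoe",
     "CommandLine": "notepad.exe C:\\notes.txt"},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "jdoe",
     "Properties": ["1131f6ad-9c07-11d1-f79f-00c04fc2dcf2"]},
    {"EventID": 4662, "Computer": "DC01", "SubjectUserName": "DC02$",
     "Properties": ["1131f6aa-9c07-11d1-f79f-00c04fc2dcf2"]},
]

if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"[{f.rule}] {f.host}: {f.detail}")
```

The DCSync rule is the one worth tuning first: in most environments only domain controller machine accounts (and a small set of known services such as Entra Connect) request the replication extended rights, so the exclusion list should be explicit rather than the blanket `$`-suffix test used here.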
Defensive recommendations
Varonis Threat Labs recommends the following defensive measures to keep data secure from threats like Scattered Spider:
- Strengthen help desk protocols: Implement identity verification procedures to prevent social engineering attacks
- Deploy phishing-resistant MFA: Use number-matching or hardware tokens instead of basic push notifications for all remote access points
- Ensure endpoint coverage: Maintain 100% coverage with well-configured endpoint detection and response (EDR) tools and active alert monitoring
- Filter web traffic: Use web proxies to block access to suspicious or malicious domains
- Monitor critical data stores: Use tools like Varonis to detect unusual access patterns that may indicate a breach in progress
- Conduct red-team exercises: Regularly test defenses against simulated attacks, especially targeting Active Directory
- Restrict server internet access: Apply default-deny rules and allow-list only essential domains and IPs at the firewall level
- Keep systems updated: Ensure all operating systems and applications are patched and current
- Maintain secure backups: Store backups offline and test them regularly to ensure recoverability in the event of an attack
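The credential-phishing item above (look-alike domains carrying terms such as okta, sso, help, corp, and internal) and the recommendation to filter web traffic through a proxy fit together: the proxy can score each requested host against the organization's own domains before allowing it. The triage logic below is an added example written for this article, not Varonis code. It assumes a constructed brand string (`example`) and allow-list (`example.com`, `example.okta.com`), uses the lure tokens named in the post, and falls back to a two-label heuristic for the registrable domain; a production version should use the Public Suffix List instead.

```python
"""Look-alike domain triage for web-proxy logs.

Added example, not Varonis code. BRAND, OWNED_DOMAINS and SAMPLE_PROXY_LOG are
constructed; LURE_TOKENS are the terms named in the article."""
from typing import Dict, List, Sequence, Tuple
from urllib.parse import urlsplit

LURE_TOKENS = ("okta", "sso", "help", "corp", "internal")
BRAND = "example"                                     # constructed brand string
OWNED_DOMAINS = ("example.com", "example.okta.com")   # constructed allow-list


def levenshtein(a: str, b: str) -> int:
    """Edit distance, used to catch typosquats such as examp1e.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def second_level(domain: str) -> str:
    """Two-label heuristic for the registrable label (assumption: no public-suffix handling)."""
    labels = domain.split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def is_owned(domain: str, owned: Sequence[str]) -> bool:
    """True when the host is one of the organization's domains or a subdomain of one."""
    return any(domain == o or domain.endswith("." + o) for o in owned)


def assess(domain: str, brand: str = BRAND, owned: Sequence[str] = OWNED_DOMAINS) -> Dict:
    """Score a host: brand in an unowned domain and near-typosquats weigh 2, each lure token 1."""
    d = domain.lower().strip(".")
    if is_owned(d, owned):
        return {"domain": d, "verdict": "allow", "score": 0, "reasons": []}
    score, reasons = 0, []
    if brand in d:
        score += 2
        reasons.append(f"brand '{brand}' in a domain the organization does not own")
    hits = [t for t in LURE_TOKENS if t in d]
    if hits:
        score += len(hits)
        reasons.append("lure tokens: " + ", ".join(hits))
    sld = second_level(d)
    for ref in {brand, *(second_level(o) for o in owned)}:
        if sld != ref and levenshtein(sld, ref) <= 2:
            score += 2
            reasons.append(f"'{sld}' is within edit distance 2 of '{ref}'")
            break
    verdict = "block" if score >= 2 else "review" if score else "allow"
    return {"domain": d, "verdict": verdict, "score": score, "reasons": reasons}


def triage(proxy_lines: Sequence[str], brand: str = BRAND,
           owned: Sequence[str] = OWNED_DOMAINS) -> List[Tuple[str, str]]:
    """Map each 'timestamp user url' proxy line to (host, verdict)."""
    results = []
    for line in proxy_lines:
        _, _, url = line.split(maxsplit=2)
        host = urlsplit(url).hostname or ""
        results.append((host, assess(host, brand, owned)["verdict"]))
    return results


# Constructed proxy log lines in a simplified 'timestamp user url' layout.
SAMPLE_PROXY_LOG = [
    "2025-05-01T10:02:11Z jdoe https://login.example.com/",
    "2025-05-01T10:04:53Z jdoe https://example-sso-help.com/login",
    "2025-05-01T10:05:20Z asmith https://examp1e.com/okta/verify",
    "2025-05-01T10:07:44Z asmith https://sso-portal.net/",
]

if __name__ == "__main__":
    for host, verdict in triage(SAMPLE_PROXY_LOG):
        print(f"{verdict:7} {host}  {assess(host)['reasons']}")
```

The "review" tier exists because lure tokens alone (a legitimate third-party SSO portal, for instance) produce false positives; only the combination of a token with the organization's brand, or a near-typosquat of an owned domain, is treated as a block. Feeding the block list back into the proxy as a deny rule closes the loop with the web-filtering recommendation.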
Don't wait for a breach to occur.
Scattered Spider is unique in that its ranks are not well-defined, and association is difficult to attribute when compared to other threat actors.
As always, key defensive measures target monitoring, backups, and implementing common best-practice procedures across your organization’s network.
If you need immediate assistance or think your organization has been impacted by threats like Scattered Spider, contact our team.
