Scattered Spider Expands Its Web of Ransomware Attacks

The ransomware group Scattered Spider, also tracked as UNC3944, has moved beyond targeting telecommunications and technology companies to attacking the hospitality, retail, media, and financial services sectors.

Last week, the threat actors caused massive disruption at several hotels in Las Vegas and drew the attention of federal law enforcement agencies and even the White House.

Scattered Spider’s Ransomware Impact

In a statement, researchers at Mandiant, the Google-owned cybersecurity firm, reported a marked shift from relatively indiscriminate but high-profile data theft attacks on major tech firms to sophisticated ransomware attacks on other industries.

According to the report, since 2022 the group's operations have relied on social engineering and SMS phishing (smishing) campaigns to obtain credentials, which they then use to gain and escalate access within victim organizations.

By mid-2023, however, the group had begun deploying ransomware in high-profile attacks on numerous victims, indicating an expansion of its monetization strategies.

Mandiant has since observed the group's targeting broaden beyond telecommunications and business process outsourcing (BPO) firms to a wide range of industries, including hospitality, retail, media and entertainment, and financial services.

The threat actors also appear to be active in underground communities such as Telegram channels and other underground forums, which they may use to acquire tools, services, and other support for their operations.

Focus Shifts to Data Theft and Manipulation

Mandiant observed that the group focuses sharply on stealing large amounts of encrypted data for extortion, and that common U.S. and European business practices have aided its efforts to extract money from victims.

The threat actors also depend heavily on publicly available tools, legitimate software, and malware purchased on underground forums from other cybercriminals.

According to a source, the group operates at an extremely high tempo, gaining access to critical systems and exfiltrating large volumes of data over the course of a few days. That operational tempo, combined with the volume of data siphoned, can overwhelm security response teams, Mandiant explained.