Behind Scattered Spider: Activity, TTPs, and What to Watch For

Ransomware attacks are surging, and Bitsight data shows just how dramatic the rise has been. Our cyber threat intelligence (CTI) researchers observed a nearly 25% increase in unique ransomware victims listed on leak sites in 2024. Even more striking, the number of ransomware group-operated leak sites grew by 53%, underscoring a broader trend: ransomware has remained the favored tactic of financially motivated cybercriminals, offering a fast, high-impact method to extort substantial payouts from targeted organizations.
One group drawing particular attention is Scattered Spider. Known for its aggressive social engineering techniques and targeting of large enterprises, Scattered Spider has quickly gained notoriety as a capable and persistent threat actor. While not always tied directly to ransomware payloads, the group often acts as an initial access broker, enabling ransomware affiliates to deploy attacks. Recent activity suggests that Scattered Spider remains highly active, adaptive, and aligned with financially driven motives.
Scattered Spider: Who are they?
Scattered Spider (aka 0ktapus, Muddled Libra, Roasted 0ktapus, Scatter Swine, UNC3944, Octo Tempest, Storm-0971, DEV-0971, and Starfraud[1]) is a highly active and increasingly sophisticated attack group. Operational since at least 2022, Scattered Spider has been observed leveraging ALPHV (BlackCat) ransomware. ALPHV’s website was taken down in a coordinated effort with the FBI in December 2023. It is unclear how active ALPHV is currently. The group is believed to consist primarily of native English speakers, giving them a linguistic and cultural advantage when conducting social engineering attacks against Western targets. They are thought to be primarily based in the US, UK, and Canada.
Scattered Spider is best known for its use of social engineering, especially phishing and impersonation tactics, to gain initial access. From there, it often leverages vulnerabilities for privilege escalation, enabling deeper compromise within victim networks.
Scattered Spider has been linked to high-profile attacks on major companies such as Caesars Entertainment and MGM Resorts International, underscoring both its capabilities and its focus on high-value targets.
What do they do?
Scattered Spider generally establishes initial access through a combination of phishing and smishing, enabling them to compromise user credentials and intercept multi-factor authentication (MFA) codes. They have been observed launching SIM swapping attacks against users who interact with the smishing/phishing attempts. This initial vector allows the threat actor to bypass authentication controls and gain unauthorized entry into targeted environments. Once inside an environment, Scattered Spider attempts to escalate privileges and conduct reconnaissance before deploying ransomware.
Scattered Spider leverages techniques such as SIM swapping and social engineering, which played a major role in the MGM and Caesars Palace attacks in September 2023. Scattered Spider demonstrates a deep understanding of enterprise cloud platforms, effectively leveraging misconfigurations and native features within Azure, AWS, and Microsoft 365 to escalate privileges and maintain persistence. From June to December 2022, Scattered Spider heavily targeted business process outsourcing (BPO) companies.
Once inside, the group moved quickly to escalate privileges and maintain persistence:
- AWS environment: They exploited compromised credentials to leverage Identity and Access Management (IAM) tokens, granting elevated access and enabling persistent control across cloud resources.
- Azure environment: The actors demonstrated advanced familiarity with Azure’s structure, specifically by escalating privileges to gain Tenant Root Group management permissions. This level of access allowed them to control policies, access management, and other critical aspects of the Azure tenant environment.
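Both cloud patterns above leave a trail in audit telemetry. The following is an added example (not from the original post or from Bitsight) of detection logic run over constructed, flattened CloudTrail and Azure Activity Log events: it flags IAM calls that mint credentials or widen rights on a principal, Elevate Access at the tenant root, and role assignments written at the root management group scope. The operation names are the documented ones; every other field name and all sample values are simplified assumptions.

```python
from collections import Counter

# Constructed, flattened sample events (not real account or tenant data).
# Real CloudTrail and Activity Log records nest these fields
# (userIdentity.userName, authorization.scope, ...).
SAMPLE_EVENTS = [
    {"src": "aws", "eventName": "CreateAccessKey", "user": "j.doe", "ip": "203.0.113.9"},
    {"src": "aws", "eventName": "AttachUserPolicy", "user": "j.doe", "ip": "203.0.113.9",
     "policyArn": "arn:aws:iam::aws:policy/AdministratorAccess"},
    {"src": "aws", "eventName": "DescribeInstances", "user": "ci-bot", "ip": "198.51.100.4"},
    {"src": "azure", "operationName": "Microsoft.Authorization/elevateAccess/action",
     "caller": "j.doe@example.invalid", "scope": "/"},
    {"src": "azure", "operationName": "Microsoft.Authorization/roleAssignments/write",
     "caller": "j.doe@example.invalid",
     "scope": "/providers/Microsoft.Management/managementGroups/TENANT-ID-PLACEHOLDER"},
    {"src": "azure", "operationName": "Microsoft.Compute/virtualMachines/read",
     "caller": "ops@example.invalid", "scope": "/subscriptions/SUB-ID-PLACEHOLDER"},
]

# IAM calls that mint new credentials or widen rights on an existing principal
# (T1098 Account Manipulation / T1136 Create Account in the MITRE table).
AWS_PERSISTENCE = {"CreateAccessKey", "CreateUser", "CreateLoginProfile",
                   "UpdateLoginProfile", "AttachUserPolicy", "PutUserPolicy"}
# A role assignment written under this prefix applies to every subscription.
ROOT_MG = "/providers/Microsoft.Management/managementGroups/"


def detect(events):
    """Return (rule, actor, detail) tuples for events that match a rule."""
    hits = []
    for e in events:
        if e["src"] == "aws" and e["eventName"] in AWS_PERSISTENCE:
            detail = f'{e["eventName"]} {e.get("policyArn", "")}'.strip()
            hits.append(("aws_iam_persistence", e["user"], detail))
        elif e["src"] == "azure":
            op, scope = e["operationName"], e["scope"]
            # Elevate Access turns a Global Administrator into User Access
            # Administrator at the tenant root "/" (T1484 Tenant Policy Modification).
            if op.endswith("/elevateAccess/action"):
                hits.append(("azure_elevate_access", e["caller"], scope))
            elif op.endswith("/roleAssignments/write") and scope.startswith(ROOT_MG):
                hits.append(("azure_root_mg_role_assignment", e["caller"], scope))
    return hits


def actors_to_review(hits, min_hits=2):
    """Actors that tripped more than one rule: the strongest escalation signal."""
    counts = Counter(actor for _, actor, _ in hits)
    return sorted(actor for actor, n in counts.items() if n >= min_hits)
```

Elevate Access is legitimate for break-glass recovery, so treat the rule as a review trigger that should be matched against an approved change, not as a standalone verdict.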
The group has been observed deploying BlackCat/ALPHV ransomware, leveraging it as a primary tool for financial extortion. Scattered Spider engages in the theft of sensitive data, often threatening public disclosure as leverage—even in the absence of ransomware deployment—marking a dual-threat extortion strategy. Scattered Spider has also been reported to use living off the land (LotL) techniques and post-exfiltration file encryption.
Threat researchers have also observed Scattered Spider operating within the Ransomware-as-a-Service (RaaS) ecosystem. The group has been linked to the deployment of ransomware variants affiliated with RansomHub and Qilin, signaling a strategic shift toward monetizing access and capabilities through partnership with established RaaS operators.
Scattered Spider victims: Who do they target?
Scattered Spider has been observed targeting BPOs, Administrative and Support Services, Professional, Scientific, and Technical Services, and Information Services.
Significant attacks
In late April 2025, a ransomware attack on major UK retailers was discovered. While the threat actors failed to breach at least one of the targeted retailers, threat researchers attributed the TTPs to Scattered Spider. During the attack the threat group was observed leveraging the DragonForce ransomware platform. These attacks resulted in significant operational disruptions, financial losses, and data breaches, underscoring the evolving threat landscape facing the retail sector. The initial attack began with a social engineering campaign in which an affiliate of the group pretended to be an employee requesting a password reset.
On September 13, 2023, MGM Resorts and Caesars Palace publicly disclosed ransomware attacks that were later attributed to the threat actor group Scattered Spider. The incident targeting MGM Resorts was particularly sophisticated, involving a blend of social engineering and technical exploitation. The attackers conducted extensive open-source intelligence (OSINT) to impersonate internal IT support staff. They contacted employees via phone calls and SMS, leveraging this social engineering to gain trust.
By masquerading as IT personnel, the attackers tricked employees into divulging their network credentials. This enabled them to bypass multi-factor authentication (MFA) controls, demonstrating a key weakness in the human layer of defense. Once inside the network, the attackers used the Windows Command Shell to execute commands and deploy the ALPHV/BlackCat ransomware. The attackers showed a strong capability to pivot across environments—from cloud to on-premise—by exploiting services like Okta, Citrix, Azure, and SharePoint.
Impact
The impact of Scattered Spider’s operations was vast. MGM suffered a 10-day disruption of critical IT systems. Significant volumes of customer data and personally identifiable information (PII) were exfiltrated. Additionally, it is estimated that damages reached approximately $100 million. The attack highlighted the effectiveness of adversary-in-the-middle tactics and the ability of threat actors to circumvent modern security controls by targeting human behavior.
Mitigation and prevention
- Immediate containment: Isolate any systems confirmed or suspected to be compromised to prevent lateral movement and limit the spread of malware or unauthorized access.
- IOC monitoring: Leverage threat intelligence to continuously monitor for known Indicators of Compromise (IOCs). This includes inspecting network traffic, system logs, and endpoint telemetry to detect ongoing or residual malicious activity.
- Incident response activation: Launch a comprehensive incident response process. Assess the scope of the intrusion, identify affected assets, contain the threat, and initiate forensic investigation and remediation steps.
- User education: Conduct targeted training sessions to reinforce awareness of phishing and social engineering techniques. Emphasize the role of users in identifying and reporting suspicious activity promptly.
- Security enhancements: Strengthen defenses by deploying or expanding multi-factor authentication (MFA), hardening identity and access controls, and ensuring robust endpoint detection and response (EDR) solutions are in place across the organization.
- Zero-trust architecture: Adopt a zero-trust model to limit access and reduce the attack surface.
- Hardware security keys: Implement physical security keys to help prevent phishing.
MITRE Table
| T-Code | Description |
|---|---|
| T1087 | Account Discovery |
| T1098 | Account Manipulation |
| T1217 | Browser Information Discovery |
| T1580 | Cloud Infrastructure Discovery |
| T1538 | Cloud Service Dashboard |
| T1136 | Create Account |
| T1486 | Data Encrypted for Impact |
| T1530 | Data from Cloud Storage |
| T1213 | Data from Information Repositories |
| T1074 | Data Staged |
| T1006 | Direct Volume Access |
| T1484 | Domain or Tenant Policy Modification |
| T1114 | Email Collection |
| T1567 | Exfiltration Over Web Service |
| T1190 | Exploit Public-Facing Application |
| T1068 | Exploitation for Privilege Escalation |
| T1133 | External Remote Services |
| T1083 | File and Directory Discovery |
| T1657 | Financial Theft |
| T1589 | Gather Victim Identity Information |
| T1564 | Hide Artifacts |
| T1656 | Impersonation |
| T1105 | Ingress Tool Transfer |
| T1556 | Modify Authentication Process |
| T1578 | Modify Cloud Compute Infrastructure |
| T1621 | Multi-Factor Authentication Request Generation |
| T1046 | Network Service Discovery |
| T1588 | Obtain Capabilities: Tool |
| T1003 | OS Credential Dumping |
| T1069 | Permission Groups Discovery: Cloud Groups |
| T1566 | Phishing: Spearphishing Voice |
| T1598 | Phishing for Information |
| T1572 | Protocol Tunneling |
| T1090 | Proxy |
| T1219 | Remote Access Tools |
| T1021 | Remote Services: Cloud Services |
| T1018 | Remote System Discovery |
| T1539 | Steal Web Session Cookies |
| T1553 | Subvert Trust Controls: Code Signing |
| T1552 | Unsecured Credentials |
| T1078 | Valid Accounts |
| T1102 | Web Service |
| T1047 | Windows Management Instrumentation |
| T1660 | Phishing |
| T1451 | SIM Swapping |
[1] Can Microsoft and CrowdStrike get everyone else to just agree on how to name these folks?