
May 9, 2025 | 10 min | Experts

Scattered Spider: What you need to know about the ransomware gang causing chaos in UK retail

Several British retail companies, including Harrods and Marks & Spencer, appear to have had their operations disrupted by the group.

Popular British retailer Marks & Spencer was hit by a costly cyberattack over this past Easter weekend and has been forced to shut down its online operations. According to an April 23 Marks & Spencer press release, “We are working hard to restore our services and minimise disruption and are being supported by industry-leading experts.” I recently saw mostly empty shelves at the Marks & Spencer at Heathrow Airport. An online ransomware gang, Scattered Spider, appears to be behind the attack. Below, I outline:

  • The origins of Scattered Spider
  • Their attack techniques and tactics
  • How to build cyber resilience to these attacks

The rising number of cyberattacks—particularly in retail—was among the topics covered recently when Cohesity CEO and President Sanjay Poonen spoke with CNBC Squawk Box Europe. (You can watch that embedded video below.)

What is Scattered Spider, and what are its origins?

The 2023 MGM Resorts cyberattack was claimed by the ALPHV/BlackCat ransomware gang. However, the initial access was gained by a British English-speaking hacker who socially engineered MGM’s helpdesk into resetting an employee’s password. Cohesity Data Security Alliance partner CrowdStrike dubbed this group “Scattered Spider.” Scattered Spider was also responsible for the attack on Caesars Entertainment, where the company paid the group at least half of a $30 million ransom to obtain decryption keys and prevent the release of data stolen during the attack.

Scattered Spider’s origins lie in a group known as “The Community,” AKA “The Com.” Rather than a single, homogeneous group, The Com is more like a distributed cybercriminal social network whose members can form into groups to collaborate on particular cyber actions. The Com has also been implicated in a variety of unsavoury activities outside of ransomware, such as cyberbullying, stalking, and harassment of vulnerable teenagers—forcing them into filming themselves physically harming themselves, killing their pets, and producing child sex exploitation material. The implications of a group with such warped morals moving into the ransomware criminal marketplace should not be underestimated.

One member of Scattered Spider, who went by the moniker Holy, was a British 17-year-old arrested by West Midlands Police for his part in the attack on MGM. As is common with members of cybercriminal groups, Holy was involved in other groups before joining Scattered Spider, most notably LAPSUS$, whose leaked chat logs showed they had been involved in attacks on technology companies such as Electronic Arts, Microsoft, NVIDIA, Okta, Samsung, and T-Mobile.

Other groups affiliated with The Com were involved in the 2023 theft of large amounts of data from customer accounts of the Snowflake cloud AI data platform. Many large enterprises had uploaded huge quantities of sensitive and regulated data to the Snowflake platform without protecting it with strong authentication. The group trawled cybercrime forums for stolen Snowflake credentials and used credential stuffing to gain access to and steal data from over 160 accounts belonging to high-profile businesses, including AT&T, Ticketmaster, LendingTree, Advance Auto Parts, Neiman Marcus, and Santander Bank.

Cohesity Data Security Alliance Partner Mandiant named this group UNC5537 and reported that these companies had been approached to pay a ransom to prevent the publication of the stolen data. A member of the UNC5537 group was frequently featured on The Com list of the “100 richest SIM-swappers,” a technique used to gain initial access to systems that can be later either leveraged to deploy ransomware, or sold to ransomware operators by organisations known as “Initial Access Brokers.” This user had previously been a member of a cybercriminal group known as Beige. Beige has been implicated in voice phishing attacks (“vishing”) during the COVID-19 pandemic and an attack on GoDaddy that redirected traffic from tens of thousands of its customers to a cryptocurrency scam.

In 2023, overlaps between the activities of the largely English-speaking Scattered Spider and The Com communities and the Russian-speaking ransomware gang ALPHV/BlackCat were becoming clear. In an attack on Reddit, the tools, techniques, and procedures for initial access common to Scattered Spider were seen facilitating a ransomware attack later claimed by ALPHV/BlackCat. This implies that Scattered Spider was operating either as an Initial Access Broker for an ALPHV/BlackCat affiliate or as an affiliate of the ALPHV/BlackCat Ransomware-as-a-Service platform itself.

Watch Cohesity CEO and President Sanjay Poonen on CNBC Squawk Box Europe*, below:

2025: Scattered Spider reemerges as a stand-alone entity with a focus on retail

Scattered Spider exists in the broader cybercriminal community, where members from different groups collaborate, migrate, or align. There was a lull in Scattered Spider’s activity after the attacks on MGM and Caesars in May 2022. Instead, they provided support to other criminal gangs. But in April 2025, several British retail companies, including Harrods and Marks & Spencer, appeared to have had their operations disrupted by the group. In the Marks & Spencer attack, it appears that initial access was gained in February 2025, after which the contents of the company’s Active Directory were stolen. The adversaries dwelled for months before eventually deploying the DragonForce ransomware encryptor on 24th April.

How Scattered Spider conducts attacks

One of the most notable things about Scattered Spider is their adeptness at social engineering, defence evasion, and advanced persistence mechanisms.

Evasion of cybersecurity tools like Endpoint Detection and Response (EDR) is commonplace in most Ransomware-as-a-Service platforms, rendering organisations blind to new and ongoing attacks. A common technique used by the group includes Bring-Your-Own-Vulnerable-Device-Driver (BYOVD), where a signed device driver that operates at the layer between hardware and the operating system is used to gain SYSTEM-level access and to terminate the processes of security solutions.

Scattered Spider’s evasion capabilities extend beyond those common to other ransomware gangs and include targeting weak implementations of Identity & Access Management and Single Sign-On solutions, including Okta. Scattered Spider has been known to socially engineer mobile phone helpdesks or SIM replacement portals so they can conduct a “SIM Swapping” attack by taking control of the target’s phone number. This gives them access to the target’s SMS messages, including Two-Factor Authentication codes. Scattered Spider is also known to send bulk phishing links via SMS posing as SSO login portals to capture valid credentials.
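To show how a defender can spot the smishing pages described above in their own telemetry, here is an added detection example (not code from the article or from Cohesity) that flags lookalike SSO and helpdesk domains in proxy log lines, following the naming patterns the article attributes to the group (`<org>-sso`, `<org>-servicedesk`, `<org>-okta`). The organisation name `examplecorp`, its legitimate domains, the extra lure suffixes and the log lines are all constructed.

```python
import re
from urllib.parse import urlsplit

ORG = "examplecorp"                                          # constructed organisation name
LEGIT_DOMAINS = {"examplecorp.com", "examplecorp.okta.com"}  # constructed real tenant domains
# The three lure suffixes the article lists, plus a few that follow the same
# naming pattern (the extras are an assumption, not from the article).
LURE_SUFFIXES = ("sso", "servicedesk", "okta", "helpdesk", "vpn", "login")

def is_lookalike(host: str) -> bool:
    """True if the host's second-level label is <org>-<suffix> or <suffix>-<org>.
    Deliberately simple: no public-suffix list, so 'org-sso.co.uk' is not handled."""
    host = host.lower().rstrip(".")
    if host in LEGIT_DOMAINS or any(host.endswith("." + d) for d in LEGIT_DOMAINS):
        return False                 # the real tenant and its subdomains are fine
    labels = host.split(".")
    if len(labels) < 2:
        return False
    base = labels[-2]                # e.g. 'examplecorp-sso' from 'examplecorp-sso.com'
    return any(base in (f"{ORG}-{s}", f"{s}-{ORG}") for s in LURE_SUFFIXES)

# Constructed proxy log format: '<timestamp> user=<id> url=<url>'
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+url=(?P<url>\S+)")

def scan(lines):
    """Return (timestamp, user, host) for every visit to a lookalike domain."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue                 # skip lines that do not match the format
        host = urlsplit(m["url"]).hostname or ""
        if is_lookalike(host):
            hits.append((m["ts"], m["user"], host))
    return hits

SAMPLE_LOG = """\
2025-04-15T09:12:03Z user=jdoe url=https://examplecorp.okta.com/app/dashboard
2025-04-15T09:14:41Z user=jdoe url=https://examplecorp-sso.com/login?u=jdoe
2025-04-15T09:20:07Z user=asmith url=https://www.examplecorp.com/news
2025-04-15T11:02:55Z user=asmith url=https://examplecorp-servicedesk.com/reset
2025-04-15T11:03:10Z user=kng url=https://okta-examplecorp.net/verify
""".splitlines()

if __name__ == "__main__":
    for ts, user, host in scan(SAMPLE_LOG):
        print(f"{ts} {user} visited lookalike domain {host}")
```

Users who appear in the output are candidates for an immediate credential reset and MFA re-enrolment, since the page they visited exists to harvest exactly those.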

Once inside a victim’s infrastructure, Scattered Spider has highly proficient skills in “living off the land” in enterprise Windows environments, all major cloud providers, and virtualized infrastructure. They use the organisation’s own IT capabilities to mask the progression of the attack and ensure they maintain persistence if an organisation reverts to a backup snapshot without sufficient investigation and remediation of the threats found.

Overview of Scattered Spider attack tactics and techniques

[Graphic: MITRE ATT&CK stages and techniques used by Scattered Spider]

  • Initial Access (TA0001)
    • SMS Phishing (T1660) and Spearphishing Voice (T1566.004) posing as the victim organisation’s IT support staff to convince employees to execute Remote Access Software (T1219) or to get the user to execute an application (T1204).
      • This software has included common legitimate IT remote access and management tooling such as Fleetdeck.io, Level.io, Pulseway, ScreenConnect, Splashtop, Tactical RMM, Tailscale and TeamViewer.
      • Scattered Spider has also been observed to use common malware variants, such as AveMaria/WarZone (S0670), Raccoon Stealer (S1148), and Vidar Stealer, Remote Access Trojans (RATs) capable of stealing data, including login credentials (TA0006), browser history (T1217), and cookies (T1539).
    • Multifactor Authentication (MFA) fatigue attacks, where they send multiple authentication requests to the end user for approval, prompting the user to eventually approve one to stop the barrage of authentication requests to their mobile device or computer.
    • SMS Phishing (T1660) techniques to get the user to follow links to specially crafted fake domains that resemble the real organisation in order to capture credentials; these include [VICTIM ORGANISATION NAME]-sso.com, [VICTIM ORGANISATION NAME]-servicedesk.com, and [VICTIM ORGANISATION NAME]-okta.com.
    • SIM Swapping (T1451) attacks against users in the victim organisation who responded to the smishing/vishing attack, using open-source intelligence to target the most valuable users and to gather information likely to be used in password reset questions.
  • Defense Evasion (TA0005)
    • Impersonation (T1656) to contact the victim organisation’s IT help desk to reset passwords and/or Multi-Factor Authentication tokens.
    • Disable or Modify Tools (T1562.001) such as Endpoint Detection and Response (EDR) and anti-virus by deploying a vulnerable, signed device driver. Operating at a layer below the operating system, the vulnerable device driver provides SYSTEM-level access and allows the adversary to blind the security and IT tooling to malicious activities.
  • Credential Access (TA0006)
    • As mentioned in Initial Access above, Scattered Spider uses SMS Phishing (T1660) and Spearphishing Voice (T1566.004) techniques to capture valid credentials.
    • Scattered Spider uses Mimikatz for OS Credential Dumping of LSASS Memory (T1003.001), which dumps credential material stored in the process memory of the Local Security Authority Subsystem Service (LSASS), including any cached credentials of domain administrators.
  • Persistence (TA0003)
    • At this point in the attack (T1556.006, T1606), they add a federated identity provider to the victim’s Single Sign-On tenant and activate automatic account linking by modifying domain trust (T1484.002), allowing Scattered Spider to sign into any matching SSO account. Because the threat actors now control the identity provider, they can continue to log in even if passwords are changed (T1556.006).
  • Privilege Escalation (TA0004)
    • As mentioned in Defense Evasion above, Scattered Spider uses vulnerable, signed device drivers (T1068) to gain SYSTEM privileges.
    • Because a federated identity provider under the control of the adversary has been added, they are able to log into any SSO account, including those with administrative privileges.
    • Scattered Spider has been observed to use the remote shell capabilities of the victim’s now-blinded Endpoint Detection & Response (EDR) tools to execute commands on an endpoint to further escalate privileges.
    • The remote access and management tooling and Remote Access Trojans installed during the Initial Access stage of the attack also continue to provide Scattered Spider with persistence in the victim infrastructure.
  • Discovery (TA0007)
    • Scattered Spider systematically searches for backup servers to target in order to Inhibit System Recovery (T1490), SharePoint servers (T1213.002), credentials left in files (T1552.001), any VMware vCenter hypervisors (T1018), and instructions for setting up or authenticating to the Virtual Private Networks (VPNs) used by the organisation.
    • Active Directory (AD) is enumerated (T1482).
    • Systems are searched for code repositories and code-signing certificates (T1083).
    • Scattered Spider then activates Amazon Web Services (AWS) Systems Manager Inventory (T1538) to discover additional targets for lateral movement.
  • Lateral Movement (TA0008)
    • The threat actor then moves to pre-existing (T1021.007) and Scattered Spider-created (T1578.002) Amazon Elastic Compute Cloud (EC2) instances.
  • Collection (TA0009)
    • Scattered Spider threat actors deploy extract, transform, and load (ETL) tools to collect data from multiple sources to a system identified for staging (T1074) inside the victim’s infrastructure.
  • Exfiltration (TA0010)
    • Data from cloud storage is extracted (T1530).
    • They conduct Exfiltration to Cloud Storage (T1567.002) of stolen data, including to popular file sharing services like Mega.nz.
  • Impact (TA0040)
    • Data Encrypted for Impact (T1486)
      • Scattered Spider deploys and detonates the DragonForce encryptor, encrypting the victim’s systems.
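As an added example (not from the article or from Cohesity) of how a defender might detect the MFA fatigue technique listed under Initial Access above, the following Python scans push-challenge log lines for a burst of challenges to one user that ends in an approval, which is the moment the technique succeeds. The log format, the window and burst thresholds, and the events are all constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(minutes=10)   # look-back window per user (assumed tuning value)
BURST = 5                        # push challenges in the window that count as fatigue

def parse(line: str):
    """Parse a constructed line '<ISO timestamp> <user> <outcome>' (sent|denied|approved)."""
    ts, user, outcome = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), user, outcome

def detect_mfa_fatigue(lines):
    """Return (user, approval_time, challenges_in_window) for each suspicious approval."""
    recent = defaultdict(deque)      # user -> timestamps of challenges sent within WINDOW
    alerts = []
    for line in lines:
        ts, user, outcome = parse(line)
        q = recent[user]
        while q and ts - q[0] > WINDOW:   # drop challenges older than the window
            q.popleft()
        if outcome == "sent":
            q.append(ts)
        elif outcome == "approved" and len(q) >= BURST:
            alerts.append((user, ts, len(q)))   # a normal login approves after one challenge
            q.clear()                           # one alert per burst
    return alerts

# Constructed log: asmith is a normal login; jdoe is bombarded and eventually approves.
SAMPLE_LOG = """\
2025-04-15T08:01:00Z asmith sent
2025-04-15T08:01:20Z asmith approved
2025-04-15T22:10:00Z jdoe sent
2025-04-15T22:10:30Z jdoe denied
2025-04-15T22:11:00Z jdoe sent
2025-04-15T22:11:40Z jdoe sent
2025-04-15T22:12:15Z jdoe denied
2025-04-15T22:12:50Z jdoe sent
2025-04-15T22:13:30Z jdoe sent
2025-04-15T22:14:05Z jdoe approved
""".splitlines()

if __name__ == "__main__":
    for user, when, n in detect_mfa_fatigue(SAMPLE_LOG):
        print(f"{user}: approved a push at {when.isoformat()} after {n} challenges in {WINDOW}")
```

A hit on this rule warrants treating the approved session as attacker-controlled (revoke it and the user's tokens) rather than only resetting the password, since the group's next step is typically a helpdesk call or identity-provider change that survives a password reset.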

One striking thing about Scattered Spider that is worth calling out is the lengths to which they go to hamper incident response and recovery efforts. They will often search the victim organisation’s Exchange mailboxes (T1114) and Teams and Slack conversations (T1213.005) looking for evidence that their intrusion has been discovered and for the steps the victim organisation is taking to investigate and evict them. They have even been known to eavesdrop on calls and teleconferences conducted by the incident response and recovery teams, allowing them to gain insight into how security teams are progressing in their investigation and to proactively develop new avenues of intrusion in response.

How to build cyber resilience to Scattered Spider attacks

Ensure your organisation has backed up critical data and protected that backup with multiple layers of defence to mitigate the risk from advanced and adaptive criminal adversaries, such as Scattered Spider, that have the capabilities to compromise administrative accounts. This includes the immutability, separation of duties, least privilege, strong authentication and vaulting capabilities of modern data management platforms like Cohesity DataProtect.

  • Implement phishing-resistant MFA to mitigate the risk of identity-based attacks such as SMS smishing, SIM swapping, and other forms of social engineering used by Scattered Spider.
  • Conduct proactive threat hunting looking for Indicators of Compromise of the early stages of a Scattered Spider attack using a capability that cannot be evaded by the techniques used by the group, such as Cohesity’s DataHawk.
  • Implement the Microsoft-recommended driver block list to mitigate the risk of the Bring Your Own Vulnerable Device Driver attacks used by Scattered Spider to evade endpoint security controls and escalate privileges.
  • Follow best practices to mitigate risk related to your organisation’s remote access solutions, such as remote desktop and virtual private networks.
  • Ask executives from your organisation to participate in a realistic ransomware simulation, such as the Cohesity Ransomware Resilience Workshop, to understand the realities of building a resilient organisation through effective and efficient incident response and secure recovery.
  • Make sure that you have classified your data so that you are aware of your regulatory obligations. Solutions like Cohesity DataHawk can classify the unstructured data scattered across the organisation that threat actors like Scattered Spider proactively look for. In addition, the Cohesity Digital Jump Bag makes sure that your organisation can restore a trusted communication capability and provides rapid access to notification templates so your public relations and compliance teams can contact regulators, the press, and impacted data subjects.
  • Ensure that the tooling and resources needed to respond and recover from an incident conducted by an adversary, such as Scattered Spider, determined to maintain persistence and disrupt attempts to evict them, are rapidly available to your teams. The Cohesity Digital Jump Bag provides such a capability.


*©2025 CNBC, All rights reserved, used with permission

Written by

James Blake

Global Cyber Resiliency Strategist
