Significant shift to social engineering: Over the past two years, many Scattered Spider members have been arrested and even convicted, including one key member known as “King Bob,” who was arrested in early 2024 and later pleaded guilty to the charges against him. Six other significant Scattered Spider members were arrested in late 2024.

Due to these law enforcement actions, by early 2025, the group seemed to have halted its operations. “For us at Silent Push, around November and December of last year, we were seeing a drop off of their infrastructure,” Edwards said. “Their phishing pages stopped being created. But in early 2025, we picked up their phishing kits coming live again and targeting a variety of brands.”

Experts say that besides aligning with DragonForce, Scattered Spider has shifted its preferred mode of infiltration from phishing to socially engineering its way into organizations.

“What’s important about the recent UK campaign is the shift in their tactics,” Edwards said. “What we’re seeing right now is zero phishing kits live. The new stuff here in the US appears to be exclusively social engineering focused, where they’re reaching out to help desks, trying to do password resets, and reaching out to employees to try and get their credentials.”

The group even uses SIM swapping to pose as legitimate employees seeking password resets. “We know that they have SIM swapping capabilities,” Linares said, with the Harrods attack attributed to SIM swapping. “We know they’re likely working with individuals who work at the ISPs or the providers and helping them get that information.”

“What they’ll do is often they’ll call in pretending to be a legitimate employee of the company,” Austin Larsen, principal threat analyst at Google Mandiant, said during a webinar on defending against UNC3944. “Oftentimes, they come into these calls, into these help desks equipped with a lot of information about their target user.”

He added, “They’re able to provide the Social Security number, for example, of their target user, their address, or other personal information. It is a challenge for help desks to detect some of these attacks, given how much research and information the actor typically has going into these phone calls.”
Focus on the human factors as a first line of defense: Given Scattered Spider’s impressive success with social engineering in the UK, experts say CISOs should first focus on their organizations’ softest targets, namely the help desk workers and employees the hackers seek to manipulate.

“They know how help desks work,” Hamilton said. “They do a bunch of research, and they’ll get enough information on a user to be able to impersonate them at the help desk for a password reset, and then they’re in.”

“What sets this group apart is that their attack styles are not technically complex,” Palo Alto’s Russo said. “These aren’t zero-day exploits of vulnerabilities. They target people, so they’re going after the human element.”

CISOs should provide help desk personnel with procedures for reporting suspicious password reset calls and guide them on getting out of those conversations as quickly as possible.

“What CISOs need to do is make sure that their humans are prepared for this kind of attack, that they have these red flags in place so that when a line is crossed in a call or a conversation, it ends,” Russo said. “If there is ever a question of identity when they’re talking to somebody, if there’s any slip-up, if anything is missing, that’s a red flag to say, you know what? I need to contact your manager and get verification.”

But the help desk is not the only one that needs education. Experts say all employees should be aware of the group’s social engineering tactics.

“They act like the employee to the help desk, but they also act as the help desk when calling employees,” Huntress’ Linares said. “It works both ways. I have seen that attack occur where they call the employee and say, ‘Hey, we saw that alert happen on your machine; we need to log in or get access to that. Please run this script and this tool so we can remote in.’”

Speed is of the essence in these situations. “Don’t give them a chance to keep manipulating your people because the longer you can keep somebody on the phone or online, the more likely you are to have success getting them to violate their processes and procedures,” Russo said.
Tracking the hackers is a must: Unfortunately, adept Scattered Spider hackers can bamboozle even the most prepared help desk workers. Experts say that CISOs should, therefore, have detection and tracking mechanisms to follow the intruders once they have gained access.

“What do they do with these legitimate user credentials?” Google’s Larsen asked. “They usually start by looking at internal documentation for their victim organization. We see them, for example, in SharePoint searching for keywords such as VPN, MFA, or network map, trying to better understand what their victim environment looks like and how they can further expand their access into the environment. We also see them, for example, searching through chat platforms like Slack or Teams for any plain text secrets or credentials, especially for VMware or vCenter.”

But after this phase, they move extremely quickly to fan out through the organization’s assets. “Once they move laterally using whatever valid credentials they have or they can find, we see them establish persistence quickly and pretty extensively, which makes remediation far more difficult for victims,” Larsen said. Attackers often use legitimate remote access utilities that antivirus solutions won’t pick up. “So, an investigation using EDR utilities or solutions is needed.”

“If we can stop it, it’s ideal, but detection is a must,” Russo said. “If they’ve gotten in there, we need to detect them. Look for users who are doing stuff they don’t normally do. So, for example, they’re in as this user, they’ve authenticated the network, and then they start looking at different data stores all in a big sequence. Well, that’s not normal for that user to do. We need to detect that.”
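The two behaviours Larsen and Russo describe above, reconnaissance searches for terms like VPN, MFA, network map or vCenter, and a freshly authenticated user suddenly touching many data stores in quick succession, can both be turned into simple detections over audit logs. The following is an added example, not code from the article or from any of the vendors quoted in it. It assumes a generic audit-event shape (timestamp, user, action, target), an hour-long window, a keyword list extended with "password" and "vmware" as an assumption, and a burst threshold of three times the user's own median (with a floor of four stores); the log records are constructed for illustration.

```python
"""Added example: flag reconnaissance searches and data-store bursts in audit logs.

Not from the CSO Online article; thresholds, keyword list and log format are
assumptions. All events below are constructed sample data.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import median

# Terms the article's sources report intruders searching for in SharePoint and
# chat platforms; "vmware" and "password" are added here as assumptions.
RECON_KEYWORDS = ("vpn", "mfa", "network map", "vcenter", "vmware", "password")
WINDOW = timedelta(hours=1)


def _ev(ts, user, action, target):
    """Build one constructed audit record; 'target' is a store path or a search query."""
    return {"ts": datetime.fromisoformat(ts), "user": user, "action": action, "target": target}


# Constructed history: a few days of ordinary activity, one or two stores per hour.
HISTORY = [
    _ev("2025-05-05T09:00", "jdoe", "access", "share://finance"),
    _ev("2025-05-05T10:15", "jdoe", "access", "share://finance"),
    _ev("2025-05-05T14:00", "jdoe", "access", "wiki://hr-policies"),
    _ev("2025-05-06T09:05", "jdoe", "access", "share://finance"),
    _ev("2025-05-06T11:30", "jdoe", "access", "share://finance"),
    _ev("2025-05-07T09:00", "jdoe", "access", "wiki://hr-policies"),
    _ev("2025-05-05T09:00", "asmith", "access", "share://eng"),
    _ev("2025-05-05T09:30", "asmith", "access", "git://infra"),
    _ev("2025-05-06T10:00", "asmith", "access", "share://eng"),
    _ev("2025-05-06T10:20", "asmith", "access", "git://infra"),
    _ev("2025-05-07T15:00", "asmith", "access", "wiki://runbooks"),
]

# Constructed "today": jdoe's account, just reset through the help desk, fans out.
RECENT = [
    _ev("2025-05-12T13:02", "jdoe", "search", "sharepoint: vpn setup guide"),
    _ev("2025-05-12T13:04", "jdoe", "access", "share://finance"),
    _ev("2025-05-12T13:06", "jdoe", "access", "share://it-admin"),
    _ev("2025-05-12T13:07", "jdoe", "access", "wiki://network-map"),
    _ev("2025-05-12T13:09", "jdoe", "search", "teams: vcenter password"),
    _ev("2025-05-12T13:11", "jdoe", "access", "share://backups"),
    _ev("2025-05-12T13:13", "jdoe", "access", "git://infra"),
    _ev("2025-05-12T13:15", "jdoe", "access", "share://hr"),
    _ev("2025-05-12T13:18", "jdoe", "access", "wiki://runbooks"),
    _ev("2025-05-12T14:00", "asmith", "access", "share://eng"),
    _ev("2025-05-12T14:10", "asmith", "search", "sharepoint: quarterly roadmap"),
]


def _bucket(ts, window):
    """Floor a timestamp to the start of its fixed-size window."""
    epoch = datetime(1970, 1, 1)
    return epoch + ((ts - epoch) // window) * window


def distinct_per_window(events, window):
    """Map each user to {window_start: set of distinct stores accessed in that window}."""
    out = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] == "access":
            out[e["user"]][_bucket(e["ts"], window)].add(e["target"])
    return out


def build_baseline(history, window):
    """Per-user median number of distinct stores touched per active window."""
    return {user: median(len(s) for s in buckets.values())
            for user, buckets in distinct_per_window(history, window).items()}


def flag_bursts(recent, baseline, window, factor=3.0, floor=4):
    """Return (user, window_start, distinct_count) where a user far exceeds their baseline."""
    hits = []
    for user, buckets in distinct_per_window(recent, window).items():
        typical = baseline.get(user, 1)  # unseen users get the most sensitive baseline
        for start, targets in sorted(buckets.items()):
            if len(targets) >= max(floor, factor * typical):
                hits.append((user, start, len(targets)))
    return hits


def flag_recon_searches(events, keywords=RECON_KEYWORDS):
    """Return (user, timestamp, matched_keywords) for searches containing a recon term."""
    hits = []
    for e in events:
        if e["action"] == "search":
            query = e["target"].lower()
            matched = [k for k in keywords if k in query]
            if matched:
                hits.append((e["user"], e["ts"], matched))
    return hits


if __name__ == "__main__":
    base = build_baseline(HISTORY, WINDOW)
    for user, start, n in flag_bursts(RECENT, base, WINDOW):
        print(f"BURST  {user} touched {n} distinct stores in the hour from {start}")
    for user, ts, kws in flag_recon_searches(RECENT):
        print(f"RECON  {user} at {ts} searched for {kws}")
```

The baseline is computed from each user's own past windows, so an engineer who routinely opens several repositories an hour is not flagged for doing so again, while a finance user who normally opens one share and then sweeps eight stores in a quarter of an hour is. Either detection on its own is noisy; the combination of a reconnaissance search followed by a burst from the same account shortly after a help-desk password reset is the pattern worth paging on.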
Don’t pay the ransom: In the case of Scattered Spider’s hacking of the two casino operators in 2023, Caesars emerged relatively unscathed because it paid the demanded ransom of $15 million, while MGM Resorts, which didn’t pay the ransom, got hosed for $145 million in expenses and class-action lawsuit payments, among other costs.

However, experts say that despite these examples, it’s a bad idea to pay Scattered Spider a ransom if they successfully encrypt files and steal valuable data.

“We know that paying that ransom just incentivizes them,” Lumifi’s Hamilton said. “It gives them money to keep doing what they’re doing.”

Moreover, “It is often faster to restore from backups,” he added. “If you have good controls in place, you have immutable backups, and you have processes, and you know exactly what the order of things to come back up is, you can do that faster than you can apply a decryption key, which many times doesn’t work very well.”

“If you pay that ransom, they could still absolutely put all of your data on the internet because these are children and they are outrageous individuals,” Silent Push’s Edwards said. “The decryption keys may not work. And paying definitely doesn’t guarantee that the data won’t leak. It’s not a guarantee in any way.”
First seen on csoonline.com
Jump to article: www.csoonline.com/article/3994369/how-cisos-can-defend-against-scattered-spider-ransomware-attacks.html