Severity: critical | April 14, 2026

Scattered Spider: Social Engineering and Ransomware Extortion


Scattered Spider is a financially motivated cybercriminal group that targets large companies and the IT help desks contracted to them. It layers social engineering techniques, including vishing, spearphishing, MFA push bombing, and SIM swaps, to obtain credentials, defeat MFA, and gain initial access to corporate networks.

Once inside, the actors register their own MFA tokens on compromised accounts, deploy remote monitoring and management (RMM) tools for persistence, and add their own federated identity provider to the victim's SSO tenant so that access survives password changes. They escalate privileges by social engineering IT help desk staff into resetting passwords and MFA tokens for targeted accounts.

For discovery and lateral movement, Scattered Spider enumerates Active Directory, searches SharePoint sites and code repositories, activates AWS Systems Manager Inventory to find targets, and moves across both pre-existing and actor-created EC2 instances. The actors search Slack, Microsoft Teams, and Exchange for evidence that they have been detected, and join incident response calls to stay ahead of defenders.

Exfiltration destinations include Snowflake data warehouses, MEGA.NZ, and Amazon S3 buckets; the group uses extract-transform-load (ETL) tools to centralize data before moving it out. In recent campaigns the actors have deployed DragonForce ransomware against VMware ESXi servers after exfiltrating data, communicating ransom demands via TOR, Tox, email, or encrypted messaging. Throughout, they route traffic through proxy networks and rotate machine names to evade detection.

Library detections (8)
  • Suspected MFA Fatigue Attack in EntraID
  • MFA Bypass Attempt
  • MFA Method Registered After Password Reset
  • Identification of Mimikatz Execution & Artifacts
  • Authentication Policy MFA Downgrade
  • Execution of Known Credential Dumping Tools
  • Process Connection to MEGA Domain
  • Account Created and Granted Privileged Role
Additional detection ideas (4)
  • Detect forged SAML tokens or web credentials used from IPs not associated with the identity provider
  • Detect traffic routing through proxy services, VPNs, or residential proxy networks not sanctioned by the organization
  • Detect lateral movement via cloud services — unusual API calls or console logins across accounts
  • Monitor third-party vendor access for unusual activity patterns or access outside normal business hours
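Two of the library detections above, "Suspected MFA Fatigue Attack in EntraID" and "MFA Method Registered After Password Reset", implemented as plain Python over constructed Entra ID sign-in and audit events, with a correlation step that flags users hit by both. This is an added example written for this brief, not code from the source report or from the detection library. The event field names, the result code 500121 (treated here as a denied or uncompleted MFA challenge), and the audit operation names are assumptions modelled on Entra ID exports; map them to your own schema before use.

```python
"""Added example: MFA push-bombing and post-reset MFA enrolment detections
over constructed Entra ID events. All field names and codes are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

MFA_DENIED = 500121                               # assumed: MFA challenge denied/not completed
SUCCESS = 0                                       # assumed: interactive sign-in succeeded
PASSWORD_RESET = "Reset user password"            # assumed audit log operation name
MFA_REGISTERED = "User registered security info"  # assumed audit log operation name


def ts(event):
    return datetime.fromisoformat(event["time"])


# Constructed sample data (not real logs): a vished help-desk reset at 01:40,
# a push-bombing burst the victim finally approves at 02:06, then the actor
# enrolling their own authenticator at 02:15. bob and carol are controls.
SIGN_INS = [
    *[{"time": f"2026-04-14T02:0{i}:00", "user": "alice@corp.example",
       "result": MFA_DENIED, "ip": "203.0.113.10"} for i in range(6)],
    {"time": "2026-04-14T02:06:00", "user": "alice@corp.example",
     "result": SUCCESS, "ip": "203.0.113.10"},
    # bob: two denied prompts, then a normal sign-in (below threshold)
    {"time": "2026-04-14T02:30:00", "user": "bob@corp.example", "result": MFA_DENIED, "ip": "198.51.100.7"},
    {"time": "2026-04-14T02:31:00", "user": "bob@corp.example", "result": MFA_DENIED, "ip": "198.51.100.7"},
    {"time": "2026-04-14T02:32:00", "user": "bob@corp.example", "result": SUCCESS, "ip": "198.51.100.7"},
    # carol: seven denials and no success, i.e. the user held out
    *[{"time": f"2026-04-14T03:0{i}:00", "user": "carol@corp.example",
       "result": MFA_DENIED, "ip": "203.0.113.10"} for i in range(7)],
]

AUDITS = [
    {"time": "2026-04-14T01:40:00", "op": PASSWORD_RESET, "actor": "helpdesk@corp.example", "target": "alice@corp.example"},
    {"time": "2026-04-14T02:15:00", "op": MFA_REGISTERED, "actor": "alice@corp.example", "target": "alice@corp.example", "method": "Microsoft Authenticator"},
    {"time": "2026-04-14T09:00:00", "op": PASSWORD_RESET, "actor": "helpdesk@corp.example", "target": "dave@corp.example"},
    {"time": "2026-04-14T14:00:00", "op": MFA_REGISTERED, "actor": "dave@corp.example", "target": "dave@corp.example", "method": "Phone"},  # outside window
    {"time": "2026-04-14T10:00:00", "op": MFA_REGISTERED, "actor": "erin@corp.example", "target": "erin@corp.example", "method": "FIDO2"},  # no reset
]


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """One alert per user whose denied MFA prompts reach `threshold` inside
    `window`. `approved_at` records a success that followed the burst within
    the same window (the push the victim finally accepted), else None."""
    by_user = defaultdict(list)
    for e in sorted(events, key=ts):
        by_user[e["user"]].append(e)
    alerts = []
    for user, evs in by_user.items():
        denied = [e for e in evs if e["result"] == MFA_DENIED]
        for i in range(len(denied)):                      # slide the window start
            start = ts(denied[i])
            burst = [d for d in denied[i:] if ts(d) - start <= window]
            if len(burst) < threshold:
                continue
            end = ts(burst[-1])
            approved = [e for e in evs if e["result"] == SUCCESS
                        and end <= ts(e) <= start + window]
            alerts.append({"user": user, "denied": len(burst),
                           "approved_at": approved[0]["time"] if approved else None})
            break                                          # report each user once
    return alerts


def detect_mfa_after_reset(audits, window=timedelta(hours=1)):
    """Pair each password reset with any new MFA registration for the same
    target within `window` after it; a help-desk reset followed by enrolment
    of an unfamiliar method is the pattern the brief describes."""
    resets = [a for a in audits if a["op"] == PASSWORD_RESET]
    regs = [a for a in audits if a["op"] == MFA_REGISTERED]
    hits = []
    for r in resets:
        for m in regs:
            if m["target"] == r["target"] and timedelta(0) <= ts(m) - ts(r) <= window:
                hits.append({"user": r["target"], "reset_by": r["actor"], "reset_at": r["time"],
                             "registered_at": m["time"], "method": m.get("method")})
    return hits


def correlate(sign_ins, audits):
    """Users that triggered both detections: escalate these first."""
    fatigued = {a["user"] for a in detect_mfa_fatigue(sign_ins)}
    enrolled = {h["user"] for h in detect_mfa_after_reset(audits)}
    return sorted(fatigued & enrolled)


if __name__ == "__main__":
    for a in detect_mfa_fatigue(SIGN_INS):
        print("MFA fatigue:", a)
    for h in detect_mfa_after_reset(AUDITS):
        print("MFA registered after reset:", h)
    print("Correlated:", correlate(SIGN_INS, AUDITS))
```

The threshold and windows are starting points, not tuned values: lower the registration window where help-desk resets are rare, and add the reset actor and registration source IP to the alert so the analyst can see whether the new method was enrolled from an address unrelated to the user's history.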