FBI Warns of Increased Scattered Spider Attacks in US


The FBI has confirmed that Scattered Spider is now actively targeting the airline industry, using advanced social engineering tactics to bypass multi-factor authentication and gain access to enterprise environments.
The group often impersonates employees or contractors when contacting IT help desks, tricking them into enrolling unauthorized MFA devices or resetting credentials. This technique sidesteps strong technical controls by exploiting human trust in urgent or convincing scenarios.
Researchers have observed similar tactics used in recent campaigns against aviation and transportation companies, mirroring previous attacks on insurance providers. These operations often involve compromise of third-party IT vendors, allowing the threat actor to infiltrate larger organizations through a trusted supply chain relationship.
Anti-ransomware provider Halcyon describes Scattered Spider as a major evolution in ransomware threats—highly organized, fast-moving, and technically skilled, The Hacker News reports.
Once inside, the group quickly escalates privileges, disables recovery systems, exfiltrates sensitive data, and detonates ransomware, often across hybrid cloud and on-prem infrastructure.
“In a matter of hours, the group can breach, establish persistent access, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on‑premises and cloud environments.”
What sets Scattered Spider apart is its methodical preparation. Operators study their targets closely, using breach data and social media to craft impersonations so realistic that even trained support staff may be fooled. The group is part of a loosely connected collective with ties to other criminal groups and has been active since at least 2021.
Researchers stress that the core weakness isn’t always in technology—it’s in human-driven identity workflows. Organizations must rethink how help desk authentication works, harden identity verification procedures, and ensure that employees are trained to spot and resist these kinds of sophisticated deception tactics.
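The help desk workflow described above leaves a trace in identity audit logs: a reset performed by someone other than the account owner, followed shortly by enrollment of an MFA device the account has never used. The sketch below is an added example, not code from Halcyon or the FBI. The event schema, field names, sample events and four-hour window are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

WINDOW = timedelta(hours=4)  # assumed correlation window
RESET_ACTIONS = {"password_reset", "mfa_reset"}

# Constructed audit events in a hypothetical schema (not a vendor log format).
EVENTS = [
    {"ts": "2025-07-01T08:00:00", "user": "jdoe", "actor": "jdoe", "action": "sign_in", "device": "laptop-A"},
    {"ts": "2025-07-01T09:02:00", "user": "jdoe", "actor": "helpdesk-07", "action": "mfa_reset", "device": None},
    {"ts": "2025-07-01T09:05:00", "user": "jdoe", "actor": "jdoe", "action": "mfa_enroll", "device": "phone-X"},
    {"ts": "2025-07-01T09:09:00", "user": "jdoe", "actor": "jdoe", "action": "sign_in", "device": "phone-X"},
    # Benign: self-service enrollment with no preceding help desk reset.
    {"ts": "2025-07-01T10:00:00", "user": "asmith", "actor": "asmith", "action": "sign_in", "device": "laptop-B"},
    {"ts": "2025-07-01T10:30:00", "user": "asmith", "actor": "asmith", "action": "mfa_enroll", "device": "phone-B"},
    # Benign: help desk reset, then re-enrollment of an already known device.
    {"ts": "2025-07-01T11:00:00", "user": "mlee", "actor": "mlee", "action": "sign_in", "device": "phone-M"},
    {"ts": "2025-07-01T11:10:00", "user": "mlee", "actor": "helpdesk-02", "action": "password_reset", "device": None},
    {"ts": "2025-07-01T11:20:00", "user": "mlee", "actor": "mlee", "action": "mfa_enroll", "device": "phone-M"},
]

def flag_helpdesk_enrollments(events, window=WINDOW):
    """Flag MFA enrollments of never-seen devices that follow, within
    `window`, a reset performed by someone other than the account owner."""
    known, last_reset, alerts = {}, {}, []
    for e in sorted(events, key=lambda e: e["ts"]):
        ts, user = datetime.fromisoformat(e["ts"]), e["user"]
        seen = known.setdefault(user, set())
        if e["action"] in RESET_ACTIONS and e["actor"] != user:
            last_reset[user] = (ts, e["actor"])
        elif e["action"] == "mfa_enroll":
            reset = last_reset.get(user)
            if reset and ts - reset[0] <= window and e["device"] not in seen:
                alerts.append({
                    "user": user, "device": e["device"], "reset_by": reset[1],
                    "minutes_after_reset": int((ts - reset[0]).total_seconds() // 60),
                })
        if e["device"]:
            seen.add(e["device"])  # device becomes part of the user's baseline
    return alerts

if __name__ == "__main__":
    for alert in flag_helpdesk_enrollments(EVENTS):
        print(alert)
```

An alert here is a prompt for out-of-band verification with the account owner, not proof of compromise; legitimate phone replacements produce the same sequence.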
Takeaway: Scattered Spider is the poster child for how twisted and mature the ransomware economy has become. These guys don’t just run smash-and-grab jobs—they operate like a full-stack criminal enterprise.
They’re initial access brokers one minute, affiliate operators the next, and they’re pulling levers across multiple RaaS crews like DragonForce, Qilin, Akira, and Play depending on the target, the tooling, or the payout model that suits the job.
This isn’t your old-school ransomware gang locking up grandma’s laptop. Scattered Spider blends deep social engineering with a rotating toolkit of partner payloads, choosing the right ransomware flavor for the occasion.
That level of modularity and specialization is a sign of how advanced this ecosystem really is. It’s not just one group doing everything; it’s a network of highly skilled operators, each with a role: access, payload, negotiation, laundering.
But what really sets them apart is their ability to hack humans. They don’t need to burn zero-days when they can convince your help desk to reset MFA or impersonate IT to install remote tools.
Their social engineering playbooks are tight, built from breach data, social media, and sharp timing. It’s not just technical sophistication; it’s psychological warfare. And that’s what makes them so effective.
The weakest link isn’t your tech stack—it’s your workflow. The Halcyon RISE Team has put together a detailed breakdown of Scattered Spider TTPs, as well as guidance for prevention, mitigation, and response to these attacks here: Scattered Spider Tactics Observed Amid Shift to US Targets.