Scattered Spider Tactics Observed Amid Shift to US Targets

Research
Written by
Halcyon RISE Team
Published on
Jun 20, 2025

Since 2021, the Scattered Spider cybercriminal group has rapidly honed its skill in combining human deception with technical precision. In a landscape where most ransomware attacks unfold over days, the group can execute a full data theft and ransomware campaign within hours, quickly causing significant operational impact.  

As Scattered Spider appears to shift focus from UK retail to US insurance, Halcyon is detailing our recent understanding of the group’s tactics to help protect against this threat. Beyond insurance, all sectors with hybrid on-premises and cloud infrastructure should assume they face heightened risk.

UPDATE 6/26/2025: The Halcyon RISE Team is seeing indications that Scattered Spider is also now targeting the Food, Manufacturing, and Transportation (particularly Aviation) sectors in the US.

Key Findings

  • Elite Social Engineering: Uses targeted phishing, vishing, and help-desk impersonation engineered to penetrate hybrid environments, spanning on-prem systems, cloud services, and virtual hosts.
  • Stealthy Privilege Escalation and Persistence: Abuses Active Directory Certificate Services, signed-but-vulnerable drivers, credential dumping, and single sign-on/service accounts to secure SYSTEM- and domain-level access that survives password resets, and dismantles endpoint defenses to evade detection.
  • Double Extortion and Environment-Wide Disruption: Exfiltrates sensitive data within hours, then deploys DragonForce, Qilin, Akira or Play ransomware.
  • Remote Access via Legitimate Tools: Deploys tools like AnyDesk, Ngrok, and Fleetdeck to maintain covert, persistent connectivity across environments.

If You Believe Your Organization May Have Been Compromised:

  • Immediately isolate all impacted systems and affected network segments. Disable any compromised credentials to prevent further unauthorized access.
  • Capture volatile system memory, disk images, logs, and cloud audit trails to preserve evidence for post-incident investigation and attribution analysis.
  • Locate and remove all remote access tools, web shells, vulnerable drivers, and malicious scheduled tasks deployed during the attack.
  • Rotate all domain, service, and administrator credentials. Revoke any unauthorized or malicious certificates that may have been issued during the intrusion.
  • Restore affected systems from clean, offline, and immutable backups. Validate restored environments before reintroducing into production.
  • Conduct proactive threat hunting to identify and eliminate potential backdoors, persistence mechanisms, or lateral movement artifacts.

Operational Impact

Scattered Spider attacks disrupt entire organizations from top to bottom, creating ripple effects that threaten financial viability, customer trust, and operational continuity. These attacks unfold swiftly and ruthlessly, taking ordinary business systems from fully functional to unusable in a matter of hours.

In one high-profile case, a major casino operator endured more than a week of outages that hit customer-facing services, from reservations and payments to door access and gaming systems. A credential-focused social engineering call reportedly lasting under 10 minutes gave the group the access that ultimately forced the shutdown of internal networks, costing the company over $100 million in lost revenue, emergency response, remediation, and legal expenses. It also triggered class-action lawsuits and regulatory scrutiny, leaving the company to manage a prolonged recovery and escalating cyber insurance premiums.

Similarly, a prominent UK retailer was knocked offline this spring and suffered a six-week disruption in key systems, including contactless checkout, online orders, and supply chain logistics. The attack wiped at least £1 billion from its market value, with projected profit losses potentially reaching £300 million. The retailer continues to rebuild services and infrastructure, underscoring the long recovery tail and persistent customer impact.

Scattered Spider’s focus on hypervisors, remote management systems, and hybrid infrastructure undermines the very backbone of enterprise operations. Recovery often takes weeks or months, even with insurance coverage, and the financial and reputational costs extend far beyond the initial ransom demand.

This report pulls back the curtain on Scattered Spider’s lifecycle, aligned with the MITRE ATT&CK framework. What follows is a phase-by-phase breakdown designed to equip defenders with the understanding and operational context needed to detect, disrupt, and dismantle this evolving and highly impactful ransomware threat.

Initial Access

Scattered Spider initiates its attacks through a finely tuned social engineering strategy, combining phishing, phone-based deception, and domain spoofing to obtain entry under the pretense of a legitimate identity. This human deception does not just unlock a single machine; it opens doors across hybrid infrastructure, giving the group footholds in on-premises networks as well as cloud and virtual environments:

Social Engineering & Phishing: Scattered Spider begins with highly targeted social engineering campaigns using email phishing, SMS (text) phishing, and unsolicited phone calls to or from the help desk. The group impersonates executives, IT staff, or managed service provider support to deceive employees, especially supply-chain partners, executives, and IT/security personnel. These interactions trick victims into revealing credentials, approving multi-factor authentication (MFA) push requests, or registering an attacker-controlled MFA device on their account. [T1566 / T1660 / T1566.004]
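
The push-approval abuse described above leaves a recognizable trace in identity-provider logs: a burst of denied or expired pushes for one user, a sudden approval, and often a new authenticator enrolled shortly afterward. The following detection is an added example written for this article, not Halcyon tooling or any vendor's product. The event schema (ts, user, result, src_ip) and the sample log are constructed assumptions; map them to your IdP's sign-in or push-authentication export.

```python
# Added example: detect MFA push-fatigue ("prompt bombing") in identity-provider logs.
# Illustrative code for this article; the ts/user/result/src_ip schema is an assumption.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: j.doe is bombarded with pushes, approves one, and a new
# authenticator is enrolled minutes later; a.smith's single denial is ordinary user error.
SAMPLE_EVENTS = [
    {"ts": "2025-06-20T01:14:02Z", "user": "j.doe",   "result": "DENIED",       "src_ip": "203.0.113.7"},
    {"ts": "2025-06-20T01:14:40Z", "user": "j.doe",   "result": "TIMEOUT",      "src_ip": "203.0.113.7"},
    {"ts": "2025-06-20T01:15:21Z", "user": "j.doe",   "result": "DENIED",       "src_ip": "203.0.113.7"},
    {"ts": "2025-06-20T01:16:05Z", "user": "j.doe",   "result": "TIMEOUT",      "src_ip": "203.0.113.7"},
    {"ts": "2025-06-20T01:17:50Z", "user": "j.doe",   "result": "DENIED",       "src_ip": "203.0.113.7"},
    {"ts": "2025-06-20T01:18:30Z", "user": "j.doe",   "result": "APPROVED",     "src_ip": "203.0.113.7"},
    {"ts": "2025-06-20T01:25:00Z", "user": "j.doe",   "result": "MFA_ENROLLED", "src_ip": "203.0.113.7"},
    {"ts": "2025-06-20T01:30:11Z", "user": "a.smith", "result": "DENIED",       "src_ip": "198.51.100.9"},
    {"ts": "2025-06-20T01:31:02Z", "user": "a.smith", "result": "APPROVED",     "src_ip": "198.51.100.9"},
]

PUSH_FAILED = {"DENIED", "TIMEOUT"}

def parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")

def detect_push_fatigue(events, window=timedelta(minutes=10), min_pushes=4,
                        enroll_window=timedelta(minutes=30)):
    """One alert per APPROVED push preceded by >= min_pushes failed pushes for the same
    user inside `window`. If a new authenticator is enrolled within `enroll_window` after
    the approval (the token-registration step the report describes), the alert is
    escalated to 'critical': the attacker now holds MFA that survives a password reset."""
    by_user = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        by_user[ev["user"]].append(ev)

    alerts = []
    for user, evs in by_user.items():
        for i, ev in enumerate(evs):
            if ev["result"] != "APPROVED":
                continue
            t_ok = parse_ts(ev["ts"])
            prior = [p for p in evs[:i]
                     if p["result"] in PUSH_FAILED and t_ok - parse_ts(p["ts"]) <= window]
            if len(prior) < min_pushes:
                continue
            enrolled = any(n["result"] == "MFA_ENROLLED"
                           and parse_ts(n["ts"]) - t_ok <= enroll_window for n in evs[i + 1:])
            alerts.append({
                "user": user,
                "approved_at": ev["ts"],
                "failed_pushes_before_approval": len(prior),
                "src_ips": sorted({p["src_ip"] for p in prior} | {ev["src_ip"]}),
                "new_factor_enrolled": enrolled,
                "severity": "critical" if enrolled else "high",
            })
    return alerts

if __name__ == "__main__":
    for alert in detect_push_fatigue(SAMPLE_EVENTS):
        print(alert)
```

Tune `min_pushes` and `window` against your own baseline; the enrollment check is the important part, because an approval alone may be a tired user, while approval followed by a new factor is the persistence step that later survives credential rotation.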

Spoofed Domains: To enhance credibility, the attackers register deceptive domains that closely mimic trusted services. These include variants with suffixes like “-partners,” “-vip,” regional codes, and nested country subdomains. Such domain impersonation is used to support phishing campaigns and trick users into interacting with fake web portals. [T1583.001]
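
The naming patterns above (brand plus a "-partners"/"-vip" style suffix, country codes, nested country subdomains) can be scored automatically against a certificate-transparency or registrar feed. The scorer below is an added example written for this article, not Halcyon tooling. The brand list, allowlist, suffix list, scoring weights, and the sample feed are constructed assumptions; it also goes slightly beyond the text by folding in simple homoglyph normalization (examp1ecorp, exarnplecorp) and hyphen-split brands.

```python
# Added example: score newly observed domains for resemblance to your brands.
# Illustrative code for this article; every list and weight below is an assumption.
from difflib import SequenceMatcher

BRANDS = ["examplecorp"]
OWN_DOMAINS = {"examplecorp.com", "examplecorp.net"}
SUSPICIOUS_SUFFIXES = {"partners", "vip", "sso", "okta", "helpdesk", "support", "vpn", "hr", "login"}
COUNTRY_CODES = {"uk", "us", "de", "fr", "au", "ca", "ie", "nl"}
_HOMOGLYPHS = str.maketrans("01357", "olest")   # 0->o 1->l 3->e 5->s 7->t

def normalize(label):
    """Collapse common look-alike substitutions so examp1ecorp / exarnplecorp read as examplecorp."""
    return label.lower().replace("rn", "m").replace("vv", "w").translate(_HOMOGLYPHS)

def score_domain(fqdn, brands=BRANDS):
    """Return (score, reasons). Scores >= 50 are worth a takedown request or a DNS sinkhole."""
    fqdn = fqdn.lower().rstrip(".")
    if fqdn in OWN_DOMAINS or any(fqdn.endswith("." + d) for d in OWN_DOMAINS):
        return 0, ["owned domain"]
    labels = fqdn.split(".")
    if len(labels) < 2:
        return 0, ["not a registrable domain"]
    # Assumption: generic TLD, so labels[-2] is the label the actor registered.
    registrable, subdomains = labels[-2], labels[:-2]
    parts = registrable.split("-")
    collapsed = normalize(registrable.replace("-", ""))
    score, reasons = 0, []

    for brand in brands:
        nb = normalize(brand)
        if brand in registrable:
            score += 40; reasons.append(f"contains brand '{brand}'")
        elif nb in collapsed:
            score += 60; reasons.append(f"obfuscated brand '{brand}' (homoglyph or hyphen split)")
        else:
            best = max(SequenceMatcher(None, normalize(p), nb).ratio() for p in parts)
            if best >= 0.85:
                score += 50; reasons.append(f"near-match of '{brand}' (ratio {best:.2f})")
    if score == 0:
        return 0, reasons   # no relationship to a brand: a suffix alone is not interesting

    for part in parts:
        if part in SUSPICIOUS_SUFFIXES:
            score += 25; reasons.append(f"suffix '-{part}'")
        elif part in COUNTRY_CODES:
            score += 15; reasons.append(f"country code '-{part}'")
    for sub in subdomains:
        if sub in COUNTRY_CODES:
            score += 15; reasons.append(f"nested country subdomain '{sub}'")
    return score, reasons

def flag_feed(feed, threshold=50):
    hits = []
    for domain in feed:
        score, why = score_domain(domain)
        if score >= threshold:
            hits.append((domain, score, why))
    return sorted(hits, key=lambda h: -h[1])

# Constructed sample of "newly seen" domains from a CT-log or registrar feed.
SAMPLE_FEED = [
    "examplecorp.com", "sso.examplecorp.com",          # ours
    "examplecorp-partners.com", "uk.examplecorp-vip.net",
    "examp1ecorp-sso.com", "example-corp-portal.com",
    "examplecorq-login.com", "examplecorp-de.com",
    "weather-partners.org",                           # suffix only, unrelated brand
]

if __name__ == "__main__":
    for domain, score, why in flag_feed(SAMPLE_FEED):
        print(score, domain, "; ".join(why))
```

Feed the function from the same sources your brand-protection vendor uses, and keep the allowlist current so that legitimately registered regional domains do not drown the queue.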

Remote Access

Once the initial breach is made, the group intensifies its grip:

Remote Access Tools: After initial infiltration, Scattered Spider deepens its foothold by guiding victims to install widely trusted, commercially available remote-access software that the group then abuses. Observed tools include Fleetdeck, Atera, AnyDesk, and Ngrok, alongside the Remcos remote-access trojan; 367 distinct tools have been observed across multiple incidents. Such tools create encrypted, persistent channels into internal networks, letting the group operate under the radar of conventional security monitoring: the processes look legitimate and the traffic blends into expected administrative activity. [T1219]

Privilege Escalation

With remote access secured, Scattered Spider exploits certificate systems, vulnerable drivers, and credential-stealing techniques:

ADCS Template Modification and Abuse: Scattered Spider abuses misconfigured Active Directory Certificate Services (ADCS) templates, for example templates that permit client authentication and let the enrollee supply the subject name, to request certificates that authenticate as other, more privileged principals. Because certificate logon does not depend on the account's password, these certificates provide quiet privilege elevation and let the attackers cross trust boundaries without raising suspicion. [T1649]
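
On the issuing CA, the pattern above shows up in Security event 4887 ("Certificate Services approved a certificate request and issued a certificate"): a low-privileged requester whose request carries its own Subject Alternative Name naming someone else. The review logic below is an added example written for this article, not Halcyon tooling. The event field names, the "Key:Value" layout of the Attributes field, the privileged-account set, and the sample events are assumptions; adjust them to how your SIEM parses the event.

```python
# Added example: review parsed 4887 events for enrollee-supplied SANs and
# template/requester mismatches. Illustrative code for this article; field layout is assumed.
import re

# Constructed sample of parsed 4887 events from a CA server.
SAMPLE_4887 = [
    {"RequestId": "1181", "Requester": "CORP\\j.doe", "Attributes": "CertificateTemplate:User",
     "Subject": "CN=j.doe,OU=Users,DC=corp,DC=local"},
    {"RequestId": "1182", "Requester": "CORP\\j.doe",
     "Attributes": "CertificateTemplate:WebPortalClient\r\nSAN:upn=administrator@corp.local",
     "Subject": "CN=j.doe"},
    {"RequestId": "1183", "Requester": "CORP\\svc-scan", "Attributes": "CertificateTemplate:Machine",
     "Subject": "CN=WS01.corp.local"},
    {"RequestId": "1184", "Requester": "CORP\\WS01$", "Attributes": "CertificateTemplate:Machine",
     "Subject": "CN=WS01.corp.local"},
]

PRIVILEGED_ACCOUNTS = {"administrator", "krbtgt"}   # assumption: extend with your Tier-0 accounts
MACHINE_TEMPLATES = {"machine", "domaincontroller", "kerberosauthentication"}

def parse_attributes(attributes):
    """The Attributes field carries newline-separated Key:Value pairs."""
    parsed = {}
    for line in re.split(r"\r?\n", attributes):
        if ":" in line:
            key, value = line.split(":", 1)
            parsed[key.strip().lower()] = value.strip()
    return parsed

def account_name(requester):
    return requester.split("\\")[-1].lower()

def analyze_4887(events, privileged=PRIVILEGED_ACCOUNTS):
    alerts = []
    for ev in events:
        attrs = parse_attributes(ev["Attributes"])
        template = attrs.get("certificatetemplate", "")
        requester = account_name(ev["Requester"])
        reasons, severity = [], None

        san = attrs.get("san")
        if san:
            # An enrollee-supplied SAN is the precondition for impersonation; few benign templates need it.
            severity = "high"
            reasons.append("enrollee-supplied SAN in request attributes")
            match = re.search(r"upn=([^@,;\s]+)@", san, re.IGNORECASE)
            if match:
                target = match.group(1).lower()
                if target != requester:
                    reasons.append(f"SAN UPN '{target}' differs from requester '{requester}'")
                if target in privileged:
                    severity = "critical"
                    reasons.append(f"SAN names privileged account '{target}'")

        if template.lower() in MACHINE_TEMPLATES and not requester.endswith("$"):
            severity = severity or "medium"
            reasons.append(f"non-computer account enrolled in machine template '{template}'")

        if reasons:
            alerts.append({"request_id": ev["RequestId"], "requester": requester,
                           "template": template, "severity": severity, "reasons": reasons})
    return alerts

if __name__ == "__main__":
    for alert in analyze_4887(SAMPLE_4887):
        print(alert)
```

Audit logging on the CA must be enabled for 4887 to exist at all; pair this with periodic template reviews so that the "enrollee supplies subject" flag is never combined with client-authentication EKUs on templates that ordinary users can enroll in.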

Bring Your Own Vulnerable Driver (BYOVD): The group loads signed but vulnerable kernel drivers and exploits them to disable security tooling and elevate from administrator to kernel-level (SYSTEM) control. Because the driver carries a valid signature, Windows loads it without complaint, giving the attackers deep access to the host while evading detection. [T1068 / T1562.001]

Microsoft LAPS Abuse: Where the Local Administrator Password Solution (LAPS) is deployed, Scattered Spider uses accounts that hold read rights on the managed-password attribute to retrieve local administrator passwords from Active Directory (or, with write rights, to force their rotation), gaining privileged local access across many endpoints without using a domain admin account that would trigger elevated-account alerts. [T1078.003 / T1552]

Credential Dumping (LSASS & NTDS.dit): Once elevated, attackers harvest credentials by dumping LSASS memory on workstations and servers and by extracting NTDS.dit from domain controllers. The recovered hashes are cracked offline or replayed directly, giving the group durable, domain-wide access. [T1003 / T1003.001 / T1003.003]

Single Sign-On (SSO) & Service Account Abuse: Scattered Spider leverages on-premises and cloud service accounts, sets up rogue federated identity providers so it can mint its own sign-in tokens, and enrolls its own MFA devices on compromised accounts. This preserves access even after passwords are reset or the original accounts are disabled. [T1136 / T1484.002 / T1556.006]

Environment Enumeration

Following privilege escalation, the group undertakes comprehensive reconnaissance:

Network & Environment Reconnaissance: Once elevated privilege is obtained, Scattered Spider shifts into mapping mode, building deep visibility across the target environment. The group uses Windows management tools such as wmic to check endpoint protection and system configuration, and deploys reconnaissance frameworks such as ADRecon and Rubeus to enumerate domain controllers, user accounts, service principal names, and Kerberos ticketing. It also uses network discovery utilities such as Nmap, Angry IP Scanner, and IP scanning scripts to identify live hosts, open ports, and network topology. In hybrid or cloud-integrated environments, Scattered Spider taps AWS Systems Manager and similar orchestration platforms to inventory EC2 instances, cloud backups, and virtual infrastructure, extending its visibility across organizational perimeters. From this data the attackers build a precise map of systems, share relationships, and trust boundaries, then plan lateral movement so that subsequent actions mimic legitimate administrative workflows and evade detection. [T1018 / T1087 / T1213 / T1538]
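
Rubeus-style Kerberos enumeration is loud on the domain controller if you look at the right field: one account requesting RC4-encrypted (0x17) service tickets for many distinct service accounts within seconds, which is what a Kerberoasting sweep looks like in Security event 4769. The detector below is an added example written for this article, not Halcyon tooling. The key=value line format is a constructed stand-in for a SIEM export (field names follow the 4769 schema), and the sample records are constructed.

```python
# Added example: flag Kerberoasting-style 4769 bursts (RC4 TGS requests for many SPNs).
# Illustrative code for this article; the line format is an assumed SIEM export.
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_4769 = """\
2025-06-20T02:10:01Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2025-06-20T02:10:02Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc-backup TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2025-06-20T02:10:02Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc-sccm TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2025-06-20T02:10:03Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc-exchange TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2025-06-20T02:10:03Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc-vcenter TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2025-06-20T02:10:04Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc-jenkins TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2025-06-20T02:10:05Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=krbtgt TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x0
2025-06-20T02:11:40Z EventID=4769 TargetUserName=a.smith@CORP.LOCAL ServiceName=svc-sql TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.71 Status=0x0
2025-06-20T02:12:00Z EventID=4769 TargetUserName=WS07$@CORP.LOCAL ServiceName=DC01$ TicketEncryptionType=0x12 IpAddress=::ffff:10.0.0.7 Status=0x0
2025-06-20T02:12:10Z EventID=4769 TargetUserName=j.doe@CORP.LOCAL ServiceName=svc-sql TicketEncryptionType=0x17 IpAddress=::ffff:10.0.0.55 Status=0x1b
"""

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.*)$")

def parse_4769(line):
    """Turn one 'timestamp key=value ...' line into a dict; returns None for junk lines."""
    match = LINE_RE.match(line.strip())
    if not match:
        return None
    fields = dict(kv.split("=", 1) for kv in match.group("kv").split())
    fields["ts"] = datetime.strptime(match.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return fields

def detect_kerberoasting(text, window=timedelta(minutes=5), min_spns=5):
    """One alert per account whose successful RC4 TGS requests in any `window` cover
    >= min_spns distinct service accounts. krbtgt and computer accounts (SPN ending in $)
    are excluded: the former is the TGT itself, the latter have random 120-char passwords
    that are not crackable targets."""
    requests = defaultdict(list)
    for line in text.splitlines():
        ev = parse_4769(line)
        if not ev or ev.get("EventID") != "4769" or ev.get("Status") != "0x0":
            continue
        if ev.get("TicketEncryptionType", "").lower() != "0x17":
            continue
        spn = ev["ServiceName"]
        if spn.endswith("$") or spn.lower() == "krbtgt":
            continue
        requests[ev["TargetUserName"]].append((ev["ts"], spn, ev["IpAddress"]))

    alerts = []
    for account, reqs in requests.items():
        reqs.sort()
        start, best, best_ips = 0, set(), set()
        for end in range(len(reqs)):            # sliding window over time-ordered requests
            while reqs[end][0] - reqs[start][0] > window:
                start += 1
            spns = {r[1] for r in reqs[start:end + 1]}
            if len(spns) > len(best):
                best = spns
                best_ips = {r[2] for r in reqs[start:end + 1]}
        if len(best) >= min_spns:
            alerts.append({"account": account, "distinct_spns": sorted(best),
                           "source_ips": sorted(best_ips), "first_seen": reqs[0][0].isoformat()})
    return alerts

if __name__ == "__main__":
    for alert in detect_kerberoasting(SAMPLE_4769):
        print(alert)
```

The RC4 filter is what keeps this quiet in an AES-only domain; if you still have legacy services negotiating RC4, raise `min_spns` or baseline those service names rather than dropping the encryption-type check.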

Credential Harvesting

Armed with environmental intelligence, Scattered Spider harvests credentials to escalate its access and facilitate broader infiltration:

Credential Theft and Exfiltration: After mapping the environment, Scattered Spider moves aggressively to harvest credentials. They search network shares, SharePoint sites, mailboxes, and cloud storage for files containing keywords such as "password," "token," or "passwd." The group uses token forging and MFA-fatigue techniques to capture live authentication tokens, compromising accounts without relying on stolen passwords. In parallel, they extract NTDS.dit from domain controllers via volume shadow copies or backups and crack the credentials offline for broad domain access. [T1003 / T1552 / T1606 / T1621]

Lateral Movement

Leveraging harvested credentials and system insight, the threat actor conducts stealthy lateral operations mimicking routine administration as they expand their presence:

Remote Services & Cloud Instances: Scattered Spider uses valid credentials to move laterally in ways that mimic routine administration: RDP to domain controllers, SSH to web servers, and similar everyday IT activity. In cloud environments they abuse existing EC2 instances, often commandeering platform-as-a-service consoles as intermediate hops, or spin up new instances as relays, then use those cloud endpoints to pivot back into on-premises systems and expand their foothold. This rapid, multi-surface movement lets them escalate impact across environments without depending on custom malware that traditional controls are tuned to catch. [T1021.001 / T1021.004 / T1021.007]

Security Bypass

With full domain reach underway, Scattered Spider actively dismantles defenses to evade detection:

Kernel-Level Defense Neutralization: After establishing a foothold, Scattered Spider targets foundational security controls so it can operate unseen. Using BYOVD, it loads signed but vulnerable kernel drivers to blind endpoint detection and response (EDR) and extended detection and response (XDR) sensors at the kernel level, silently unhooking them. It also disables AMSI and antivirus or EDR products (including Windows Defender, SentinelOne, and CrowdStrike) through obfuscated scripts and direct manipulation of their services. In cloud environments, it uses stolen or vendor-provided remote tools over VPN to remove security agents, clear logs, and disable scheduled protection tasks. Applied together across on-premises and cloud systems, these evasions allow prolonged, undetected activity while the group prepares the next phase. [T1211 / T1562 / T1562.001]

Data Exfiltration

Before finalizing encryption, Scattered Spider systematically exfiltrates high-value intellectual and operational data, ensuring leverage even if encryption is reversed:

Targeted Data Theft: Before unleashing ransomware, Scattered Spider conducts a methodical exfiltration campaign, collecting critical IT documentation, financial records, regulated data, NTDS.dit credential dumps, email, and database contents. The data is consolidated into compressed archives with built-in tools, then pushed with custom transfer scripts to file-sharing services such as Mega.nz over encrypted channels. The theft is executed quickly, so the group holds maximum leverage before the encryption phase begins. [T1560 / T1074 / T1567.002]

Data Destruction

To further pressure victims, the group disables system recovery features to force compliance and eliminate restoration options:

Disabling Recovery Capabilities: While Scattered Spider rarely runs full-scale wiper operations, it takes calculated destructive steps to maximize extortion pressure. Before issuing ransom demands, the group deletes Volume Shadow Copies with tools such as vssadmin, eliminating on-premises restore points and undermining local recovery. In cloud environments it has gone further, locking victims out of their tenant consoles and disabling administrative services. These actions block cleanup and rollback and amplify the pressure to pay. [T1490]

Data Encryption

In the final act of disruption, Scattered Spider unleashes high-speed ransomware across the environment:

Data Encrypted for Impact: Once Scattered Spider has exfiltrated key data, the group shifts rapidly to encryption, deploying ransomware variants such as DragonForce, Qilin, Akira and Play. The encryption phase is executed with precision, often targeting VMware ESXi hypervisors first to cripple virtual environments and maximize operational disruption across both on-prem and cloud infrastructures. Victim files are locked network-wide, and backups are often rendered unusable, forcing organizations into critical decision-making under duress. [T1486]

Detection, Mitigation & Incident Response

Detection Strategies

  • Branded Domain Monitoring: Detect the use of spoofed domains by monitoring both internal and public DNS for newly registered domains that resemble your supply chain, executive, or service brands (e.g. variants with “-partners” or country codes).
  • Phishing & Help Desk Alerts: Flag instances of MFA push fatigue and unauthorized phone-based support requests, especially those impersonating IT, security, or managed service provider personnel.
  • Remote Access Tool Detection: Alert on the installation or execution of non-standard remote access tools such as Fleetdeck, AnyDesk, Ngrok, or Remcos, particularly when they arrive outside managed software deployment (shadow-IT installs, remote shells, or VPN sessions).
  • Unauthorized Certificate Issuance Activity: Track ADCS template changes or unexpected certificate enrollments that could indicate abuse (e.g. actor-enrolled domain certificates).
  • Credential Dumping Indicators: Monitor for suspicious actions such as LSASS memory access, creation of NTDS.dit backups, or PowerShell commands aimed at extracting credentials.
  • Anomalous Lateral Movement: Detect atypical remote desktop (RDP) connections to domain controllers, SSH sessions to web servers, or cloud instances pivoting via EC2/AWS Systems Manager.
  • Kernel Driver & EDR Tampering: Investigate any installation of unexpected signed drivers, EDR unhooking behaviors, suspended or removed endpoint security services (Defender, SentinelOne, CrowdStrike).
  • Data Staging & Exfil Monitoring: Watch for large-scale file compression events, especially of IT documentation or credential files, followed by outbound HTTP(S) transfers to atypical cloud file-share services like Mega.nz.
  • Shadow Copy Deletion & Cloud Lockout: Trigger alerts when shadow copies are deleted from hosts, or cloud console access is suddenly disabled, signaling possible extortion or tenant lockouts.
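
Several of the detections above (remote access tools, LSASS and NTDS.dit dumping, vulnerable driver installation, EDR tampering, shadow copy deletion) reduce to the same data source: process-creation telemetry with full command lines, from Sysmon Event 1 or Security 4688 with command-line auditing enabled. The rule set below is an added example written for this article, not Halcyon tooling. The field names, the binary list, and the sample records are constructed assumptions; in production you would key remote-access tools on signer and hash as well, since file names are trivially renamed.

```python
# Added example: a small rule engine over process-creation records for the command lines
# behind the detections in this section. Illustrative code for this article; fields are assumed.
import re
from pathlib import PureWindowsPath

# Tool names from the report plus a couple of common RMM agents (assumption list).
RMM_BINARIES = {"anydesk.exe", "fleetdeck.exe", "fleetdeck_agent.exe", "ateraagent.exe",
                "ngrok.exe", "remcos.exe", "screenconnect.clientservice.exe"}

def rule_rmm(img, cmd):
    return img in RMM_BINARIES or re.search(r"\bngrok\b.*\b(tcp|http)\b", cmd) is not None

def rule_lsass_dump(img, cmd):
    # procdump -ma lsass.exe, or the living-off-the-land comsvcs.dll MiniDump export
    return (img.startswith("procdump") and "lsass" in cmd) or \
           ("comsvcs.dll" in cmd and "minidump" in cmd)

def rule_ntds(img, cmd):
    # ntdsutil "ifm" snapshot, a shadow copy made to read the locked NTDS.dit, or a direct copy
    return (img == "ntdsutil.exe" and re.search(r"\bifm\b|create full", cmd) is not None) or \
           (img == "vssadmin.exe" and "create shadow" in cmd) or \
           ("ntds.dit" in cmd and img in {"esentutl.exe", "cmd.exe", "powershell.exe"})

def rule_driver_install(img, cmd):
    # BYOVD staging: registering a kernel service that points at a dropped .sys
    return img == "sc.exe" and "create" in cmd and re.search(r"type=\s*kernel", cmd) is not None

def rule_defense_tamper(img, cmd):
    return ("set-mppreference" in cmd and "disablerealtimemonitoring" in cmd) or \
           (img == "sc.exe" and
            re.search(r"\b(stop|delete)\b.*\b(sentinelagent|csfalconservice|windefend)\b", cmd) is not None)

def rule_inhibit_recovery(img, cmd):
    return (img == "vssadmin.exe" and "delete shadows" in cmd) or \
           (img == "wmic.exe" and "shadowcopy delete" in cmd) or \
           (img == "bcdedit.exe" and "recoveryenabled no" in cmd) or \
           (img == "wbadmin.exe" and "delete catalog" in cmd)

RULES = [  # (rule name, ATT&CK technique, predicate)
    ("remote_access_tool", "T1219", rule_rmm),
    ("lsass_dump", "T1003.001", rule_lsass_dump),
    ("ntds_extraction", "T1003.003", rule_ntds),
    ("driver_install", "T1068", rule_driver_install),
    ("defense_tamper", "T1562.001", rule_defense_tamper),
    ("inhibit_recovery", "T1490", rule_inhibit_recovery),
]

def evaluate(events):
    """One hit per (event, rule) match. The image is reduced to its basename and the
    command line lower-cased with whitespace collapsed before the predicates run."""
    hits = []
    for ev in events:
        img = PureWindowsPath(ev["Image"]).name.lower()
        cmd = re.sub(r"\s+", " ", ev["CommandLine"]).strip().lower()
        for name, technique, predicate in RULES:
            if predicate(img, cmd):
                hits.append({"pid": ev["ProcessId"], "user": ev["User"], "image": img,
                             "rule": name, "technique": technique})
    return hits

# Constructed sample process-creation records (Sysmon Event 1 / Security 4688 style).
SAMPLE_EVENTS = [
    {"ProcessId": 1004, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs -p"},
    {"ProcessId": 4120, "User": "CORP\\j.doe", "Image": r"C:\Users\j.doe\Downloads\AnyDesk.exe",
     "CommandLine": "AnyDesk.exe --install C:\\ProgramData\\AnyDesk --silent"},
    {"ProcessId": 5010, "User": "CORP\\j.doe", "Image": r"C:\Temp\procdump64.exe",
     "CommandLine": "procdump64.exe -accepteula -ma lsass.exe C:\\Temp\\l.dmp"},
    {"ProcessId": 5022, "User": "CORP\\j.doe", "Image": r"C:\Windows\System32\rundll32.exe",
     "CommandLine": "rundll32.exe C:\\Windows\\System32\\comsvcs.dll, MiniDump 728 C:\\Temp\\x.dmp full"},
    {"ProcessId": 6100, "User": "CORP\\j.doe", "Image": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": 'ntdsutil.exe "ac i ntds" "ifm" "create full C:\\Temp\\ifm" q q'},
    {"ProcessId": 6204, "User": "CORP\\j.doe", "Image": r"C:\Windows\System32\sc.exe",
     "CommandLine": "sc.exe create hlprdrv type= kernel binPath= C:\\Windows\\Temp\\hlpr.sys"},
    {"ProcessId": 7011, "User": "CORP\\j.doe", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ProcessId": 8001, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"ProcessId": 8002, "User": "NT AUTHORITY\\SYSTEM", "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "wmic.exe shadowcopy delete"},
]

if __name__ == "__main__":
    for hit in evaluate(SAMPLE_EVENTS):
        print(hit)
```

Treat the rules as starting points, not signatures: the group renames binaries and obfuscates PowerShell, so the durable signals are the parent/child relationships and the fact that these commands are running at all on hosts where no administrator scheduled them.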

Mitigation Measures

  • Staff Awareness and Social Engineering Defense: Train employees and help desk staff to recognize and resist MFA fatigue, SMS (text) phishing, SIM swapping, and social engineering attempts disguised as IT or executive requests.
  • Domain Spoofing Protection: Implement strict policies and monitoring around domain registration to detect and prevent the use of spoofed domains that mimic supply-chain partners or internal services.
  • Remote Access Hardening: Block unauthorized remote access tools such as Fleetdeck, Atera, AnyDesk, Ngrok, and Remcos, and enforce strict allowlisting of approved tools. Apply hardened jump box configurations and require MFA for RDP and VPN access.
  • Certificate and MFA Governance: Strengthen certificate issuance processes and ADCS policies. Use secure provisioning protocols to manage MFA enrollment and prevent rogue token registration.
  • Least Privilege Access Controls: Apply strict privilege separation for user, service, and SSO accounts. Avoid granting administrative or service-level privileges without verified, time-bound justification.
  • Network Segmentation and Lateral Movement Monitoring: Segment critical infrastructure and ESXi workloads to limit lateral access. Use EDR and flow analytics to detect unusual access patterns, such as cross-environment RDP, SSH, or cloud instance transitions.
  • Endpoint Security Integrity: Enable tamper protection on EDR and antivirus tools. Block installation of unauthorized or vulnerable signed drivers. Monitor for kernel-level tampering and the removal of security agents.
  • Backup and Data Resilience: Maintain immutable, offline backups and multi-region cloud snapshots. Ensure shadow copies are isolated and protected against deletion.
  • Incident Readiness: Maintain and regularly test a documented incident response plan. Include plays for rapid isolation, credential seizure, backup recovery, and forensic validation. Ensure communication protocols are in place to manage ransomware extortion scenarios effectively.

Incident Response Protocols

  • Immediate Containment: Immediately isolate all impacted systems and affected network segments. Disable any compromised credentials, including federated identities and MFA tokens, to prevent further unauthorized access.
  • Forensic Evidence Collection: Capture volatile system memory, disk images, logs, and cloud audit trails (such as AWS CloudTrail or Azure Activity Logs) to preserve evidence for post-incident investigation and attribution analysis.
  • Threat Infrastructure Eradication: Use endpoint detection tools and manual review to locate and remove all remote access tools, web shells, vulnerable drivers, and malicious scheduled tasks deployed during the attack.
  • Credential Reset and Certificate Revocation: Rotate all domain, service, and administrator credentials. Revoke any unauthorized or malicious certificates that may have been issued during the intrusion.
  • System Recovery: Restore affected systems from clean, offline, and immutable backups. Validate restored environments by verifying security settings, patch levels, and agent integrity before reintroducing into production.
  • Comprehensive Threat Hunt: Conduct proactive threat hunting across the environment, including on-prem and cloud systems, to identify and eliminate potential backdoors, persistence mechanisms, or lateral movement artifacts.
  • Post-Incident Hardening: Update and refine incident response and threat-hunting playbooks based on findings from the investigation. Incorporate lessons learned to fortify detection, containment, and recovery approaches for future resilience.

Conclusion

Scattered Spider represents a major evolution in ransomware risk, combining deep social engineering, layered technical sophistication, and rapid double‑extortion capabilities. In a matter of hours, the group can breach, establish persistent access, harvest sensitive data, disable recovery mechanisms, and detonate ransomware across both on‑premises and cloud environments.

Its recent attacks on major UK retailers reportedly wiped more than £500 million off one victim's market capitalization and crippled online operations across hundreds of stores. Scattered Spider's native English-speaking, Western-based operatives disguise phone calls as trusted IT personnel to bypass defenses and expedite infiltration.

This threat delivers sustained operational disruption, weeks-long downtime, steep recovery costs, regulatory penalties, brand damage, and potential existential risk to businesses of all sizes. They shrewdly combine cloud persistence, certificate abuse, and ransomware deployment on hypervisors to wreck infrastructure and escalate impact.

To defend against Scattered Spider’s current campaign, organizations must aggressively strengthen identity controls, enforce strict network segmentation, deploy behavior-based detection across hybrid environments, and maintain resilient, offline recovery systems to ensure rapid and secure recovery.

 

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more, and check out our quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
