
Scattered Spider is a cybercriminal group that has been making waves recently, targeting a range of industries, including retail, insurance, and aviation. Rather than focusing on a single organization, they concentrate their efforts on one sector at a time, hitting multiple businesses within that space before abruptly shifting their focus elsewhere. Companies across these industries are trying hard to address the threat, while analysts study the group’s tactics to anticipate their next move.
Retail Sector Chaos in the UK and US
Early in 2025, a series of attacks on large UK retailers brought Scattered Spider to the attention of the public. Cyberattacks connected to the group targeted British high street chains in April, including Marks & Spencer, the Co-op, and Harrods. In the UK, the effects were severe: M&S had to suspend online orders, contactless payments failed in stores, and there were even reports of empty shelves as a result of the operational disruption. As M&S rushed to restore systems with help from the National Cyber Security Centre (NCSC) and law enforcement, the incident was serious enough that the company’s stock price dropped by almost 7%. Notably, investigators verified that the attacks on these UK retailers were carried out through highly targeted social engineering, one of Scattered Spider’s signature techniques, and ended with the deployment of ransomware (in this case, a strain called DragonForce) to lock down systems.
The British government responded fast. In particular, the threat actors’ propensity to call IT help desks pretending to be employees or contractors, in order to fool support staff into changing passwords and granting access, was one of the specific tactics that the NCSC warned all businesses about. This phone-based helpdesk social engineering technique became a defining feature of Scattered Spider’s strategy. These attackers frequently use young, English-speaking accomplices recruited on forums and chat groups to place the calls, using insider jargon and any leaked employee data to sound authentic. Once they have reset an account or acquired legitimate credentials, deeper infiltration is possible.
Scattered Spider moved its focus across the Atlantic after rifling through UK retailers. Google’s Mandiant team issued a warning in mid-May 2025 that the same pattern of attacks was being made against unidentified U.S. retail organisations. Carmakal (CTO at Mandiant) observed, “They start in the UK, and now they’ve shifted to U.S. organisations,” referring to Scattered Spider’s practice of focusing for a few weeks on a particular industry and region before branching out. In other words, the cybercriminals treated the retail industry as a single campaign, targeting British businesses first and then moving on to American retailers. As the crime spree spread abroad, U.S. retail companies were advised to remain alert. By the end of May, Scattered Spider’s fingerprints were found in cyber incidents reported by several U.S. retailers, though the identities of the specific victims were not always made public.
A New Target – Insurance Companies Under Fire
By early June 2025, after extorting ransoms and stealing data from retail, Scattered Spider was focusing on the insurance sector. Threat intelligence analysts saw the change almost immediately, pointing out that the same strategies employed in the retail hacks were now being applied to American insurance companies. Google’s John Hultquist warned in mid-June that the insurance industry should be on high alert due to Scattered Spider’s one-sector-at-a-time strategy, saying, “We are now seeing incidents in the insurance industry.” Within days of that warning, at least two US insurance companies disclosed cyberattacks that took them offline. On June 9, Philadelphia Insurance Companies (PHLY) revealed that it had found unauthorized access to its network; as it attempted to contain the breach, the company’s systems remained unavailable. Similarly, beginning on June 7, Erie Insurance experienced business interruptions as a result of unusual network activity, which was later identified in an SEC filing as a cyber incident necessitating extensive response measures.
In the midst of this larger campaign against the insurance industry, Aflac, the biggest supplemental insurer in the United States, acknowledged that it had also been compromised. Although it was able to contain the intrusion in a matter of hours, Aflac said in a press release on June 20 that cybercriminals might have gained access to the personal and health information of clients, staff members, and others. Notably, Aflac stated that its operations continued and that systems were not affected by ransomware, suggesting that the attack was halted prior to encryption or that its primary goal was data theft rather than system locking. However, the company acknowledged that the hack was part of a cybercrime campaign against the insurance industry, executed by a highly skilled group that exploited several insurers at the same time. Even though Aflac did not specifically name the offender, investigators later observed that the tactics and distinguishing characteristics pointed to Scattered Spider.
Aviation Industry in the Crosshairs
By the end of June 2025, Scattered Spider had changed direction again, this time to the aviation industry. What started as unconfirmed hacks at a few airlines quickly became a global concern. The FBI sent out a warning that it had seen “the cybercriminal group Scattered Spider expanding its targeting to include the airline sector.” That warning came just as two North American airlines, WestJet in Canada and Hawaiian Airlines in the U.S., suffered cyber incidents that disrupted some services. Within the same week, Australia’s main airline, Qantas, also reported a cyberattack that came through a third-party provider. It was quickly suspected to be part of the Scattered Spider campaign targeting airlines.
For Qantas, the breach came from an external call centre platform used for customer service that had been compromised. This shows how Scattered Spider often goes after the weakest link in the supply chain. The attackers were able to get information on about 6 million Qantas passengers, including their names, contact information, dates of birth, and frequent-flyer numbers. Thankfully, they did not obtain any passport or financial data. The attacks on Hawaiian Airlines and WestJet were similar: the intrusions did not stop flights, but they did raise concerns about possible data leaks. Investigations showed that Scattered Spider actors had used phone phishing to target airline IT departments and contractors, just as they had in other industries, to obtain VPN and MFA resets. Airlines rely heavily on third-party service providers for ticketing, call centres, IT support, and more, and the group took advantage of these trust relationships to get in.
Inside Scattered Spider’s Playbook – What’s Next?
Scattered Spider has become known as one of the most versatile and hard-to-find groups of cybercriminals. This group is different from most ransomware gangs, which are usually from Eastern Europe: most of its members are young, native English-speaking cybercriminals from the US, UK, and Canada. It does not work like a single cartel; instead, it works more like a loose coalition or online community where members share tips and even hire each other to do jobs. Notably, researchers first used the term “Scattered Spider” to describe a set of tactics, not a strict organization. The group is also tracked under different names, such as 0ktapus, UNC3944, and Muddled Libra, which shows how its makeup and branding can change. For defenders, this loose structure is a real problem, because it makes Scattered Spider incredibly hard to take down.
Scattered Spider’s main skill is social engineering. The group has found a big hole in the defenses of many businesses, the people who work in IT support, and has taken full advantage of it. A Scattered Spider operative will pretend to be an employee with an urgent issue and pressure or intimidate a helpdesk agent into skipping normal security checks. They come prepared with convincing information, such as personal data from past breaches, insider jargon, and even answers to common security questions. Sometimes they repeat the same request to the helpdesk, or push the same MFA prompt to the user, over and over again (so-called “MFA fatigue” attacks) until someone makes a mistake. By tricking support staff into resetting multi-factor authentication or VPN passwords, the attackers get a skeleton key to the network.
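Two of the identity-layer signals the helpdesk and MFA-fatigue tactics above leave behind can be checked from identity-provider logs: a burst of MFA push challenges for one user, and a helpdesk-initiated MFA reset followed shortly by a login from a new device. The following detection is an added example, not code from the original post or from any vendor; the event names, field layout and log lines are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider events, not real logs:
# (timestamp, user, event, detail)
SAMPLE_EVENTS = [
    ("2025-06-09T08:01:05", "j.doe", "mfa_push_sent", "denied"),
    ("2025-06-09T08:01:40", "j.doe", "mfa_push_sent", "denied"),
    ("2025-06-09T08:02:10", "j.doe", "mfa_push_sent", "denied"),
    ("2025-06-09T08:03:30", "j.doe", "mfa_push_sent", "approved"),
    ("2025-06-09T09:15:00", "a.lee", "mfa_factor_reset", "helpdesk:agent42"),
    ("2025-06-09T09:22:10", "a.lee", "login_success", "new_device"),
    ("2025-06-09T10:00:00", "b.ng", "mfa_factor_reset", "helpdesk:agent17"),
    ("2025-06-09T15:30:00", "b.ng", "login_success", "known_device"),
    ("2025-06-09T11:00:00", "c.ray", "mfa_push_sent", "approved"),
]

def _ts(s):
    return datetime.fromisoformat(s)

def detect_mfa_fatigue(events, threshold=4, window=timedelta(minutes=5)):
    """Users who received >= threshold push challenges inside one window."""
    pushes = defaultdict(list)
    for ts, user, event, _ in events:
        if event == "mfa_push_sent":
            pushes[user].append(_ts(ts))
    flagged = set()
    for user, times in pushes.items():
        times.sort()
        for i, start in enumerate(times):
            # count the pushes that fall in the window starting at this one
            if sum(1 for t in times[i:] if t - start <= window) >= threshold:
                flagged.add(user)
                break
    return sorted(flagged)

def detect_reset_then_new_device(events, window=timedelta(hours=1)):
    """Helpdesk MFA resets followed by a new-device login within window."""
    resets = defaultdict(list)
    for ts, user, event, detail in events:
        if event == "mfa_factor_reset" and detail.startswith("helpdesk:"):
            resets[user].append(_ts(ts))
    flagged = set()
    for ts, user, event, detail in events:
        if event == "login_success" and detail == "new_device":
            t = _ts(ts)
            if any(timedelta(0) <= t - r <= window for r in resets[user]):
                flagged.add(user)
    return sorted(flagged)
```

A flagged user from either check is a reason to call the employee back on a known number and to review the helpdesk ticket before the session is allowed to stand.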
At its core, Scattered Spider is all about making money. It often works with, or is an affiliate of, big ransomware groups. The cybercriminals are known to work with several ransomware-as-a-service groups and to switch out their payloads as needed. They have worked with the BlackCat (ALPHV) gang, and they used BlackCat’s malware to encrypt more than 100 VMware ESXi servers in the infamous MGM Resorts breach of 2023. They have also been linked to newer ransomware strains like RansomHub, Qilin, and DragonForce in different attacks. Because of this flexible approach, they can simply switch to a different ransomware tool if one is stopped or decrypted. In many of the 2023 cases the group also stole data and threatened to leak it unless they were paid, the familiar double-extortion model. Scattered Spider is extremely dangerous because it combines insider-style social engineering with malware: one day they can quietly pretend to be employees, and the next day they can release disruptive ransomware.
Stay ahead of data extortion and learn how BlackFog can protect you here.