“Scattered Spider” evolves with new ransomware and social engineering tactics

The loosely connected network of threat actors behind several high profile hacks known as Scattered Spider has added new ransomware and improved social engineering techniques to its arsenal, the Australian Cyber Security Centre (ACSC) and associated Western agencies warn.

An update by the cyber security agencies to an intial 2023 alert on Scattered Spider identifies several new tactics, techniques and procedures (TTPs) used by the group.

As part of the new TTPs, Scattered Spider now deploys DragonForce ransomware in its attacks, the agencies said in their advisory.

The ransomware is now often used after the group has already stolen data for extortion purposes, after which Scattered Spider communicates with targeted organisations through The Onion Router (TOR) network, email, or encrypted applications.

Data exfiltration to multiple sites, including Mega.nz and US-based data centres such as Amazon S3, has also been observed.

The criminals have enhanced their social engineering, now posing as employees to convince an organisation’s information technology helpdesk to reset passwords and transfer multi-factor authentication (MFA) tokens to a device they control.

They have also adopted new legitimate remote access tools like AnyDesk and Teleport.sh to blend in with normal network traffic and evade detection.

Meanwhile, a Java-based remote access trojan called RattyRAT has also been added to their toolkit for maintaining persistent, stealth access.

The advisory said Scattered Spider targets organisations’ Snowflake data cloud access to allow them to exfiltrate large volumes of data with thousands of queries in a short time.

After stealing the data, the actors now often encrypt the victim’s VMware ESXi servers to apply further pressure for ransom payments.

To maintain their foothold and monitor response efforts, the actors create new user identities within a compromised network.

These are often backstopped with fake social media profiles to appear legitimate.

Organisations should implement phishing-resistant multi-factor authentication, use application controls to block unauthorised software, and maintain tested offline backups to mitigate the threat Scattered Spider presents, the agencies recommend.

This year, Scattered Spider has been named as being behind several well-publicised attacks, including ones on Alaska Airlines, and British and US retailers. 

Scattered Spider is believed to be associated with the Com online criminal network that attracts young people through digital platforms such as Roblox, Minecraft and Discord.

Last week, the FBI issued a public alert about a Com subset, Hacker Com, which the agency said is technically sophisticated, and linked to ransomware-as-a-service groups.

Hacker Com members are selling their technical services and use their capabilities for profit and to steal crypto currency to fund other criminal activity, the FBI said.

Among the criminal activity allegedly perpetrated by Hacker Com are distributed denial of service (DDoS) attacks, phishing, ransomware, malware development and deployment, computer intrusions and subscriber identity module (SIM) swapping to gain access to accounts via mobile devices.

Com actors often target each other, FBI said, with criminal activity spilling over into the outside world with physical extortion, and violent actions such as kidnapping and torture, as well as “swatting” which involves calling in armed police on victims as a form of retaliation.