UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion
UNC3944, a financially motivated threat actor that overlaps with the group publicly tracked as Scattered Spider, has shifted from niche SIM-swapping operations against telecommunications organizations to a more aggressive focus on ransomware and data-theft extortion across a wide range of industries.
First observed abusing telecom providers to carry out SIM swaps, UNC3944 pivoted in early 2023 to ransomware deployment, hitting sectors including technology, financial services, business process outsourcing, gaming, hospitality, retail, and media and entertainment.
This shift has seen the group conduct targeted waves of attacks, with notable campaigns against financial services in late 2023 and food services in May 2024, alongside high-profile brands likely chosen for prestige and media attention.
Their victimology shows a preference for large enterprises in English-speaking countries such as the United States, Canada, the UK, and Australia, with recent expansion into Singapore and India, and a focus on organizations whose large help desks and outsourced IT functions are exposed to social engineering.
Law Enforcement Impact and Emerging Threats
Despite a temporary decline in activity following 2024 law enforcement actions against alleged associates, UNC3944's deep ties within the cybercrime ecosystem suggest it can recover quickly, likely through new partnerships or tooling chosen to evade detection.
Recent public reports indicate tactics consistent with Scattered Spider being used in attacks on UK retail organizations, deploying DragonForce ransomware, with claims of responsibility for multiple attempted breaches.
Notably, DragonForce operators have reportedly taken control of RansomHub, a ransomware-as-a-service (RaaS) platform that went offline in spring 2025 and where UNC3944 had operated as an affiliate after the ALPHV (BlackCat) RaaS shut down in March 2024.
While Google Threat Intelligence Group (GTIG) has not independently verified UNC3944's direct involvement, retail organizations account for a rising share of victims posted to data leak sites (DLS): 11% of victims in 2025, up from 8.5% in 2024. This underscores the attractiveness of retail targets, which hold large amounts of personally identifiable information (PII) and financial data and are often more willing to pay a ransom to restore transaction capabilities.
Tactical Sophistication and Defense Imperatives
UNC3944's tradecraft relies heavily on social engineering: the actor impersonates employees to manipulate help-desk personnel into resetting credentials or MFA, then uses further techniques to bypass multi-factor authentication (MFA) and escalate privileges inside the compromised environment.
Its attack lifecycle includes Active Directory reconnaissance with tools such as ADRecon and SharpHound, alongside searches of internal documentation covering user provisioning and network diagrams.
To counter these threats, organizations must prioritize identity security: enforce phishing-resistant MFA, disable self-service password resets during periods of heightened threat, and require strict verification, such as on-camera identity checks, before the help desk resets a password or re-enrolls an MFA method.
Endpoint hardening through device compliance checks, network segmentation that isolates trusted service infrastructure, and monitoring for anomalous authentication activity (new MFA registrations shortly after a help-desk reset, bursts of denied push prompts, sign-ins from anonymizing infrastructure) are equally critical.
Because UNC3944 is adept at abusing cloud resources and collaboration platforms such as Microsoft Teams for impersonation, proactive measures such as restricting which external domains can federate with Teams, blocking Tor exit nodes, and educating staff about MFA fatigue and doxxing threats are essential to reduce risk.
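The monitoring recommendations above can be turned into concrete detections. The following is an added illustration, not tooling from GTIG, Mandiant, or the original article: it runs three toy rules over constructed identity-log events (the field names `ts`, `user`, `type`, `ip`, `detail` and the event type names are assumptions modelled loosely on cloud sign-in and audit logs, and the Tor exit list is made up). The rules flag a help-desk password reset followed by MFA enrollment from an IP the user never used before, an MFA-fatigue pattern of repeated denied pushes ending in a success, and sign-ins from Tor exit addresses.

```python
"""Toy detections for UNC3944-style identity abuse over constructed sign-in logs.

Added example, not GTIG/Mandiant code. The log schema (ts, user, type, ip, detail)
and event type names are assumptions; map them to your SIEM's own fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry). Timestamps are UTC ISO-8601.
SAMPLE_EVENTS = [
    {"ts": "2025-05-01T09:00:00", "user": "alice", "type": "signin_success",
     "ip": "203.0.113.10", "detail": "corp-laptop"},
    # Help desk resets alice's password after a phone call ...
    {"ts": "2025-05-01T13:02:00", "user": "alice", "type": "helpdesk_password_reset",
     "ip": "10.0.0.5", "detail": "ticket=HD-1234"},
    # ... and a new authenticator is registered minutes later from an unseen IP.
    {"ts": "2025-05-01T13:09:00", "user": "alice", "type": "mfa_method_registered",
     "ip": "198.51.100.77", "detail": "authenticator app"},
    {"ts": "2025-05-01T13:10:00", "user": "alice", "type": "signin_success",
     "ip": "198.51.100.77", "detail": "unmanaged-device"},
    # MFA fatigue against bob: six denied pushes in a row, then one approved.
    *[{"ts": f"2025-05-01T22:{m:02d}:00", "user": "bob", "type": "mfa_push_denied",
       "ip": "192.0.2.9", "detail": ""} for m in range(1, 7)],
    {"ts": "2025-05-01T22:08:00", "user": "bob", "type": "signin_success",
     "ip": "192.0.2.9", "detail": "push approved"},
    # carol signs in from a constructed Tor exit address.
    {"ts": "2025-05-02T03:00:00", "user": "carol", "type": "signin_success",
     "ip": "192.0.2.200", "detail": ""},
]

# Constructed Tor exit list; in production, load the published exit-node list.
TOR_EXITS = {"192.0.2.200", "192.0.2.201"}


def _t(ev):
    return datetime.fromisoformat(ev["ts"])


def _by_user(events, types=None):
    """Group events per user in chronological order, optionally filtered by type."""
    grouped = defaultdict(list)
    for ev in sorted(events, key=_t):
        if types is None or ev["type"] in types:
            grouped[ev["user"]].append(ev)
    return grouped


def detect_reset_then_mfa_enroll(events, window=timedelta(minutes=60)):
    """Help-desk password reset followed, within `window`, by MFA enrollment from an
    IP the user had never successfully signed in from before the reset."""
    alerts = []
    for user, evs in _by_user(events).items():
        for i, reset in enumerate(evs):
            if reset["type"] != "helpdesk_password_reset":
                continue
            known_ips = {e["ip"] for e in evs[:i] if e["type"] == "signin_success"}
            for later in evs[i + 1:]:
                if _t(later) - _t(reset) > window:
                    break
                if later["type"] == "mfa_method_registered" and later["ip"] not in known_ips:
                    alerts.append({"rule": "reset_then_new_mfa", "user": user,
                                   "ip": later["ip"], "ts": later["ts"]})
    return alerts


def detect_mfa_fatigue(events, threshold=5, window=timedelta(minutes=10)):
    """At least `threshold` denied pushes inside `window`, then a successful sign-in
    within `window` of the last denial: the classic push-bombing pattern."""
    alerts = []
    for user, evs in _by_user(events, {"mfa_push_denied", "signin_success"}).items():
        denials = []
        for ev in evs:
            if ev["type"] == "mfa_push_denied":
                denials.append(_t(ev))
                denials = [d for d in denials if _t(ev) - d <= window]
            else:  # signin_success
                if len(denials) >= threshold and _t(ev) - denials[-1] <= window:
                    alerts.append({"rule": "mfa_fatigue", "user": user, "ip": ev["ip"],
                                   "ts": ev["ts"], "denials": len(denials)})
                denials = []
    return alerts


def detect_tor_signins(events, tor_exits=TOR_EXITS):
    """Successful sign-ins originating from a known Tor exit address."""
    return [{"rule": "tor_exit_signin", "user": e["user"], "ip": e["ip"], "ts": e["ts"]}
            for e in sorted(events, key=_t)
            if e["type"] == "signin_success" and e["ip"] in tor_exits]


def run_detections(events):
    return (detect_reset_then_mfa_enroll(events)
            + detect_mfa_fatigue(events)
            + detect_tor_signins(events))


if __name__ == "__main__":
    for alert in run_detections(SAMPLE_EVENTS):
        print(alert)
```

Run as-is, the script raises one alert per scenario: alice's post-reset enrollment from 198.51.100.77, bob's six denials followed by an approval, and carol's sign-in from the Tor exit. The first rule is the one most specific to UNC3944's help-desk playbook; tune the window to your help desk's real reset-to-enrollment latency so legitimate re-enrollments from a known device do not fire.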
As this threat actor continues to adapt, organizations must remain vigilant, leveraging comprehensive visibility and segregated identity controls to safeguard against these evolving cyber threats.