Mission Type
Financial extortion through social engineering and ransomware
Primary Sectors
Operational Period
2022 – present
Attributed Cases
1
TTP Pattern Summary
Scattered Spider relies primarily on social engineering rather than technical exploitation: vishing (voice phishing) of helpdesks, SIM swapping, and impersonation to obtain credentials and MFA resets. Once inside, the group uses identity provider manipulation and cloud console access for persistence. It operates as an affiliate of the ALPHV/BlackCat ransomware-as-a-service.
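One way to turn the chain described above (a helpdesk MFA reset followed by identity provider or cloud console activity) into a detection, as an added example that is not part of the original profile. The event schema, action names and sample events are constructed assumptions, not any vendor's log format.

```python
from datetime import datetime, timedelta

# Constructed sample events in a hypothetical normalized schema; field and
# action names are assumptions, not any identity provider's real log format.
SAMPLE_EVENTS = [
    {"ts": "2024-03-01T08:55:00", "user": "alice", "action": "login", "actor": "alice", "ip": "198.51.100.10"},
    {"ts": "2024-03-01T09:00:00", "user": "alice", "action": "mfa_reset", "actor": "helpdesk", "ip": "198.51.100.2"},
    {"ts": "2024-03-01T09:07:00", "user": "alice", "action": "mfa_enroll", "actor": "alice", "ip": "203.0.113.77"},
    {"ts": "2024-03-01T09:20:00", "user": "alice", "action": "idp_config_change", "actor": "alice", "ip": "203.0.113.77"},
    {"ts": "2024-03-01T10:00:00", "user": "bob", "action": "login", "actor": "bob", "ip": "198.51.100.20"},
    {"ts": "2024-03-01T10:05:00", "user": "bob", "action": "mfa_reset", "actor": "helpdesk", "ip": "198.51.100.2"},
    {"ts": "2024-03-01T10:09:00", "user": "bob", "action": "mfa_enroll", "actor": "bob", "ip": "198.51.100.20"},
    {"ts": "2024-03-01T10:30:00", "user": "bob", "action": "cloud_console_login", "actor": "bob", "ip": "198.51.100.20"},
]

PRIVILEGED = {"idp_config_change", "cloud_console_login"}


def find_reset_chains(events, window=timedelta(hours=24)):
    """Flag users whose helpdesk MFA reset is followed, inside `window`, by a
    factor enrolment from an IP never seen for that user and then by identity
    provider or cloud console activity from that same IP."""
    known_ips, pending, alerts = {}, {}, []
    for ev in sorted(events, key=lambda e: e["ts"]):
        ts, user, ip = datetime.fromisoformat(ev["ts"]), ev["user"], ev["ip"]
        seen = known_ips.setdefault(user, set())
        state = pending.get(user)
        if state and ts - state["reset"] > window:
            del pending[user]  # chain expired without follow-up activity
            state = None
        if ev["action"] == "mfa_reset" and ev["actor"] == "helpdesk":
            pending[user] = {"reset": ts, "new_ip": None}
        elif state and ev["action"] == "mfa_enroll" and ip not in seen:
            state["new_ip"] = ip  # factor enrolled from an unfamiliar address
        elif state and state["new_ip"] and ev["action"] in PRIVILEGED and ip == state["new_ip"]:
            minutes = int((ts - state["reset"]).total_seconds() // 60)
            alerts.append({"user": user, "ip": ip, "action": ev["action"],
                           "minutes_after_reset": minutes})
            del pending[user]
        # Only the user's own activity outside an open chain builds the baseline.
        if state is None and ev["actor"] == user:
            seen.add(ip)
    return alerts
```

In the constructed data only alice is flagged: bob re-enrols from an address already in his baseline, so his reset chain stays quiet.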
Behavioural Signature
Scattered Spider demonstrates that loosely organized criminal groups composed of young individuals can cause enterprise damage comparable to state actors. Their exclusive reliance on social engineering as an initial vector — bypassing technical controls entirely — has forced a reassessment of identity and helpdesk security as critical attack surfaces. The group's English-language proficiency distinguishes it from Russian-speaking ransomware ecosystems.
Governance Footprint
The group's operations prompted a joint FBI/CISA advisory (Nov 2023). The MGM/Caesars incidents were among the first subject to SEC cyber disclosure rules. Multiple members were arrested in the US and UK (2024), demonstrating that domestic law enforcement can reach non-state cyber actors more effectively than state-sponsored ones.