Scattered Spider

Threat Actor updated 10 days ago (2024-08-28T22:17:54.743Z)
Scattered Spider is a threat actor group known for its malicious cyber activities. The group's operations involve searching SharePoint repositories for sensitive information, maintaining persistence on targeted networks, and exfiltrating data for extortion purposes. They primarily gain access to victims' networks through phishing attacks, where they seek login credentials. Once inside, they search for exploitable infrastructure, such as remote systems. Microsoft and other security vendors have identified Scattered Spider, among other groups, exploiting the CVE-2024-37085 vulnerability to deploy ransomware strains like Akira and Black Basta. The group has been linked to numerous ransomware events over the past 18 months, with Microsoft paying particular attention to their persistent activities. Despite some arrests, including a member in Spain and a 17-year-old affiliate in the UK, the group remains active and continues to pose significant cybersecurity threats. Evidence suggests that some members of Scattered Spider were working from within the FBI, contributing to the complexity of their operations and the difficulty in apprehending them. Recent criticism has been directed at the FBI for their perceived slow response to the brazen activities of Scattered Spider, particularly regarding a cyberattack on MGM casinos. This has led to speculation about the group's current status and potential internal changes. However, it remains unclear whether Scattered Spider has discontinued the use of the BlackCat ransomware strain in their operations.
Description last updated: 2024-08-28T22:15:56.883Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.
ID / Votes / Profile Description
Octo Tempest
4
Octo Tempest, a known threat actor in the cybersecurity landscape, has recently added RansomHub and Qilin ransomware to its arsenal of cyber weapons. This expansion of their capabilities marks a significant escalation in their potential for harm and demonstrates a clear evolution towards more sophis
UNC3944
4
UNC3944, also known as Scattered Spider and 0ktapus, is a financially motivated threat actor group that has been increasingly active in recent years. The group initially targeted telecommunication firms and tech companies but has now expanded its operations to include the hospitality, retail, media,
Muddled Libra
4
Muddled Libra is a notable threat actor known for its sophisticated use of cloud services, particularly Amazon Web Services (AWS) and Microsoft Azure, to execute cyberattacks. The group leverages legitimate cloud service provider (CSP) features to efficiently exfiltrate data. In AWS, Muddled Libra t
The Com
2
"The Com" is a threat actor or cybercriminal community that has been involved in numerous high-profile cyberattacks, including recent attacks on Las Vegas resorts that severely impacted several prominent hotels and casinos. The community is largely composed of young hackers who are inducted into a l
Tyler
2
Tyler, also known by the alias "Tylerb," is a notable threat actor involved in high-profile ransomware attacks and other malicious activities. Identified as Tyler Buchanan, a 22-year-old from Dundee, Scotland, he was reportedly arrested for his involvement with the Scattered Spider hacking group, ac
Scatter Swine
2
Scatter Swine, also known by multiple names such as 0ktapus, Scattered Spider, UNC3944, and Muddled Libra, is a threat actor group that has been active since early 2022. The group first came to light in August 2022 when they executed smishing attacks against over 100 organizations, including Twilio
Oktapus
2
Oktapus, a threat actor also known as Scattered Spider, Scatter Swine, and Muddled Libra, has been identified as a significant cybersecurity risk due to its sophisticated phishing campaigns. The group first gained notoriety in 2022 when it launched the Oktapus phishing campaign, targeting employees
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Ransomware
Lateral Move...
Cybercrime
Ransom
RaaS
Extortion
ESXi
Phishing
MGM
Malware
Exploit
Credentials
SharePoint
Encryption
Scams
Microsoft
Reconnaissance
Okta
Windows
FBI
VPN
Bitcoin
Exploits
AWS
Analyst Notes & Discussion
Associated Malware
ID / Type / Votes / Profile Description
Akira / Unspecified
2
Akira is a malicious software or malware that has been causing significant damage to various organizations and systems worldwide. The ransomware, known for its persistent and harmful attacks, has successfully infiltrated numerous systems, often without the knowledge of the users, disrupting operatio
Raccoon / Unspecified
2
Raccoon is a type of malware, specifically an infostealer, used predominantly by the Scattered Spider threat actors to obtain login credentials, browser cookies, and histories. This malicious software, which is sold as Malware-as-a-Service (MaaS) on dark web forums, is both effective and inexpensive
Associated Threat Actors
ID / Type / Votes / Profile Description
Alphv / is related to
7
Alphv is a threat actor group known for its malicious activities in the cyber world. They have been particularly active in deploying ransomware attacks, with one of their most significant actions being the theft of 5TB of data from Morrison Community Hospital. This act not only disrupted hospital op
RansomHub / Unspecified
3
RansomHub, a threat actor group, has emerged as a significant cyber threat since its inception in February. The group employs a double-extortion strategy, which involves both encrypting IT systems and exfiltrating data to extort victims. RansomHub is known for its unique approach to ransom demands,
Qilin / Unspecified
2
The Qilin ransomware group, a malicious threat actor in the cybersecurity landscape, has been active since at least 2022 and gained significant attention in June 2024 for attacking Synnovis, a UK governmental service provider for healthcare. The group was later associated with Octo Tempest, which ad
Noberus / Unspecified
2
Noberus, also known as ALPHV or BlackCat, is a significant threat actor in the cybersecurity landscape. The group, which primarily operates a ransomware-as-a-service (RaaS) model, was the second most active ransomware group in April 2023, responsible for 14% of total observed victims. Originating fr
Source Document References
Information about the Scattered Spider threat actor was read from the document corpus below. This display is limited to 20 results.
Source / Created At / Title
DARKReading
10 days ago
BlackByte Targets ESXi Bug With Ransomware to Access Virtual Assets
Securityaffairs
a month ago
SECURITY AFFAIRS MALWARE NEWSLETTER – ROUND 6
DARKReading
a month ago
Microsoft on CISOs: Thriving Community Means Stronger Security
Securityaffairs
a month ago
security-affairs-malware-newsletter-round-5
DARKReading
9 months ago
Feds Snarl ALPHV/BlackCat Ransomware Operation
CERT-EU
6 months ago
MGM Resorts’ Cyberattack Headache Continues as Regulators Launch Investigations
DARKReading
a month ago
Ransomware Gangs Exploit ESXi Bug for Instant, Mass Encryption of VMs
DARKReading
2 months ago
Teenage Scattered Spider Suspect Arrested in Global Cybercrime Sting
Securityaffairs
2 months ago
UK police arrested a 17-year-old linked to Scattered Spider gang
Securityaffairs
2 months ago
Security Affairs Malware Newsletter - Round 3
Securityaffairs
2 months ago
Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
DARKReading
2 months ago
Microsoft: Scattered Spider Widens Web With RansomHub & Qilin
InfoSecurity-magazine
2 months ago
Pharmacy Giant Rite Aid Hit By Ransomware
Securityaffairs
2 months ago
Security Affairs Malware Newsletter - Round 2
Trend Micro
2 months ago
An In-Depth Look at Crypto-Crime in 2023 Part 2
Securityaffairs
2 months ago
Security Affairs Malware Newsletter - Round 1
Securityaffairs
2 months ago
Security Affairs newsletter Round 478 by Pierluigi Paganini – INTERNATIONAL EDITION
Securityaffairs
3 months ago
Security Affairs newsletter Round 477 by Pierluigi Paganini – INTERNATIONAL EDITION
DARKReading
3 months ago
CISO Corner: Critical Infrastructure Misinformation; France's Atos Bid