BlackCat Ransomware and Beyond: Deciphering Scattered Spider’s Latest TTPs

The American agencies FBI and CISA have issued a joint warning regarding the activities of the hacker group Scattered Spider, composed predominantly of young individuals under the age of 20. This group, also known by various other monikers including Octo Tempest, 0ktapus, Starfraud, UNC3944, Scatter Swine, and Muddled Libra, garnered attention following assaults on major corporations such as MGM Resorts and Caesars Entertainment.

FBI officials have not disclosed information about the presence of group members in the USA and the UK, or about the number of victims seeking assistance. They mentioned only that the FBI is conducting an investigation concerning Scattered Spider.

According to the agencies’ profile, Scattered Spider possesses expertise in social engineering, employing various tactics including phishing, push bombing, and SIM swapping. In recent months, the group has also utilized the ransomware ALPHV/BlackCat in their attacks and has actively collaborated with other BlackCat affiliates.

The FBI and CISA urge affected companies to promptly report incidents of compromise, to increase the likelihood of detecting and halting future attacks by the group.

The issue of concealing information about attacks is quite prevalent in the USA. For instance, following the operation to dismantle Hive’s infrastructure, it was revealed that only 20% of victims reported the attack and sought help from law enforcement.

This reticence by organizations is likely linked to concerns over reputation and business stability, as there have been numerous instances where major companies have faced bankruptcy due to a plethora of lawsuits initiated after customer data breaches.

A report based on FBI investigations notes that Scattered Spider primarily targets the commercial sector. The hackers use social engineering to acquire credentials and install remote access tools, often circumventing multi-factor authentication.

In September, Lisa Monaco, the Deputy Attorney General of the USA, expressed concern over the involvement of youth in hacking activities, as is the case with Scattered Spider members, emphasizing the need to counter this trend.

According to last year’s report by Group-IB, Scattered Spider’s phishing campaign had already compromised nearly ten thousand accounts in over 130 organizations, including Riot Games and Reddit, highlighting the peril posed by this hacker conglomerate.

To mitigate the repercussions of Scattered Spider’s malicious activities, the FBI and CISA recommend that organizations implement regular and robust data backup, enforce multi-factor authentication, and introduce management tools for applications used within the company.