The FBI and the Cybersecurity and Infrastructure Security Agency disclosed new information about the cybercrime group Scattered Spider and its collaboration with the notorious ALPHV/BlackCat ransomware operation in a recently published advisory.
Scattered Spider, also known as 0ktapus, Starfraud, and Octo Tempest, has carried out several high-profile ransomware attacks using clever social engineering tactics to breach the networks of companies such as MailChimp, Reddit, and Twilio.
It has been uncovered that certain members of Scattered Spider have teamed up with ALPHV/BlackCat, a Russia-based ransomware group responsible for major attacks on oil giant Shell and the government of Costa Rica. This partnership enables Scattered Spider to use BlackCat to encrypt systems and demand ransom from victims.
Due to its flexible and decentralized structure, Scattered Spider is difficult to track. The FBI has identified at least 12 individuals but has not prosecuted any of them yet. Some members are also believed to be linked to “The Comm,” a network of hackers involved in recent violent crimes.
Scattered Spider gains access by exploiting human vulnerabilities, posing as IT staff to trick employees into providing credentials through SMS phishing, phone calls, and fake domain names impersonating corporate services. Once inside, they install RAT malware and monitoring tools to steal data and observe incident response efforts in communication platforms. This allows them to avoid detection, create fake accounts to move laterally, and understand how victims are attempting to remove them.
The advisory warns of their interest in source code, certificates, and credential repositories.
Experts recommend strengthening multi-factor authentication, email security, network segmentation, and patching against the MITRE techniques listed by the FBI. They also advise implementing strong data recovery plans and offline backups to facilitate recovery after an attack.
The exposure of Scattered Spider’s operations sheds light on the human infrastructure behind sophisticated cybercriminal networks executing ransomware attacks, demonstrating the evolving cyber threat landscape, wherein threat actors collaborate to maximize profits from extortion.
Photo by Pixabay.
