Source: Cisa.gov
💥 Who or What Is “Scattered Spider”?
Scattered Spider is a dangerous cybercriminal group that has recently targeted big companies, including their IT help desks. They're known for stealing sensitive data, installing malware, and demanding ransom. Think of them as high-tech thieves who trick people into giving them the keys to the digital castle.
They’re also known by other names like UNC3944, Octo Tempest, Scatter Swine, and Storm-0875—but no matter the name, the threat is real.
🧠 How Do They Break In?
Scattered Spider uses smart, sneaky tactics instead of brute force. Here’s how they get in:
Pretending to be IT staff and calling or texting employees.
Tricking employees into giving up passwords or clicking on fake support links.
SIM swap attacks – they convince phone companies to give them control of your phone number, allowing them to steal login codes.
MFA fatigue – they bombard users with endless login requests until someone accidentally clicks "Accept."
Buying passwords from illegal websites.
Once inside, they often install remote access tools, steal information, and sometimes lock up the company’s data for ransom.
💻 What Tools & Tricks Do They Use?
They’re clever – they often use legit software that companies already trust. Here are a few examples:
🛠️ Tool – 📋 What It Does
TeamViewer, AnyDesk, ScreenConnect – Remote access to computers
Ngrok, Teleport.sh – Create hidden tunnels into networks
Mimikatz, Raccoon Stealer – Steal passwords and cookies
DragonForce Ransomware – Locks files until a ransom is paid
📦 What Happens After They Get In?
Once inside a company’s system, Scattered Spider:
Spies around to find important data (like code, emails, and backups).
Moves through the network without getting caught.
Steals data and threatens to leak it unless paid.
Sometimes encrypts everything and demands ransom.
They even listen in on company Zoom or Teams calls to stay a step ahead of security teams. Creepy, right?
🚨 What’s New in July 2025?
They’ve added DragonForce ransomware to their arsenal.
They’re now faking employee identities more convincingly.
They're searching cloud systems like Amazon S3 and Snowflake to grab huge amounts of data fast.
They're joining incident response calls to spy on the response teams.
They're using fake social media profiles and constantly switching tactics to stay hidden.
🛡️ What Can You (and Your Company) Do to Stay Safe?
Here’s a simple checklist for non-tech folks and businesses:
✅ Use phishing-resistant Multi-Factor Authentication (MFA) – Avoid SMS codes. Use physical keys or apps like Google Authenticator.
✅ Keep backups of your data – Store them offline and test them regularly.
✅ Limit remote access tools – Only allow approved ones and block everything else.
✅ Update all software and systems – Hackers love old, unpatched programs.
✅ Train employees – Everyone should know how to spot fake IT calls, emails, and texts.
✅ Use strong, unique passwords – Avoid reusing the same ones and ditch “password123.”
✅ Turn off unused software ports – Like closing unused doors to your building.
✅ Monitor your network for strange activity – Use cybersecurity tools or hire professionals.
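Two of the checklist items above ("limit remote access tools" and "monitor your network for strange activity") can be turned into simple alerts. The script below is an added example, not part of the CISA advisory or this post: it flags remote-access and tunnelling tools from the table above that are not on an allowlist, and spots an MFA-fatigue burst of push prompts. The log fields, the sample records and the choice of ScreenConnect as the only approved tool are assumptions for the example.

```python
"""Added example (not from the CISA advisory or the original post).

Two defender-side checks drawn from the checklist, run over constructed
sample records:
  1. flag remote-access/tunnelling tools from the tool table that are not
     on an explicit allowlist;
  2. flag MFA push-fatigue bursts: many prompts for one user inside a
     short window.
Field names, log shape and the allowlist are assumptions for the example.
"""
from collections import defaultdict

# Tool names from the page; ScreenConnect is assumed to be the approved one.
REMOTE_ACCESS_TOOLS = {"teamviewer", "anydesk", "screenconnect", "ngrok", "teleport"}
APPROVED = {"screenconnect"}

# Constructed sample data: (host, process name) and (timestamp_s, user, result).
PROCESS_EVENTS = [("ws-01", "AnyDesk.exe"), ("ws-02", "ScreenConnect.ClientService.exe"),
                  ("srv-03", "ngrok.exe"), ("ws-04", "notepad.exe")]
MFA_EVENTS = [(t, "alice", "deny") for t in (0, 30, 60, 90, 120, 150)] + \
             [(0, "bob", "approve"), (400, "bob", "approve")]

def flag_unapproved_tools(process_events):
    """Return (host, process) pairs whose name matches a listed tool not in APPROVED."""
    hits = []
    for host, name in process_events:
        base = name.lower().rsplit(".", 1)[0]  # drop the extension, keep the rest
        for tool in REMOTE_ACCESS_TOOLS:
            if tool in base and tool not in APPROVED:
                hits.append((host, name))
                break
    return hits

def flag_mfa_fatigue(mfa_events, threshold=5, window=300):
    """Return users who received >= threshold MFA prompts within `window` seconds.
    Every prompt counts, approved or not: an approval after a burst is the case to chase."""
    by_user = defaultdict(list)
    for ts, user, _result in sorted(mfa_events):
        by_user[user].append(ts)
    flagged = []
    for user, times in by_user.items():
        start = 0
        for end in range(len(times)):          # sliding window over sorted timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged.append(user)
                break
    return flagged

if __name__ == "__main__":
    print("unapproved tools:", flag_unapproved_tools(PROCESS_EVENTS))
    print("MFA fatigue:", flag_mfa_fatigue(MFA_EVENTS))
```

Both checks are deliberately simple substring and time-window rules; in practice you would feed them from an EDR or identity-provider export and tune the threshold to your own baseline.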
⚠️ Important: Don’t Pay the Ransom
Even if your company gets hit, the FBI strongly advises against paying ransom. It doesn’t guarantee your files will be returned and it encourages more attacks.
Instead:
Report the attack to the FBI or CISA.
Provide as much info as you can (like ransom notes, emails, or what was accessed).
Cooperate with cybersecurity experts to contain and recover.
📝 Bottom Line
Scattered Spider is a fast-evolving, professional cybercrime group. They don’t break in using brute force—they trick people, exploit trust, and use legit tools against you.
But with a few smart precautions, you can make it much harder for them to succeed.
📞 If You Need Help or Want to Report an Incident
CISA 24/7 Hotline: 1-844-SAY-CISA (1-844-729-2472)
FBI’s Internet Crime Complaint Center (IC3): https://www.ic3.gov
Email: SOC@mail.cisa.dhs.gov
🔒 Stay alert. Stay secure. Cyber safety is everyone’s job.