In the past week, several well-known British high street retailers have been hit by cyber-attacks. One famous brand is believed to have been targeted by a cybercriminal group called Scattered Spider.
The retailer suffered a significant ransomware attack causing widespread disruption to its operations, including payment systems and online order processing. It’s not yet been reported that any data has been stolen. The retail sector is extremely concerned.
The first of these attacks to reach the news was attributed to Scattered Spider (also known as Octo Tempest, UNC3944 and 0ktapus), a financially motivated threat group that has been active since at least May 2022.
The attack involved theft of the Active Directory database and deployment of ransomware on VMware ESXi servers. The investigation suggests the attackers infiltrated the company’s environment as early as February 2025, culminating in the deployment of the DragonForce ransomware encryptor on 24th April.
How does Scattered Spider operate?
The attack demonstrates Scattered Spider’s refined and adaptive tradecraft. The group leverages a multi-phase intrusion approach that showcases advanced social engineering and post-exploitation techniques:
Initial Access via Credential Theft: It’s believed that Scattered Spider stole an NTDS.dit file from the Windows domain controller as early as February. This file contains hashed credentials, which can be cracked offline to recover plain-text passwords.
Lateral Movement: With recovered credentials, the threat actors were able to move laterally across the environment, accessing high-value assets including VMware ESXi hosts.
Persistence and Privilege Escalation: Scattered Spider is known for using valid credentials and existing remote management tools to maintain access without triggering conventional detection mechanisms. No malware is initially dropped, allowing stealthy persistence.
Payload Deployment and Impact: On 24th April, the group deployed the DragonForce ransomware payload against ESXi infrastructure, maximising disruption by encrypting business-critical virtual machines.
Scattered Spider employed several MITRE ATT&CK techniques:
- Phishing: Spearphishing via Service
- OS Credential Dumping: NTDS
- Remote Services: SMB/Windows Admin Shares
- Data Encrypted for Impact
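Of the techniques listed above, the NTDS.dit theft is the one a defender can most readily catch on the domain controller itself. The following is an added example of that detection logic, not Quorum Cyber's code; it assumes Windows Security 4688 (process creation) events already parsed into dicts, a hypothetical domain controller inventory, and constructed sample events.

```python
"""Detection for the 'OS Credential Dumping: NTDS' step, run over constructed
Windows Security 4688 (process creation) events parsed into dicts.  Field names
follow the 4688 schema; the DC inventory and sample events are assumptions."""
import re

# Hypothetical domain controller inventory; replace with your own.
DOMAIN_CONTROLLERS = {"DC01", "DC02"}

# (rule name, regex on NewProcessName, regex on CommandLine).  Each is a common
# way of copying the locked NTDS.dit off a live DC, so a match on a DC merits review.
RULES = [
    ("ntdsutil IFM export", r"\\ntdsutil\.exe$", r"\bifm\b|\bntds\b"),
    ("VSS shadow of system volume", r"\\vssadmin\.exe$", r"create\s+shadow"),
    ("direct NTDS.dit reference", r"", r"ntds\.dit"),
]

def flag_ntds_access(events):
    """Return one alert dict per 4688 event on a DC that matches a rule."""
    alerts = []
    for ev in events:
        # Scoped to DCs, where the advice above asks for elevated monitoring.
        if ev.get("EventID") != 4688 or ev.get("Computer") not in DOMAIN_CONTROLLERS:
            continue
        proc, cmd = ev.get("NewProcessName", ""), ev.get("CommandLine", "")
        for name, proc_re, cmd_re in RULES:
            if re.search(proc_re, proc, re.I) and re.search(cmd_re, cmd, re.I):
                alerts.append({"rule": name, "host": ev["Computer"],
                               "user": ev.get("SubjectUserName", "?"), "cmd": cmd})
                break  # first matching rule is enough per event
    return alerts

# Constructed sample events: two suspicious on DCs, three that must not fire.
SAMPLE_EVENTS = [
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "svc_backup",
     "NewProcessName": r"C:\Windows\System32\ntdsutil.exe",
     "CommandLine": r'ntdsutil "ac i ntds" ifm "create full C:\ifm" q q'},
    {"EventID": 4688, "Computer": "DC02", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},
    {"EventID": 4688, "Computer": "DC01", "SubjectUserName": "SYSTEM",
     "NewProcessName": r"C:\Windows\System32\svchost.exe",
     "CommandLine": "svchost.exe -k netsvcs"},
    {"EventID": 4688, "Computer": "WKS01", "SubjectUserName": "jsmith",
     "NewProcessName": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin create shadow /for=C:"},  # not a DC: out of scope
    {"EventID": 4624, "Computer": "DC01", "SubjectUserName": "jsmith"},  # logon, not 4688
]

if __name__ == "__main__":
    print(*flag_ntds_access(SAMPLE_EVENTS), sep="\n")
```

Backup jobs legitimately run ntdsutil and vssadmin on DCs, so tune by account and schedule rather than suppressing the rules outright.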
“Given Scattered Spider’s evolving partnerships with ransomware groups like DragonForce, and its demonstrated interest in large enterprise victims, further attacks of this nature are likely,” says Jack Alexander, Senior Threat Intelligence Analyst at Quorum Cyber. “Retail, hospitality, and logistics organisations should elevate their monitoring of domain controller activity and implement anti-social engineering strategies such as contacting line management prior to credential request resets.”
Recommendations for retailers
Quorum Cyber’s Threat Intelligence team recommends that all companies, including retailers, take these steps to reduce the risk of falling victim to a cyber-attack by Scattered Spider:
- Enhance logging and monitoring across endpoints and identity systems
- Implement multi-factor authentication (MFA) across all sensitive environments
- Apply the principle of least privilege to credential access
- Run security awareness campaigns against social engineering tactics
Reducing the risk of supply-chain compromise
Furthermore, Quorum Cyber’s Incident Response (IR) team recommends that any business that interacts with a company that’s been hit by a cyber-attack should consider the risk of supply-chain compromise. It’s crucial that such businesses address the associated risks promptly. Organisations whose credentials grant access to the affected company’s systems should immediately revoke and change those credentials, enable MFA, and review access logs for unusual activity. Similarly, if the impacted company has access to your systems, revoke that access and reassess its permissions.
Conduct thorough security assessments to identify vulnerabilities, enhance monitoring for suspicious activities, and update your incident response plan. Strengthen vendor management with regular security audits, and provide ongoing security training to employees, ensuring that heightened vigilance is maintained for attacks such as phishing. Clear communication with stakeholders is vital to ensure transparency and coordinated response efforts.
Protect your business today
Contact Quorum Cyber to discuss how to protect your retail business from cybercriminals.