The notorious Scattered Spider cybercrime group has become an affiliate of the RansomHub ransomware-as-a-service (RaaS) operator, according to an analysis by GuidePoint Security.
The researchers assessed with a high degree of confidence that at least some portion of Scattered Spider, a former ALPHV/BlackCat affiliate, is now conducting ransomware operations with RansomHub based on observed tactics, techniques and procedures (TTPs).
ALPHV/BlackCat appears to have disbanded after receiving a ransom payment from US healthcare firm Change Healthcare in March 2024, which has significantly impacted the RaaS ecosystem.
Experts at Infosecurity Europe highlighted how the collapse of BlackCat and LockBit, the latter following a law enforcement operation in February, has led to the emergence of a new RaaS model, who are increasingly competing with one another for affiliates.
One such RaaS group that has come onto the scene is RansomHub, which reportedly hit Change Healthcare’s owner UnitedHealth Group with a second extortion demand by threatening to publish data stolen in the original attack.
Scattered Spider’s Link to RansomHub
GuidePoint said its analysis began after responding to a ransomware attack seeking to impact an organization’s ESXi environment in early 2024.
The attack was later attributed to an affiliate of the RansomHub RaaS group, and subsequent threat hunting enabled the researchers to assess with high confidence that the same actor had previously performed ransomware attacks under the banner of BlackCat.
GuidePoint has since assessed with high confidence that this threat actor is either a present or former member of the Scattered Spider affiliate group. This is based on numerous factors relating to known Scattered Spider tools, TTPs and infrastructure.
FBI Lifts the Lid on Notorious Scattered Spider Group
Scattered Spider mainly engages in data theft for extortion, and is thought to be responsible for a number of high-profile ransomware incidents affecting large organizations in the past year, including MGM International, Caesars Entertainment and Okta.
The group is known for its social engineering skills, often posing as IT helpdesk staff to trick employees into handing over credentials, or using SIM swap or multifactor authentication (MFA) fatigue attacks to bypass two-factor authentication.
These skills have been augmented by the participation of allegedly Western and native-English-speaking affiliates, overcoming difficulties in translation and believability that complicate similar efforts for non-English speakers.
GuidePoint said that each of its incident response investigation that have involved a known or suspected Scattered Spider actor has included some element of social engineering.
After gaining initial access into a network, Scattered Spider has been observed using a range of tools and techniques to move laterally and exfiltrate data that overlap with certain RansomHub attacks. These include:
- SecretServerSecretStealer: A PowerShell script that allows for the decryption of passwords (and other items) stored within a Thycotic Secret Server installation
- ngrok: A legitimate reverse proxy tool that can create a secure tunnel to servers located behind firewalls or on local machines that do not have a public IP
- Remina: An open-source remote desktop client for POSIX-based operating systems, based on command-line instructions for installation via BASH
- Targeting of CyberArk: Scattered Spider has been observed targeting CyberArk for credential theft and lateral movement. GuidePoint said the group has exhibited similar behavior and capabilities in the form of a PowerShell script that interacts with the CyberArk Privileged Access Security (PAS) solution to pull account information from safes and export it to a CSV file
- Windows Registry Subkey Deletion: GuidePoint researchers discovered a batch script that deletes multiple registry subkeys and entries during its threat hunting efforts, which is almost certainly intended to circumvent Virus and Threat protection settings in Windows
The researchers added that they observed the use of scripts containing multiple step-by-step instructions, which may indicate the use of a systematic playbook. For example, comments appeared throughout a number of PowerShell and Python scripts that were executed by the threat actor on victim devices.
Additionally, there have been overlapping victims, based on evidence of past claimed victims attributed to Scattered Spider and/or BlackCat.
Combatting the Scattered Spider Threat
The GuidePoint blog noted that Scattered Spider’s use of open-source tools and likely preformulated scripts mean its tactics are not particularly novel, and align with threats commonly posed by most prolific ransomware groups.
The authors wrote: “The threat actor’s primary advantage over other groups thus lies mainly in their ability to persistently and convincingly conduct social engineering operations, and to remain persistent in their attempts to gain unauthorized access until detected and evicted.”
The firm said that user education and processes designed to verify the identity of callers are the two most effective ways to combatting Scattered Spider.