Dangerous Ransom Gang Scattered Spider Shifts Focus From UK to US Retail

May 28, 2025

Tushar Subhra Dutta reports in Cyber Security News that the sophisticated cybercrime group UNC3944, also known as Scattered Spider, has shifted its operations from UK-based retail organizations to US companies, according to research conducted by Google Cloud.

Scattered Spider is known for its aggressive social engineering tactics, making it especially dangerous for large enterprises with extensive outsourced IT services.

The group’s campaigns have evolved from SIM-swapping schemes to more damaging ransomware and data extortion attacks.

Scattered Spider originally targeted telecommunications companies to enable SIM-swapping but pivoted to ransomware deployment and data theft in early 2023.

It has since expanded its reach, targeting retail organizations because of the large volumes of personally identifiable and financial data they hold. Notably, Mandiant reports that in 2025, retail victims comprise 11.4% of those listed on data leak sites, up from 8.5% in 2024.

The group’s operations span English-speaking countries, with recent incursions into Singapore and India. Although Scattered Spider activity decreased following law enforcement actions in 2024, its ties to a broader network suggest a potential swift resurgence.

Scattered Spider uses advanced social engineering techniques to infiltrate organizations. Its methods include SMS phishing, impersonation via help desk calls, MFA fatigue attacks, and fake internal communications on platforms like Microsoft Teams.

In extreme cases, the group has employed intimidation tactics, including doxxing threats. These approaches are designed to compromise authentication and gain internal access without deploying technical exploits.

Law departments and law firms should be vigilant given their sensitivity to data privacy and financial integrity. They should implement stringent identity verification protocols, disable vulnerable authentication factors such as SMS and email, and adopt phishing-resistant solutions, like FIDO2 keys.

Proactive monitoring of help desk interactions and enhanced staff training on social engineering threats are critical.

 
