Scattered Spider: Tactics, Techniques, and How to Defend Against the Most Prolific Threat Actor of 2026
Most ransomware coverage focuses on the malware. With Scattered Spider, that misses the point entirely.
The group — also tracked as UNC3944, Octo Tempest, Muddled Libra, and 0ktapus — doesn’t write ransomware. It licenses payloads from whichever Ransomware-as-a-Service operation is currently convenient (ALPHV/BlackCat in 2023, DragonForce in 2025, various others in between) and focuses its entire operational effort on a different problem: getting into the target by talking someone into letting them in. And over the past three years, that focus has made Scattered Spider the most consistently effective financially-motivated threat actor in the Western enterprise landscape.
The demographic profile is unusual. Members are predominantly native English speakers in their late teens and early twenties, based primarily in the US and UK, operating as a loose collective rather than a hierarchical organisation, and — as multiple arrests have confirmed — young enough that the criminal prosecutions involve teenagers. A 17-year-old was arrested in connection with the MGM attack. In July 2025, three teenagers and a 20-year-old were arrested in the UK over the M&S, Co-op, and Harrods intrusions, with one suspect identified as a Latvian national. This is not a state-sponsored group. It is not a Russian-speaking cybercrime syndicate. It is a cluster of English-speaking young adults who have internalised one lesson more deeply than most security teams: if you can impersonate the right help-desk caller at the right moment, technical controls become almost irrelevant.
This article is the permanent reference page for Scattered Spider on this site. It will be updated as new campaigns emerge. The structure below covers who the group is and how it evolved, the five core TTPs that have defined their attacks, the major incidents of the last three years and what each taught defenders, and the practical controls that have actually worked against them.
Who Scattered Spider is (and who they’ve become)
The group first came to broader attention in 2022 with a series of intrusions targeting customer support infrastructure at technology and telecommunications firms. The early campaigns used SIM-swap attacks to take over phone numbers, then leveraged SMS-based multi-factor authentication resets to compromise accounts. Twilio, MailChimp, and a long tail of smaller SaaS providers were among the victims. Analysts at Mandiant and CrowdStrike began tracking the activity as UNC3944 and Octo Tempest respectively, but the name that stuck publicly was Scattered Spider.
In 2023, the group pivoted from technology targets to consumer-facing enterprises with high operational leverage. The September 2023 attacks on MGM Resorts International and Caesars Entertainment became the defining case study. MGM resisted payment and faced approximately ten days of disrupted operations across its Las Vegas properties — slot machines offline, room keys inoperable, manual check-ins. Caesars paid a reported $15 million ransom and continued operating. Both attacks started the same way: an English-speaking caller contacted the IT help desk, convincingly impersonated an employee, and persuaded the help desk to reset credentials or MFA factors.
The MGM incident was what made Scattered Spider a board-level name. It demonstrated that the group was willing to target any enterprise, that traditional MFA was not sufficient protection, and that help desks — universally considered low-risk operational functions — were actually the organisation’s single most exposed security surface.
After a period of relative quiet through 2024, punctuated by the Q4 2024 arrests that Coveware attributed to coordinated law enforcement action, the group returned in Q2 2025 with extraordinary focus. The new approach was sector-sequential: rather than hitting opportunistic targets across industries, the group concentrated on a single vertical, attacked multiple high-profile victims within it in rapid succession, and then pivoted cleanly to the next vertical.
The sequence through 2025 was retail (UK chains M&S, Co-op, and Harrods in April; US retailers through the summer), then insurance (Philadelphia Insurance, Erie Insurance, and Aflac in June; at least four other large insurers over the following months), then aviation (Qantas and others), and then manufacturing (Jaguar Land Rover in September). Each sector campaign lasted approximately six to ten weeks. During each, the group appeared to be applying lessons learned from earlier victims within the same vertical — the same help-desk pretexts worked repeatedly because the processes being exploited were effectively identical across the sector.
In late 2025, a further complication emerged. A Telegram channel calling itself “Scattered Lapsus$ Hunters” began claiming attacks and issuing extortion demands, representing a collaboration — or at least a branded alliance — between Scattered Spider, Lapsus$ (the Brazilian-origin group behind the Nvidia, Samsung, and Rockstar Games attacks of 2022), and ShinyHunters (historically a data-broker cybercrime crew). The JLR intrusion in September 2025 was claimed under this banner. Whether “Scattered Lapsus$ Hunters” represents genuine operational integration or a marketing umbrella is debated in the threat intelligence community; what is not debated is that the same core TTPs — help-desk impersonation, identity compromise, rapid privilege escalation — run through all of the attacks claimed under the joint banner.
The five core TTPs
Scattered Spider’s technical methodology has evolved but its operational pattern has remained strikingly consistent. Five techniques define almost every intrusion attributed to the group.
Help-desk impersonation. The initial access vector in the majority of documented Scattered Spider incidents is a phone call (or increasingly a Teams or Slack message) to the target’s IT help desk, with an attacker convincingly impersonating an employee — often a specific named executive or IT staff member whose details have been harvested from LinkedIn or prior breaches. The pretext typically involves a lost phone, a forgotten password, or an MFA device failure. The attacker asks the help desk to reset credentials or register a new MFA device. A help desk following standard procedure — which in most organisations does not require biometric or video verification of the caller — will complete the reset, handing over account access.
The sophistication here is linguistic and social, not technical. Native English-speaking attackers with intimate familiarity with corporate lingo, the target’s IT ticketing system, and the employee’s personal context (harvested from social media and prior data breaches) defeat standard help-desk verification in a way that scripted offshore callers cannot.
SIM-swap and MFA bypass. Where help-desk social engineering isn’t the initial vector, Scattered Spider has consistently used SIM-swap attacks against mobile phone carriers to hijack the target’s phone number, then leveraged SMS or voice-based MFA resets to compromise accounts. This was the dominant pattern in the 2022 Twilio and MailChimp intrusions. SIM-swap volume has declined somewhat as carriers have tightened procedures and organisations have moved away from SMS MFA, but the technique is still in active use against targets that retain SMS-based authentication for any critical systems.
Beyond SMS bypass, the group has used MFA fatigue (flooding a target with push notifications in the hope they’ll approve one to make it stop), adversary-in-the-middle (AitM) phishing kits like Evilginx to intercept session tokens and bypass legitimate MFA, and — in incidents where cloud identity providers are involved — token theft to impersonate an already-authenticated session.
On-premises Active Directory compromise first. Microsoft’s July 2025 advisory on Octo Tempest flagged an important shift: earlier Scattered Spider campaigns used cloud identity privileges (Entra ID, Okta) to reach on-premises systems, but recent activity has reversed the pattern — compromising on-premises Active Directory infrastructure first and then pivoting into cloud environments. This makes detection harder for organisations whose security monitoring is weighted toward cloud identity events.
The on-premises-first pattern is typically achieved by social-engineering a user with AD privileges, then rapidly escalating through known misconfigurations (Kerberoasting, overly-permissive delegation, exposed service accounts) to domain admin. Once the group has DA, cloud compromise often follows through federated SSO paths, synchronised credential stores, or trust relationships that were deployed for convenience rather than security.
Data exfiltration before encryption. Scattered Spider does not rely on ransomware encryption as its primary extortion lever. Data exfiltration typically happens first — sometimes weeks before any encryption or visible disruption — and in a significant proportion of incidents, no encryption occurs at all. The group has exfiltrated data through standard cloud storage providers (MEGA, Backblaze, rclone-to-cloud pipelines), through SaaS-to-SaaS transfer paths that look like legitimate business activity, and through direct upload from compromised endpoints.
This matters for detection because it means the conventional “ransomware is happening now, systems are locked” detection signal often doesn’t fire. By the time the victim knows anything has happened, exfiltration is complete and the extortion demand arrives by email or Telegram rather than through a locked-screen ransom note.
Rapid high-profile extortion and media engagement. Unlike most ransomware operators who prefer low-profile negotiation, Scattered Spider actively engages with journalists, posts screenshots on Telegram, and deliberately amplifies the public profile of their attacks. The JLR intrusion was claimed publicly on Telegram within days. The BBC was contacted directly during the M&S campaign. The group treats media visibility as a negotiation lever — public attention accelerates executive panic, regulatory attention, and cyber insurance involvement, which they correctly judge increases payment likelihood.
What the major incidents taught defenders
Each major Scattered Spider campaign has produced specific defensive lessons, most of which generalise across organisations.
The MGM and Caesars attacks in September 2023 established that help-desk process is a first-class security control. Both organisations had strong perimeter security, MFA, and endpoint protection. Neither had a help-desk verification procedure that could distinguish a legitimate employee call from a prepared social engineer. After the incidents, hospitality sector help-desk policies universally shifted toward video verification, callback to verified numbers, and manager approval for sensitive credential resets. The 2024 and 2025 sector campaigns against retail and insurance demonstrated that these lessons had not generalised across other industries — the same attacks worked because the same processes remained in place.
The M&S, Co-op, and Harrods UK retail campaign in April 2025 demonstrated the power of sector sequencing. All three retailers ran similar IT service models, some used the same third-party managed service providers, and the help-desk procedures were functionally equivalent across the three. Scattered Spider moved between victims in weeks, using refinements learned from each attack against the next. M&S disclosed approximately £300 million in cumulative operational impact from the incident. The UK arrests that followed — the four suspects detained in July 2025 — are among the most visible criminal proceedings against Scattered Spider members to date, but the NCA has been cautious about claiming the full operational cluster has been dismantled.
The US insurance sector campaign in June 2025 — Philadelphia Insurance, Erie Insurance, Aflac — demonstrated the group’s pivot toward sectors with sensitive data and high regulatory leverage. Insurance companies hold PII, health information, and financial data in volumes that make data-exfiltration extortion extremely effective. The Aflac incident is particularly instructive: the company disclosed that while attackers may have accessed PII and health information of customers, employees, and others, operational systems were not encrypted and the intrusion was contained within hours. This appears to have been a data-exfiltration-only attack, and Aflac’s relatively fast containment is a template for what rapid detection and response looks like against this group.
The Jaguar Land Rover intrusion in September 2025, claimed by the Scattered Lapsus$ Hunters alliance, caused production shutdowns at multiple UK plants including Halewood and lasted several weeks. The attackers referenced a SAP NetWeaver vulnerability as the alleged entry point, though JLR has not publicly confirmed the initial access vector. The insurance industry reaction was telling — underwriters flagged the incident as a test case for how cyber policies respond to prolonged manufacturing outages, supply chain cascade effects, and ambiguous attribution between collaborating threat actors.
The healthcare sector warning issued by the US Department of Health and Human Services Healthcare Cybersecurity Coordination Center in late 2025, supported by Sophos and Trend Micro 2026 threat assessments, flagged healthcare as the next likely concentrated campaign target. Healthcare shares the characteristics that made retail and insurance attractive to the group: outsourced help-desk functions, heavy SaaS reliance, and significant financial leverage from operational disruption.
The controls that actually work
Defences against Scattered Spider are not exotic. The group’s methodology exploits weaknesses that are well-documented, widely present, and — in most organisations — correctable with existing tooling. Five control areas matter more than the rest.
Help-desk verification hardening. This is the single most impactful control. Help-desk procedures for credential resets, MFA re-registration, and account unlocks should require video verification against an HR-maintained photo, callback to a verified internal number, or in-person verification. A properly-designed procedure should make it impossible for a single help-desk agent, following standard process, to reset credentials for a high-privilege account based on a phone call alone. Several organisations that have been attacked by Scattered Spider and defended successfully have shared that the attack failed at this step — a help-desk agent refused to proceed without video verification, and the attacker disconnected.
Phishing-resistant MFA for all privileged accounts. FIDO2 hardware keys, passkeys with biometric verification, or certificate-based authentication eliminate the bypass paths Scattered Spider relies on. SMS, voice, and push-based MFA are all known to be bypassable and should be removed from any privileged access path. This is non-negotiable for administrator accounts, executive accounts, and any account with access to sensitive data or infrastructure.
Identity threat detection. Scattered Spider’s actions inside a compromised environment — privilege escalation, AD enumeration, cloud credential harvesting, unusual cross-tenant access — produce detectable signals. Identity-focused detection platforms (Microsoft Defender for Identity, Varonis, Proofpoint’s identity-threat products, SentinelOne’s identity products) are designed to catch these patterns. The general-purpose EDR that most organisations already have will also catch some of this, but identity-layer visibility is the layer where Scattered Spider’s movement is most exposed. For comparisons of the zero-trust IAM platforms that form the foundation of this defence, see our guide to Okta vs Entra ID vs Ping for enterprise.
On-premises Active Directory hardening. The shift toward compromising AD first makes traditional AD security hygiene urgent. Tier 0 asset protection, privileged access workstations, elimination of stale or over-privileged service accounts, regular AD security assessments, and removal of known-misconfigured delegation paths are all foundational. Microsoft’s Active Directory hardening guidance and the ANSSI AD checklist both remain good starting references. Cloud-only organisations are not exempt — most still have some synchronised identity infrastructure that can be pivoted through.
SaaS and OAuth hygiene. Scattered Spider’s recent campaigns have increasingly leveraged SaaS-to-SaaS OAuth trust relationships to expand access once a single user is compromised. Reviewing and restricting OAuth grants, implementing SaaS security posture management (SSPM) tooling, and maintaining visibility over cross-SaaS integrations reduces the blast radius of any single account compromise.
For organisations looking to anchor these controls in a recognised certification scheme, UK Cyber Essentials Plus covers several of the foundational requirements (MFA, privileged access, patching), though it doesn’t extend to the help-desk process or identity-threat-detection elements that matter most specifically against this group.
Incident response considerations specific to Scattered Spider
When the group is confirmed or suspected as the threat actor in an incident, several response considerations differ from a typical ransomware engagement.
Assume cloud compromise even if the visible impact is on-premises, and vice versa. Scattered Spider routinely pivots between environments, and the visible symptoms often understate the scope of access. Forensic scoping should include cloud audit logs, SaaS access logs, and federated identity trust paths from the first hour of the investigation.
Treat data exfiltration as having already occurred until proven otherwise. The group’s preference for exfiltration-based extortion means that even if no encryption has happened, data may have already left the environment. Network egress analysis, cloud storage API logs, and DLP telemetry from the two to four weeks before detection should all be reviewed.
Expect media engagement from the threat actor. Prepare communications leadership early. Scattered Spider has contacted journalists, posted screenshots on Telegram, and deliberately amplified the public profile of their attacks. A reactive, no-comment posture gives the attacker narrative control.
Engage law enforcement early. The FBI in the US and the NCA in the UK have active investigations into Scattered Spider and have made multiple arrests. Reporting incidents early both supports the collective investigation and — in the US — creates the voluntary-disclosure record that OFAC considers a mitigating factor if any payment decision arises. For the operational sequence of the first 72 hours of any ransomware response, see the 72-hour response playbook.
Who’s next
Threat intelligence consensus at the start of 2026 — across Sophos, Trend Micro, Microsoft, and the HHS healthcare-specific warning — points to healthcare as the next concentrated sector target for Scattered Spider. The characteristics match: large organisations with outsourced help desks, heavy SaaS dependence, sensitive regulated data, and severe consequences from operational disruption. Healthcare organisations in the US, UK, and EU should be treating the threat as imminent rather than theoretical.
Financial services, legal services, and higher education have also been flagged as plausible next targets. All three share the sector characteristics that have made Scattered Spider’s approach effective. All three have, on average, help-desk processes that would not reliably defeat a competent social engineer.
The other groups operating at the top of the threat landscape — Qilin, Akira, and Lynx — work differently from Scattered Spider and are covered separately in our guide to the ransomware groups dominating 2026. But Scattered Spider remains the group whose methodology most directly tests the controls that matter — help-desk process, phishing-resistant MFA, identity threat detection — and whose success rate most directly reflects whether those controls are in place and working.
Frequently asked questions
Who is Scattered Spider and what other names are they known by? Scattered Spider is a financially-motivated cybercrime group, predominantly English-speaking and based primarily in the US and UK, that has conducted some of the most high-profile ransomware and extortion attacks since 2022. They are also tracked as UNC3944 by Mandiant, Octo Tempest by Microsoft, Muddled Libra by Palo Alto Unit 42, and 0ktapus in earlier coverage. In 2025, members began operating under the “Scattered Lapsus$ Hunters” banner alongside Lapsus$ and ShinyHunters affiliates.
What’s the most effective defence against Scattered Spider? Help-desk verification hardening is the single most impactful control. Most Scattered Spider intrusions start with a phone call to the IT help desk. Requiring video verification, callback to verified internal numbers, or manager approval for credential and MFA resets defeats the attack at its first step. Phishing-resistant MFA (FIDO2, passkeys) closes the secondary bypass paths.
Have Scattered Spider members been arrested? Yes. Multiple arrests have been made, including a 17-year-old in connection with the MGM attack and four individuals (three teenagers and a 20-year-old) in the UK in July 2025 over the M&S, Co-op, and Harrods incidents. However, the group operates as a loose collective rather than a hierarchical organisation, and arrests to date have not appeared to meaningfully disrupt ongoing operations.
Why is Scattered Spider so successful against large enterprises? Two reasons. First, they are native English speakers with deep familiarity with corporate IT environments, which defeats help-desk verification procedures designed around a different threat model. Second, they target systemic weaknesses — help-desk process, MFA configuration, AD hygiene — that are widespread across industries and rarely hardened until after an incident. Their technical sophistication is modest; their social and operational sophistication is not.
Is Scattered Spider a ransomware group? Technically, no — they don’t develop ransomware. They operate as Ransomware-as-a-Service affiliates, licensing payloads from whichever RaaS operation suits the current campaign. In 2023 they used ALPHV/BlackCat. In 2025 they used DragonForce. Increasingly, they conduct data-exfiltration extortion without any encryption component, which means traditional “ransomware” framing understates the breadth of what they do.
What sectors are most at risk from Scattered Spider in 2026? Healthcare is the top consensus forecast for 2026, based on the HHS advisory and Sophos/Trend Micro threat assessments. Financial services, legal services, and higher education are also plausible next targets. Any organisation with outsourced help-desk functions, heavy SaaS reliance, and high operational-disruption leverage should consider itself in the target set.
How do I know if Scattered Spider has compromised my organisation? Key indicators include: unusual help-desk ticket activity around MFA resets or credential changes for privileged accounts; logins from unexpected geographic locations or device types; unusual AD enumeration or privilege assignment; large outbound data transfers to cloud storage services; and any extortion communication claiming a breach, regardless of whether systems appear encrypted. Identity-focused detection tooling is the most likely to catch the group’s movement; standard EDR alone is frequently insufficient.
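As an added example (not the article’s or any vendor’s code), the following correlation strings together the indicators listed in this FAQ answer and the identity-layer signals discussed under “Identity threat detection”: a credential or MFA reset on a privileged account without strong verification, a sign-in within 24 hours from a country or device outside that user’s baseline, and a large transfer to a cloud storage host in the following four weeks. Users, field names, thresholds and log records are constructed assumptions for the example.

```python
"""Correlating help-desk, sign-in and egress telemetry for the Scattered Spider
indicators this page lists.  Added example; all records and field names are
constructed, and real sources would be the ticketing system, the IdP sign-in
log and proxy/NetFlow or cloud-storage API logs."""
from datetime import datetime, timedelta

PRIVILEGED_USERS = {"j.doe", "svc_backup_admin"}        # constructed
CLOUD_STORAGE_HOSTS = {"mega.nz", "backblazeb2.com"}   # providers named on the page
STRONG_VERIFICATION = {"video", "callback", "in_person"}  # controls the page recommends

# Constructed sample records (hypothetical formats).
TICKETS = [
    {"ts": "2025-06-02T09:14:00", "user": "j.doe", "action": "mfa_reset", "verified_by": "none"},
    {"ts": "2025-06-02T10:03:00", "user": "svc_backup_admin", "action": "mfa_reset", "verified_by": "video"},
    {"ts": "2025-06-02T11:30:00", "user": "a.smith", "action": "password_reset", "verified_by": "none"},
]
SIGNINS = [
    {"ts": "2025-05-20T08:00:00", "user": "j.doe", "country": "GB", "device": "lt-0142"},
    {"ts": "2025-06-01T08:05:00", "user": "j.doe", "country": "GB", "device": "lt-0142"},
    {"ts": "2025-06-02T09:41:00", "user": "j.doe", "country": "US", "device": "unknown-7f3a"},
    {"ts": "2025-05-28T08:00:00", "user": "svc_backup_admin", "country": "GB", "device": "srv-bk01"},
    {"ts": "2025-06-02T10:20:00", "user": "svc_backup_admin", "country": "GB", "device": "srv-bk01"},
]
EGRESS = [
    {"ts": "2025-06-09T02:10:00", "user": "j.doe", "dst_host": "mega.nz", "bytes": 38_000_000_000},
    {"ts": "2025-06-03T12:00:00", "user": "svc_backup_admin", "dst_host": "backup.internal", "bytes": 90_000_000_000},
]


def _t(rec):
    return datetime.fromisoformat(rec["ts"])


def correlate(tickets, signins, egress, signin_window=timedelta(hours=24),
              egress_window=timedelta(days=28), min_bytes=1_000_000_000):
    """One finding per reset on a privileged account, listing the indicators
    observed after it.  An empty reasons list means nothing corroborated it."""
    findings = []
    for tk in tickets:
        if tk["user"] not in PRIVILEGED_USERS or tk["action"] not in {"mfa_reset", "password_reset"}:
            continue
        t0 = _t(tk)
        reasons = []
        if tk["verified_by"] not in STRONG_VERIFICATION:
            reasons.append("reset_without_strong_verification")
        # Baseline = countries and devices this user used before the reset.
        prior = [s for s in signins if s["user"] == tk["user"] and _t(s) < t0]
        known_countries = {s["country"] for s in prior}
        known_devices = {s["device"] for s in prior}
        for s in signins:
            if s["user"] != tk["user"] or not (t0 <= _t(s) <= t0 + signin_window):
                continue
            if s["country"] not in known_countries:
                reasons.append("post_reset_signin_new_country")
            if s["device"] not in known_devices:
                reasons.append("post_reset_signin_new_device")
        # Exfiltration may trail the reset by weeks, so the egress window is long.
        for e in egress:
            if (e["user"] == tk["user"] and e["dst_host"] in CLOUD_STORAGE_HOSTS
                    and e["bytes"] >= min_bytes and t0 <= _t(e) <= t0 + egress_window):
                reasons.append("large_egress_to_cloud_storage")
        findings.append({"user": tk["user"], "reset_at": tk["ts"], "reasons": sorted(set(reasons))})
    return findings


def high_confidence(findings, min_reasons=3):
    """Findings where the weak reset, an anomalous sign-in and cloud egress line up."""
    return [f for f in findings if len(f["reasons"]) >= min_reasons]


if __name__ == "__main__":
    for finding in correlate(TICKETS, SIGNINS, EGRESS):
        print(finding)
```

On the constructed data the video-verified reset on svc_backup_admin produces an empty finding, while j.doe’s unverified reset is corroborated by a new-country, new-device sign-in and a 38 GB transfer to MEGA a week later.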