FBI Issues Urgent Warning
The FBI has issued a warning about a significant uptick in attacks on U.S.-based organizations by the cybercriminal group Scattered Spider. Known for sophisticated social engineering and partnerships with ransomware crews, this group poses a growing threat to businesses in multiple critical industries. Organizations are encouraged to review their security posture immediately in light of this alert, focusing on Scattered Spider’s tactics. This means enforcing strict help desk verification, adopting phishing-resistant MFA, auditing remote access tools, and monitoring cloud accounts for token theft and privilege escalation. Proactive detection, incident response planning, and employee training are essential.
Scattered Spider (aka UNC3944 and Octo Tempest) is a financially motivated threat group that has become notorious for high-impact intrusions in the U.S. and other English-speaking countries. This group is best known for advanced social engineering tactics, including vishing (voice phishing) calls to help desks; credential theft and MFA bypass through phishing, prompt bombing, and SIM swapping; and cloud account takeovers exploiting stolen tokens and SSO abuse. Scattered Spider has also been observed deploying ransomware in partnership with the ALPHV/BlackCat operation, making them a double-extortion threat. They have been implicated in high-profile attacks on hospitality, telecommunications, and gaming companies, including the widely reported breaches of Marks and Spencer and Harrods and last year’s MGM Resorts International breach.
Scattered Spider’s attacks are a stark reminder that modern ransomware crews don’t just rely on malware—they rely on exploiting human mistakes. Defending against them requires more than signature-based security or conventional endpoint tools. Upsight was purpose-built to counter these advanced, human-operated threats.
The FBI and cybersecurity vendors warn that Scattered Spider has refined its social engineering playbook to bypass security controls, particularly targeting U.S.-based companies with large help desk operations. Their tactics include vishing campaigns that persuade IT support staff to reset passwords or MFA settings, smishing attacks that deliver credential-harvesting links via SMS, and MFA fatigue attacks designed to overwhelm users with push notifications until they approve access.
They also abuse remote management tools such as AnyDesk, TeamViewer, and ConnectWise ScreenConnect to establish persistent access. Once inside, they target cloud consoles using stolen session tokens or SAML manipulation to escalate privileges and expand control. Their operations typically involve stealing data for extortion before deploying ransomware payloads from ALPHV/BlackCat affiliates to maximize their leverage against victims.
The FBI and CISA have warned that Scattered Spider is among the most disruptive and damaging financially motivated threat groups active today. Their operations demonstrate high success rates in bypassing MFA through social engineering, a deep understanding of enterprise IT and help desk processes, hybrid on-premises and cloud compromise capabilities, and established partnerships with ransomware operations to maximize extortion impact. They have targeted industries such as hospitality and gaming, telecommunications, technology and SaaS, financial services, and healthcare. Recent warnings also highlight concerns for law firms and for airline and aviation services.
Organizations in these sectors should assume they are at elevated risk and take steps to review their security procedures, especially around help desk workflows and MFA enforcement. For instance, help desk procedures should be modified to require additional verification, such as a callback combined with verification of employee records using non-public information, particularly before resetting MFA tokens. Integrating your existing security with Upsight helps organizations close these critical security gaps by delivering advanced detection and response capabilities that specifically address social engineering-driven intrusions, unauthorized remote access, and ransomware deployment. With Upsight’s AI, companies can harden help desk processes, improve MFA resilience, and proactively detect the early stages of these sophisticated human-operated attacks.
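The MFA fatigue pattern and the help desk callback requirement described above can each be checked with a simple log correlation. The Python below is an added example, not FBI guidance or Upsight product code; the event labels, the 10-minute window and the threshold of four rejected pushes are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, user, event). The event labels are
# assumptions for this sketch, not any identity provider's real log schema.
SAMPLE_EVENTS = [
    ("2025-07-01T02:10:00", "alice", "push_denied"),
    ("2025-07-01T02:10:40", "alice", "push_timeout"),
    ("2025-07-01T02:11:15", "alice", "push_denied"),
    ("2025-07-01T02:12:05", "alice", "push_denied"),
    ("2025-07-01T02:12:30", "alice", "push_approved"),   # approval after a burst
    ("2025-07-01T09:00:00", "bob", "push_denied"),
    ("2025-07-01T09:00:20", "bob", "push_approved"),     # single retry, benign
    ("2025-07-01T13:55:00", "carol", "helpdesk_callback_verified"),
    ("2025-07-01T14:00:00", "carol", "helpdesk_mfa_reset"),  # verified first
    ("2025-07-01T16:30:00", "dave", "helpdesk_mfa_reset"),   # no callback
]

WINDOW = timedelta(minutes=10)  # assumed correlation window
BURST = 4                       # assumed number of rejected pushes that is abnormal

def detect(events, window=WINDOW, burst=BURST):
    """Return (user, rule, timestamp) alerts in time order."""
    alerts = []
    rejected = defaultdict(deque)  # user -> times of denied or unanswered pushes
    verified = {}                  # user -> time of last callback verification
    for ts, user, event in sorted(events):
        t = datetime.fromisoformat(ts)
        if event in ("push_denied", "push_timeout"):
            rejected[user].append(t)
        elif event == "push_approved":
            q = rejected[user]
            while q and t - q[0] > window:   # forget rejections outside the window
                q.popleft()
            if len(q) >= burst:
                alerts.append((user, "approval_after_push_burst", ts))
            q.clear()
        elif event == "helpdesk_callback_verified":
            verified[user] = t
        elif event == "helpdesk_mfa_reset":
            v = verified.pop(user, None)     # one verification covers one reset
            if v is None or t - v > window:
                alerts.append((user, "mfa_reset_without_callback", ts))
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

Both thresholds need tuning against an organization's own baseline of push retries and reset volume before the alerts are routed to responders.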
Our platform helps organizations detect and halt ransomware operations early—even before encryption can take place. It identifies and evicts attackers from affected endpoints quickly and safely, using patented methods to prevent repeat attacks by blocking second attempts. Upsight integrates seamlessly with your existing EDR and AV investments to strengthen your overall security posture without disruption.
If you’re concerned about Scattered Spider or other human-operated ransomware threats, contact us today to see how Upsight can help you improve your defenses.
Schedule a demo with Upsight and see how we can help you stay ahead of advanced ransomware threats.