A Dangerous Alliance: Scattered Spider, RansomHub Join Forces

ReliaQuest has released a detailed investigation into a cyber intrusion that impacted a manufacturing company in October 2024. The attack has been attributed with high confidence to the predominantly English-speaking cyber collective “Scattered Spider,” now partnering with the notorious “RansomHub” gang.

Scattered Spider, previously known for affiliations with the ALPHV (BlackCat) ransomware group, has shifted its focus towards high-stakes ransomware attacks, now working with RansomHub to target large organizations for financial gain.

Key Findings from the Incident

The attackers gained access through a series of social engineering attacks targeting the company’s help desk. Within hours, they encrypted the company’s systems and sabotaged backups, causing significant disruption to operations. ReliaQuest’s investigation reveals the following critical points:

• Persistent Social Engineering: The attackers convinced the help desk to reset the Chief Financial Officer’s (CFO) account credentials. Upon finding that the account lacked sufficient permissions, they repeated the social engineering tactic to compromise a domain administrator account, gaining deeper access to the company’s infrastructure.
• Telecom Infrastructure Exploitation: Scattered Spider utilized Verizon IPv6 addresses to bypass security controls, leveraging telecommunications infrastructure with a clean reputation to gain network access undetected.
• ESXi Defense Evasion: The attackers spun up a virtual machine (VM) in the company’s ESXi environment, allowing them to evade security defenses like endpoint detection and response (EDR). This VM was used to conduct lateral movement, credential dumping, and data exfiltration before encrypting the systems.
• Rapid Execution: The speed of the attack was notable—within just six hours, the attackers had encrypted the organization’s systems. ReliaQuest’s timeline shows the attackers compromised two accounts within an hour of initial access and completed their malicious objectives in under ten hours, suggesting that multiple individuals facilitated the attack.

A Dangerous Alliance

Scattered Spider, also known as “UNC3944” or “Octo Tempest,” has been active since at least May 2022. The group, believed to consist of at least 1,000 English-speaking threat actors, has a history of engaging in cybercriminal activities such as SIM-swapping, identity fraud, and social engineering. These skills have been refined through their affiliation with The Community, a network of malefactors involved in selling social engineering services.

Scattered Spider initially served as an affiliate of ALPHV (BlackCat), attacking various entities, including US-based casinos. However, after ALPHV’s disbandment in February 2024, Scattered Spider began working with RansomHub. This new ransomware group has attracted affiliates by offering them 90% of the profits from attacks, keeping just 10% for malware developers—an irresistibly lucrative deal.

Since June 2024, security researchers have noted a rise in attacks deploying RansomHub malware, with tactics matching Scattered Spider’s social engineering methods. This partnership between Scattered Spider and RansomHub poses a significant threat, especially with the group’s ability to exploit telecom infrastructure and leverage advanced techniques like VM creation within targeted environments.

Attack Timeline and Analysis

ReliaQuest’s investigation breaks down the attack timeline and tactics used:

• Social Engineering Persistence: The attacker gained access to the CFO’s account, then pivoted to a domain administrator account using the same tactic when the first account proved insufficient.
• Telecom Abuse: By using Verizon’s clean IPv6 addresses, the attackers avoided detection by security systems, allowing for unrestricted access to the network.
• ESXi Environment Exploitation: The creation of a virtual machine within the company’s ESXi environment enabled the attackers to perform various malicious activities without being detected by standard security defenses.
• Speed and Coordination: The attackers moved quickly, with the entire operation—from gaining initial access to encrypting systems—taking place in just over six hours, underscoring the high level of coordination and the probable involvement of multiple individuals.

Mitigating the Threat

ReliaQuest’s report highlights the importance of implementing strong measures to prevent similar attacks. These include restricting access to sensitive resources like SharePoint, hardening ESXi environments, and enhancing help desk protocols to reduce the risk of social engineering.

 Companies are advised to regularly assess their security posture and remain vigilant as the tactics used by groups like Scattered Spider evolve.

For further details, read ReliaQuest’s full investigation here.