Scattered Spider is a Young Ransomware Gang Exploiting Large Corporations

In 2023, ransomware attacks resulted in hackers stealing a record-setting $1.1 billion in cryptocurrency, a record booty for ransomware gangs, according to a report by Chainalysis, a firm that specializes in tracing cryptocurrency transactions. This nearly doubled the $567 million recorded in 2022, marking the highest amount observed by Chainalysis in its five-year monitoring of ransomware payments. Other reports indicate a decrease in the number of victims actually paying ransoms, suggesting that ransom demands per attack have risen. 

So how can organizations protect themselves from becoming a victim? Chainalysis also attributes this surge in ransom payments partly to more criminal gangs participating in ransomware schemes. By understanding the tactics, techniques, and procedures (TTPs) of ransomware gangs as outlined by MITRE ATT&CK, implementing the appropriate defensive measures outlined by MITRE D3FEND, and undergoing pentesting to verify the effectiveness of security controls, organizations can close security gaps and reduce the attack surfaces that attackers exploit most often. This comprehensive approach enables them to proactively address vulnerabilities before they can be exploited, thereby enhancing their overall security posture and resilience against cyber threats.

In this article we will take a look at a relatively new and highly financially motivated threat actor named Scattered Spider that is known to be increasingly recruiting young Canadians to their team, and examine their techniques for gaining initial access and maintaining persistence within a target's infrastructure until they can deploy ransomware and extort their victims.

What is Scattered Spider?

Scattered Spider [G1015] (also known as UNC3944 and Roasted 0ktapus) is a new financially motivated English speaking cyber criminal organization that is known to be active since 2022. According to public reports, the members of Scattered Spider are very young adults in Western countries who primarily target IT and telecommunication companies, and their third party supply chain partners.

The group typically gains initial access to networks using sophisticated social engineering techniques to steal credentials via SMS phishing campaigns (aka Smishing) and are known to conduct ongoing spear-phishing attacks against an organization's staff after stealing employee databases and leverage of MFA fatigue attacks to steal MFA One-Time-Passcode (OTP) tokens. This strategy is effective for maintaining presence within an organization's network and facilitates lateral movement within it. They have also been observed using the Azure Serial Console to gain administrative access to virtual machines (VMs) by hijacking serial ports and are known to use Living Off The Land attack techniques to hide from defenders.

Scattered Spider maintains the end-goal of deploying ransomware and extortion campaigns against their victims. In September 2023 the group gained notoriety for their attack against MGM Resorts and Caesar Entertainment. In response, the Federal Bureau of Investigation (FBI) and Cybersecurity and Infrastructure Security Agency (CISA) released a joint Cybersecurity Advisory (CSA), adding Scattered Spider to their watch list in November 2023 (Alert Code AA23-320A).  Scattered Spider has also been associated with other cyber gangs BlackCat/ALPHV, Octo Tempest, Storm-0875.

Tracking Scattered Spider's TTP

Here's a structured breakdown of the Tactics, Techniques, and Procedures (TTPs) used by the cyber group Scattered Spider, including the specific malware and tools they employ across various stages of their attacks:

• Reconnaissance via LinkedIn: Scattered Spider utilizes LinkedIn to gather information about potential targets, including their roles and affiliations within companies

• Initial Access via EIGHTBAIT (0ktapus phishing kit): They gain initial network access by deploying the EIGHTBAIT phishing kit, which tricks users into revealing their credentials

• Persistence via RattyRat, bedevil, AADInternals: The group ensures persistent access through tools like RattyRat, bedevil, and AADInternals, which help maintain their foothold within compromised systems.

• Privilege Escalation via LINpeas, aws_consoler, STONESTOP, POORTRY, KDMapper, HashiCorp Vault, Trufflehog, GitGuardian, Jecretz, pacu: They escalate privileges using a variety of tools and scripts, including LINpeas and aws_consoler, to gain higher-level access and manipulate system processes

• Defense Evasion via privacy.sexy: Scattered Spider employs privacy.sexy to obscure their activities and evade detection by security systems

• Credential Access via Mimikatz, ProcDump, DCSync, LAPSToolkit, LaZagne, gosecretsdump: They use tools like Mimikatz and DCSync to steal credentials and further infiltrate networks.

• Discovery via RustScan, ADRecon, ADExplorer, PingCastle, MicroBurst, Advanced Port Scanner, Angry IP Scanner, Angry Port Scanner, SharpHound, CIMplant, ManageEngine, LANDESK, PDQ Inventor, Govnomi, PureStorage FlashArray: The group utilizes comprehensive scanning and enumeration tools such as RustScan and ADExplorer to discover resources, services, and vulnerabilities within the network

• Lateral Movement via Impacket, CitrixReceiver, CitrixWorkspaceApp, mobaxterm, ngrok, OpenSSH, proxifier, PuTTY, socat, Wstunnel, RDP, Cloudflare Tunnel client, Chrome Remote Desktop, PsExec, Sshimpanzee: They facilitate lateral movement across the network using tools like Impacket and CitrixReceiver to access additional systems and spread their reach

• Collection via Atomic, Vidar, Meduza, Raccoon, Snaffler, Hekatomb, Lumma, DBeaver, MongoDB Compass, Azure SQL Query Editor, Cerebrata, FiveTran, AveMaria: Scattered Spider collects data from compromised systems using software like Vidar and Meduza, targeting databases, documents, and sensitive information

• Command and Control via RMM tools, rsocx, NSOCKS, TrueSocks, Twingate: The group maintains command and control over compromised systems using remote management tools and custom SOCKS proxies to manage and direct the infected hosts.

• Exfiltration: Telegram, Rclone, MEGAsync, Storage Explorer: Data exfiltration is conducted via applications like Telegram and Rclone, allowing the group to send stolen data to external locations securely and stealthily

• Ransomware Impact via BlackCat: The final impact of their operations often involves deploying BlackCat ransomware to encrypt victim data and extort payments from the affected organizations

Conclusion

In 2023, reports indicate that ransomware attacks reached a new peak with hackers stealing a record $1.1 billion in cryptocurrency and the increase in ransom demands per attack suggests fewer victims but more significant financial impacts per victim. Organizations should understand and counteract the tactics, techniques, and procedures (TTPs) employed by these cybercriminal groups to proactively reduce their exposure to these threats and use security testing such as Ransomware Penetration Testing to verify their resilience against highly motivated targeted attacks. 

A focused look at Scattered Spider, a notably young and aggressive group, reveals their advanced methods in initial access, persistence, and evasion, culminating in severe ransomware attacks. Understanding such detailed TTPs of groups like Scattered Spider is crucial for developing effective defenses and mitigating the risks of ransomware attacks.