Before getting to Scattered Spider, I’d like to ask your support for our Kickstarter Campaign to fund the 2nd Issue of Yours Truly, Johnny Dollar. We’ve already hit our funding goal, but we’d love to get some more backers. In the 2nd issue Johnny travels to Milan to stop a ransomware attack against a water treatment facility while dodging hitmen bent on killing him. If you love pulp detective stories and hate ransomware, I promise you will love this issue.
CISA released an excellent report on Scattered Spider [PDF] this week, and Scattered Spider has been top of mind, rightfully so, for many security teams. Scattered Spider is believed to be a group of younger threat actors, most likely based in Western countries (some have suggested London and New York, but I am not sure there is evidence for that). The fact that they are native, or near-native, English speakers has allowed them to pull off attack types that other groups struggle with, especially social engineering attacks.
What is interesting to me about Scattered Spider is that while they are generally lumped in with ransomware groups, they are more chaos agents than ransomware actors, and that is an important distinction. Their primary focus seems to be causing trouble; making money is secondary.
They have definitely made money, but in cases where I have been involved they seemed more interested in disrupting operations and generating headlines; the money was almost secondary. Even when they have deployed the ALPHV/BlackCat ransomware, they have only done so sporadically and not in the typically disruptive manner.
Microsoft has also reported that they will often send mocking or threatening messages to security teams or other employees of victim networks, threatening to get them fired or to shoot up their homes.
There has been a lot of good advice about how organizations can protect themselves against Scattered Spider attacks. I won't try to repeat all of it here; instead I encourage you to read the CISA report. I also encourage you to check out the excellent reports from Mandiant and Microsoft.
But know that Scattered Spider is constantly evolving its techniques. So, while the reports above offer excellent advice, in a few months there may be new techniques that need to be addressed. This is one of the problems that many security teams face: newish attack vectors often evolve faster than security teams can keep up.
The one hope with a group like Scattered Spider is that, because they are likely located in a Western country, law enforcement will be able to arrest them soon. Not as soon as we would all like, but soon.