Scattered Spider Seen Targeting US Companies
The threat actors behind the recent ransomware attacks on UK-based Marks & Spencer and Harrods are now targeting retailers in the United States, according to Google Threat Intelligence Group.
Speaking to Bleeping Computer, John Hultquist, Chief Analyst at Google Threat Intelligence Group, said,
The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider… The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note.
Bleeping Computer was the first to report on Marks & Spencer's cyber incident, which the company later confirmed via an official statement. Later, it was discovered that threat actors with known ties to Scattered Spider encrypted virtual machines on VMware ESXi hosts with a DragonForce encryptor. Shortly after this incident, Harrods confirmed they had suffered a cyberattack. DragonForce claimed responsibility for these attacks.
This raises the question of how DragonForce and Scattered Spider are linked. In March 2025, DragonForce rebranded itself as a "cartel," transitioning to a distributed model that allows affiliates to create their own "brands" within its infrastructure. This model provides affiliates with administration and client panels, encryption and ransom negotiation tools, file storage systems, a Tor-based leak site, and support services. Under this model, Scattered Spider threat actors have adopted DragonForce tools and infrastructure for their own attacks.
It is important to remember that, although the media tends to lump this activity under the Scattered Spider umbrella, the name refers to a very loosely knit collection of threat actors who share specific tactics, which makes their activity challenging to track. However, Mandiant has uncovered links between DragonForce and Scattered Spider that deserve a deeper dive.
DragonForce and Scattered Spider Partner Up
The Google Threat Intelligence Group initially reported a noticeable decline in activity from Scattered Spider following successful law enforcement actions in 2024. The threat group, known for its aggressive social engineering tactics and impersonation of IT staff, is a financially motivated actor previously linked to major cybersecurity incidents. Despite the lull, recent activity consistent with Scattered Spider's methods has been observed in ransomware attacks targeting UK retailers, with the DragonForce ransomware group claiming responsibility.
Mandiant researchers highlighted that DragonForce operators recently asserted control over RansomHub, a ransomware-as-a-service (RaaS) platform believed to have shut down in early 2025. This may signal an operational pivot for Scattered Spider, which previously partnered with RansomHub after the ALPHV (BlackCat) RaaS shutdown.
Historically, Scattered Spider began its operations with SIM-swapping attacks targeting telecoms, but by 2023, it had shifted toward ransomware and data extortion across various industries. Its targets have included financial services, food services, and now retail. The retail sector has seen a steady increase in victimization, accounting for 11% of data leak site victims in 2025, up from 8.5% in 2024.
Retailers are seen as attractive targets because they store large amounts of personally identifiable information (PII) and financial data. They may be more likely to pay ransoms to restore transaction capabilities. Scattered Spider commonly gains initial access by exploiting help desks through impersonation and social engineering, making robust identity verification processes critical. Tactics often include impersonating users to reset passwords or register for multifactor authentication (MFA).
Mandiant recommends the following when defending against threat actors like DragonForce and Scattered Spider:
- First, organizations should ensure visibility across their identity systems and infrastructure, enforce strict identity segregation, and implement phishing-resistant MFA like FIDO2 security keys. SMS, phone calls, and email-based authentication should be eliminated in favor of more secure alternatives.
- Endpoint protection must include verifying device posture before access is granted, ensuring all devices run approved software, have updated operating systems, and have active Endpoint Detection and Response (EDR) tools. Access tokens and authentication keys should be revoked when needed, and MFA changes should be monitored for suspicious activity.
- To prevent lateral movement, security researchers urge organizations to restrict the use of local accounts for remote access and to apply firewall rules blocking common attack vectors such as SMB, RDP, and PowerShell remoting. Group Policy Objects should be configured to restrict logon types for privileged accounts.
- Critical systems, including virtualization platforms, backups, and Privileged Access Management (PAM) systems, should be segmented from production networks, use unique credentials, and require strong authentication. VPN settings must be locked down to prevent evasion of monitoring tools.
- Cloud environments should be continuously monitored for unauthorized changes, and external scanning should identify and secure exposed IPs or domains. To limit social engineering risks, communication restrictions should be placed on tools like Microsoft Teams.
- Finally, awareness training is crucial. Employees should be educated on identifying phishing, impersonation, MFA fatigue attacks, and threats via collaboration tools. Organizations are urged to monitor authentication behaviors and conditional access settings to detect compromise early and respond effectively.
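The initial-access pattern described above (a help-desk-assisted password reset followed by a new MFA registration or a sign-in from an unfamiliar location) and the recommendation to monitor MFA changes and authentication behavior can both be turned into a simple audit-log check. The script below is an added example written for this article; it is not code from PCrisk, Mandiant or Google, and the event schema, field names, sample events and the 60-minute window are all assumptions chosen for illustration.

```python
"""Flag help-desk-assisted account takeover patterns in identity audit events.

Added example (not from the article or the vendors it cites). It scans a
constructed list of identity-provider audit events for:
  1. registration of a weak, non-phishing-resistant MFA method (SMS/voice/email);
  2. an operator-assisted password reset followed, within a short window, by a
     new MFA registration or a sign-in from an IP never seen for that user.
The event schema (ts, user, type, ip, method, actor) is an assumption.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, NOT real logs. Timestamps are ISO 8601 UTC.
SAMPLE_EVENTS = [
    {"ts": "2025-05-12T08:55:00Z", "user": "alice", "type": "signin", "ip": "203.0.113.10", "method": "fido2"},
    {"ts": "2025-05-12T09:02:00Z", "user": "alice", "type": "password_reset", "actor": "helpdesk-op7", "ip": "198.51.100.4"},
    {"ts": "2025-05-12T09:06:00Z", "user": "alice", "type": "mfa_method_registered", "ip": "198.51.100.4", "method": "sms"},
    {"ts": "2025-05-12T09:07:00Z", "user": "alice", "type": "signin", "ip": "198.51.100.4", "method": "sms"},
    {"ts": "2025-05-12T10:00:00Z", "user": "bob", "type": "password_reset", "actor": "self-service", "ip": "203.0.113.22"},
    {"ts": "2025-05-12T14:00:00Z", "user": "bob", "type": "signin", "ip": "203.0.113.22", "method": "fido2"},
    {"ts": "2025-05-12T11:30:00Z", "user": "carol", "type": "mfa_method_registered", "ip": "203.0.113.31", "method": "voice"},
]

# Methods the guidance says to eliminate in favour of phishing-resistant MFA.
WEAK_MFA_METHODS = {"sms", "voice", "email"}
# How long after an assisted reset a follow-up event is considered linked (assumed tuning value).
RESET_FOLLOWUP_WINDOW = timedelta(minutes=60)


def _parse_ts(value):
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def detect_suspicious_activity(events, window=RESET_FOLLOWUP_WINDOW):
    """Return a list of (user, rule, detail) tuples, in chronological order."""
    alerts = []
    events = sorted(events, key=lambda e: _parse_ts(e["ts"]))
    known_signin_ips = defaultdict(set)  # user -> IPs seen on earlier sign-ins
    open_resets = {}                     # user -> time of last operator-assisted reset

    for ev in events:
        user, ts, kind = ev["user"], _parse_ts(ev["ts"]), ev["type"]

        # Rule 1: any registration of a weak MFA method is a policy violation.
        if kind == "mfa_method_registered" and ev.get("method") in WEAK_MFA_METHODS:
            alerts.append((user, "weak_mfa_registered", ev["method"]))

        if kind == "password_reset":
            # Only resets performed by an operator fit the impersonation pattern;
            # self-service resets are tracked separately by the IdP's own controls.
            if ev.get("actor") != "self-service":
                open_resets[user] = ts
        elif user in open_resets and ts - open_resets[user] <= window:
            # Rule 2: follow-up activity shortly after an assisted reset.
            if kind == "mfa_method_registered":
                alerts.append((user, "reset_then_mfa_registration", f"{ev['method']} at {ev['ts']}"))
            elif kind == "signin" and ev["ip"] not in known_signin_ips[user]:
                alerts.append((user, "reset_then_new_ip_signin", ev["ip"]))

        if kind == "signin":
            known_signin_ips[user].add(ev["ip"])
    return alerts


def summarize(alerts):
    """Count alerts per user so a reviewer can see who needs a follow-up call."""
    counts = defaultdict(int)
    for user, _rule, _detail in alerts:
        counts[user] += 1
    return dict(counts)


if __name__ == "__main__":
    for user, rule, detail in detect_suspicious_activity(SAMPLE_EVENTS):
        print(f"{user:8} {rule:28} {detail}")
    print(summarize(detect_suspicious_activity(SAMPLE_EVENTS)))
```

On the constructed events, alice triggers all three rules (weak SMS method registered minutes after an assisted reset, then a sign-in from an IP she has never used), carol triggers only the weak-method rule, and bob's self-service reset followed by a sign-in from his usual IP five hours later produces nothing. The point of correlating on the reset rather than on any single event is that each step on its own looks like routine help-desk work; it is the sequence, tied to one user within a short window, that matches the impersonation tradecraft the article describes.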
Karolis Liucveikis
Experienced software engineer, passionate about behavioral analysis of malicious apps
Author and general operator of PCrisk's News and Removal Guides section. Co-researcher working alongside Tomas to discover the latest threats and global trends in the cyber security world. Karolis has experience of over 8 years working in this branch. He attended Kaunas University of Technology and graduated with a degree in Software Development in 2017. Extremely passionate about technical aspects and behavior of various malicious applications.
PCrisk security portal is brought by a company RCS LT.
Joined forces of security researchers help educate computer users about the latest online security threats. More information about the company RCS LT.
Our malware removal guides are free. However, if you want to support us you can send us a donation.