
Insights from our Scattered Spider Webinar: Protecting Your Firm from Emerging Cyber Threats

Aug 13, 2025

The threat actor group Scattered Spider has been making headlines for its waves of high-profile cyberattacks spanning several industries. The group is rapidly evolving and relies heavily on social engineering to deceive and manipulate its targets. On August 11th, 2025, Abacus Group and Blackpoint Cyber hosted an in-depth webinar, Inside Scattered Spider: Safeguarding Highly-Regulated Industries from Emerging Cyber Threats, covering who Scattered Spider is, the tactics the group employs, and the strategies organizations can follow to defend themselves as those tactics shift.

With expertise in frontline incident response and red team tactics, our panelists uncovered critical insights into Scattered Spider. If you missed it, learn more in the webinar summary below. 

Who is Scattered Spider & Why Are They Different?

Our panel of experts (Travis DeForge, Director of Cybersecurity at Abacus Group; Michael Brunetti, Senior Director of Incident Response at Abacus Group; and Andi Ursry, Senior Threat Intelligence Analyst at Blackpoint) joined moderator Jonathan Bohrer, President of Abacus Group, to discuss Scattered Spider and why they are a unique threat in the ever-evolving cybersecurity landscape.

During the session, the speakers highlighted what sets the group apart from other threat actors: it is not associated with a nation state, it relies primarily on social engineering, and its goal is ransomware payments rather than a political statement. The makeup of the group is also unusual, with most members being minors or young adults and native English speakers, commonly from the United States and the United Kingdom. The speakers also described the group's pattern of concentrating on one industry at a time, such as retail or insurance, wreaking havoc there, and then moving on to another vertical. The industries they choose typically share three characteristics: high-value data such as PII, complex IT infrastructure, and/or outsourced or vulnerable help desk operations, all of which apply to highly-regulated industries such as financial services and healthcare.

Understanding the Impact on Targets 

It is estimated that victims of Scattered Spider have lost between $9.5-25 million in ransom payments since May 2025. While this figure alone is significant, it does not account for the losses victims incur from downtime during an attack. Other side effects discussed include SEC disclosure obligations, cyber insurance costs and coverage implications, reputational damage, and the threat of double extortion (data encryption and exfiltration).

With these numbers in mind, the panelists stressed that any organization could be a target of a Scattered Spider ransomware attack. While it is usually the largest companies hit that make the headlines, Abacus Group's Incident Response team has helped small and midsized businesses across industries recover from breaches.

What Strategies Does Scattered Spider Use? 

One of the key takeaways from the discussion was that Scattered Spider deploys sophisticated social engineering techniques to target their victims. These strategies include: 

  • Buying employee and company information on the dark web to gain details about who they are impersonating, including social security numbers, employee IDs, and managerial structure, to build a convincing pretext
  • Calling the help desk and creating a sense of urgency to pressure action
  • Using native English speakers to add legitimacy when calling the help desk
  • Phishing and smishing via sending deceptive emails, SMS messages, or chats to trick users into revealing credentials
  • Posing as help desk staff to deceive employees into sharing confidential information or installing malicious software
  • Using deep-fake voice calls to impersonate executives or IT personnel  

After convincing the help desk to initiate a password reset and change MFA settings, Scattered Spider deploys remote access trojan (RAT) tools to establish access in the environment. Next, they audit the victim's infrastructure to identify sensitive and proprietary information and strategic targets, such as hypervisors and backups. Following this, the threat actor exfiltrates the data, encrypts systems, and sends a ransom demand.

In the event of an attack, there are several mistakes firms make within the first 48 hours, including: 

  • Letting backups and snapshots roll over
  • Restoring over infected systems
  • Not following or not having an incident response plan
  • Purchasing additional hardware
  • Not bringing in third-party expert vendors

In cases where an Incident Response partner such as Abacus Group was already in place, these expert vendors were able to disrupt a Scattered Spider attack before the attackers reached the data exfiltration and ransom phase.

How to Defend Your Organization Against a Cyberattack 

Our panelists pointed out an important fact: it is not necessary for organizations to have the most mature and cutting-edge security strategy; however, it is imperative that they not be the easiest target. They outlined core strategies that organizations need to have in place to stop Scattered Spider from advancing through their environment.

  • Initial Access: Inhibit social engineering tactics with advanced email security, phishing-resistant MFA, ongoing security awareness training, strengthened help desk protocols, and Zero Trust strategies.
  • Execution: Utilize endpoint MDR, cloud MDR, and application controls to increase visibility, spot unusual execution chains, and block unapproved software.
  • Persistence and Privilege Escalation: Identify the creation of new privileged accounts and escalation of group memberships through endpoint MDR, cloud MDR, phishing-resistant MFA, Zero Trust strategies, and strengthened help desk protocols.
  • Discovery: Rely on endpoint MDR and cloud MDR to detect reconnaissance and anomalous access patterns.
  • Lateral Movement: Follow Zero Trust strategies to isolate what threat actors can see and reach.
  • Post Compromise Activity: Work with a trusted partner that is experienced in incident response to begin immediate containment measures and bring in all necessary parties, including legal counsel, forensics, and restoration, to quickly recover your business.
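The persistence and privilege escalation detection above, and the help desk reset-then-MFA-change chain described earlier, can be expressed as a simple correlation rule. This is an added example, not code from the webinar or from Abacus Group or Blackpoint; the audit events are constructed, and the field names, action names, privileged group list and four-hour window are assumptions to be mapped onto your own IdP or SIEM schema.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity / help-desk audit events (not real logs).
# Field and action names are assumptions; map them to your IdP or SIEM schema.
SAMPLE_EVENTS = [
    {"ts": "2025-08-11T09:02:00", "target": "jdoe", "action": "helpdesk_password_reset", "detail": "ticket 1042"},
    {"ts": "2025-08-11T09:05:00", "target": "jdoe", "action": "mfa_method_changed", "detail": "new phone enrolled"},
    {"ts": "2025-08-11T09:40:00", "target": "jdoe", "action": "group_membership_added", "detail": "Domain Admins"},
    {"ts": "2025-08-11T10:15:00", "target": "asmith", "action": "helpdesk_password_reset", "detail": "ticket 1043"},
    {"ts": "2025-08-12T14:00:00", "target": "asmith", "action": "mfa_method_changed", "detail": "new phone enrolled"},
    {"ts": "2025-08-11T11:00:00", "target": "mlee", "action": "group_membership_added", "detail": "Finance-Readers"},
]

# Groups whose membership changes should always raise an alert (assumed list).
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Global Administrator"}
WINDOW = timedelta(hours=4)  # assumed: how close the reset and MFA change must be

def _ts(event):
    return datetime.fromisoformat(event["ts"])

def find_helpdesk_takeover_chains(events, window=WINDOW):
    """Per account, flag a help-desk password reset followed within `window` by an
    MFA method change (medium); if a privileged group add also follows, escalate
    to high. Returns {account: {"severity": ..., "reasons": [...]}}."""
    by_account = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_account[e["target"]].append(e)
    alerts = {}
    for account, evs in by_account.items():
        for reset in (e for e in evs if e["action"] == "helpdesk_password_reset"):
            t0 = _ts(reset)
            later = [e for e in evs if e is not reset and t0 <= _ts(e) <= t0 + window]
            mfa = [e for e in later if e["action"] == "mfa_method_changed"]
            if not mfa:
                continue  # a reset on its own is routine help desk work
            priv = [e for e in later if e["action"] == "group_membership_added"
                    and e["detail"] in PRIVILEGED_GROUPS]
            reasons = [f"password reset ({reset['detail']}) then MFA change at {mfa[0]['ts']}"]
            if priv:
                reasons.append("then privileged group add: " + ", ".join(p["detail"] for p in priv))
            alerts[account] = {"severity": "high" if priv else "medium", "reasons": reasons}
    return alerts

def privileged_group_adds(events):
    """Every privileged group add, chained or not, so new admin accounts are always seen."""
    return [(e["target"], e["detail"]) for e in events
            if e["action"] == "group_membership_added" and e["detail"] in PRIVILEGED_GROUPS]
```

On the sample data, jdoe is flagged high (reset, MFA change and Domain Admins add inside the window), while asmith is not because the MFA change came more than four hours after the reset.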

Watch the Recording

Scattered Spider is an ongoing threat, and security experts are persistently working to understand their latest tactics in order to protect businesses. If you couldn't attend the live session, you can access the webinar recording to learn more. For more insights on our cybersecurity offerings, contact us today.

If you believe you are the target of a cyberattack, email our 24x7x365 incident response team at inbound@entaracorp.com and an expert will respond within 15 minutes.


Learn more about how your firm can benefit from our comprehensive IT and cybersecurity services.
