The FBI is warning organizations to guard against the Scattered Spider ransom group, which has already breached dozens of American firms over the past year and stolen their sensitive data for extortion – including the Las Vegas gaming and hotel giants MGM and Caesars in September.
The FBI alert follows a Reuters report this week that said the agency had struggled to stop the hacker group that is known to be skilled at using fake profiles and impersonations to trick a victim organization’s help desk into giving them access.
Besides joining forces with fellow ransomware operators ALPHV/BlackCat to carry out the attacks on casino companies MGM Resorts International and Caesars Entertainment, the group has intruded on various organizations, from telecom companies to healthcare groups, security researchers say.
The statement, issued jointly with the US Cybersecurity and Infrastructure Security Agency (CISA), sheds new light into how these hackers operate.
“Scattered Spider threat actors typically engage in data theft for extortion using multiple social engineering techniques and have recently leveraged BlackCat/ALPHV ransomware alongside their usual TTPs.” the bulletin states.
One of the more common phishing techniques used by the gang – and believed to be used in the MGM attack – includes posing as an IT and/or helpdesk staff using a phone call or text message and then tricking the company employee into handing over their username and password to gain access to the network.
Even after they’ve gained access to an organization’s systems, Scattered Spider will continue checking its internal communication channels, such as Slack, Microsoft Teams, and Microsoft Exchange, for emails or conversations that might show if their breach had been discovered, the statement said.
The criminals “frequently join incident remediation and response calls and teleconferences, likely to identify how security teams are hunting them and proactively develop new avenues of intrusion in response to victim defenses,” the agencies said.
The FBI and CISA urged critical infrastructure organizations to implement a series of recommended security measures and urged victim organizations to share information about the hacks with the agencies.
Everything from a sample ransom note, communications with the threat group, its cryptocurrency wallet information, or samples of malicious files could be useful, the agencies said.
“FBI and CISA do not encourage paying ransom as payment does not guarantee victim files will be recovered,” they said, adding that ransom payments may embolden the hackers into going after more targets.
