{ "id": "db949fc1-440b-4656-b33f-1121dac18532", "created_at": "2026-04-06T01:30:47.955556Z", "updated_at": "2026-04-10T03:31:50.017568Z", "deleted_at": null, "sha1_hash": "32bfc62cad72fb530e6b909fbef4773cfeaf1643", "title": "'Scattered Spider' group launches ransomware attacks while expanding targets in hospitality, retail", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 82930, "plain_text": "'Scattered Spider' group launches ransomware attacks while\r\nexpanding targets in hospitality, retail\r\nBy Jonathan Greig\r\nPublished: 2023-09-18 · Archived: 2026-04-06 01:04:17 UTC\r\nHackers connected to a group known to researchers by names like \"Scattered Spider,\" \"0ktapus,\" and UNC3944\r\nhave moved beyond targeting telecommunication firms and tech companies into attacks on hospitality, retail,\r\nmedia and financial services.\r\nThe group made waves last week for its alleged role in a ransomware attack on MGM Resorts that caused chaos at\r\nseveral hotels in Las Vegas and drew the attention of not only federal law enforcement agencies but even the\r\nWhite House.\r\nIn a report late last week, security experts at cybersecurity firm and Google subsidiary Mandiant spotlighted the\r\ngroup’s evolution from relatively aimless — yet high-profile — data theft incidents on major tech firms to\r\nsophisticated ransomware attacks on a wide range of industries.\r\nThe researchers — who refer to the group as UNC3944 — said that since 2022, the hackers' calling card has been\r\n“phone-based social engineering and SMS phishing campaigns (smishing) to obtain credentials to gain and\r\nescalate access to victim organizations.” They initially focused on SIM swapping attacks that likely supported\r\nsecondary criminal operations.\r\nYet by the middle of 2023, the group began to deploy ransomware in victim environments, “signaling an\r\nexpansion in the group's monetization strategies.”\r\n“These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand;\r\nMandiant has already directly observed their targeting broaden beyond telecommunication and business process\r\noutsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment,\r\nand financial services,” the researchers said.\r\n“At least some UNC3944 threat actors appear to operate in underground communities, such as Telegram and\r\nunderground forums, which they may leverage to acquire tools, services, and/or other support to augment their\r\noperations.”\r\nUNC3944 initially made a name for itself with several high-profile attacks, including one on Coinbase in\r\nFebruary. The group, which is allegedly made up of U.S. and U.K.-based hackers, has shown skill with social-engineering techniques.\r\nGroup-IB calls the group “0ktapus” because it targets users of tech company Okta’s identity and access\r\nmanagement services. Typically it sends victims to lookalike pages to steal Okta credentials.\r\nhttps://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail\r\nPage 1 of 5\n\nDoes Scattered Spider seem to be everywhere? The scope of their intrusions since March 2022 from a\r\n@CrowdStrike perspective is pretty broad. They use social engineering, living off the land, and RMM\r\ntools before deploying ransomware or conducting extortion. pic.twitter.com/fP3Z1Mj0mW—\r\nadam_cyber (@Adam_Cyber) September 15, 2023\r\n“The methods used by this threat actor are not special, but the planning and how it pivoted from one company to\r\nanother makes the campaign worth looking into,” said Rustam Mirkasymov, head of cyber threat research at\r\nGroup-IB Europe.\r\n“0ktapus shows how vulnerable modern organizations are to some basic social engineering attacks and how far-reaching the effects of such incidents can be for their partners and customers.”\r\nFocus on data theft\r\nMandiant said the group has shown a consistent focus in stealing large amounts of sensitive data for extortion\r\npurposes and has a knack for understanding the contours of U.S. and European business practices, aiding their\r\nefforts in siphoning as much money as possible from victims.\r\nUNC3944 also rely heavily on publicly available tools, legitimate software and malware that they purchase on\r\nunderground forums.\r\nTheir most tried and true methods involve SMS phishing campaigns and calls to IT help desks, where they try to\r\nget password resets or bypass codes.\r\n“The threat actors operate with an extremely high operational tempo, accessing critical systems and exfiltrating\r\nlarge volumes of data over a course of a few days. The tempo and volume of systems UNC3944 accesses can\r\noverwhelm security response teams,” Mandiant explained.\r\n“Once obtaining a foothold, UNC3944 often spends significant time searching through internal documentation,\r\nresources, and internal chat logs to surface information that could help facilitate escalating privileges and\r\nmaintaining presence within victim environments. UNC3944 often achieves privilege escalation by targeting\r\npassword managers or privileged access management systems.”\r\nDuring ransomware attacks examined by Mandiant, the hackers tend to target specific virtual machines and other\r\nsystems that will cause significant impact to victims and force them to pay ransoms.\r\nIn the past, they have contacted company executives and employees with threatening messages, even infiltrating\r\ncommunication channels being used by victims to respond to incidents in some instances.\r\nMandiant said in the majority of cases where they identified the initial point of access, the hackers obtained\r\ncredentials after a smishing attack.\r\nUsing the stolen credentials, the hackers impersonated employees during calls with help desk officials, who\r\nprovided MFA codes or password resets.\r\nThey managed to obtain personal information about the employee being impersonated that allowed them to\r\nanswer security questions posed by help desk officials.\r\nhttps://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail\r\nPage 2 of 5\n\n“In one incident, UNC3944 social engineered the IT help desk to get the MFA token reset for account credentials\r\nthat may have been exposed on a laptop used by an IT outsourcing company contracted by the victim\r\norganization,” the researchers said.\r\n“Mandiant determined that RECORDSTEALER credential theft malware was installed on this laptop through a\r\nfake software download only a few weeks prior. UNC3944 typically uses stolen credentials to then establish a\r\nfoothold on victim environments.”\r\nThe hackers also use their access to internal systems to create phishing pages that look like legitimate single sign-on pages or service pages, fooling other employees into handing over even more credentials.\r\nIn addition to their skilled use of impersonation, Mandiant said it has identified three phishing kits that allow the\r\nhackers to send stolen credentials to a Telegram channel controlled by the actors, deploy remote management\r\nsoftware onto a victim device and more.\r\nUNC3944 has been seen using other credential theft tools, infostealers and data miners to move laterally within\r\nvictim networks\r\n“A common hallmark of UNC3944 intrusions has been their creative, persistent, and increasingly effective\r\ntargeting of victims’ cloud resources,” Mandiant said.\r\n“This strategy allows the threat actors to establish a foothold for their later operations, perform network and\r\ndirectory reconnaissance, and to access many sensitive systems and data stores while having minimal interaction\r\nwith what some organizations would traditionally consider their internal corporate network.”\r\nMandiant warned that the hackers continue to evolve their skill set and take advantage of internal system tools to\r\nperpetrate their attacks. The researchers said defenders should expect that these hackers will continue to improve\r\ntheir tradecraft and may expand their relationships with other groups for more support.\r\nIts initial success is likely what emboldened it to expand to attacks that are more disruptive and profitable,\r\nMandiant said, noting that the expansion into ransomware and extortion was likely to lead to the use of other\r\nstrains and methods of monetization to maximize profits.\r\nAlphV dispute\r\nA report from cybersecurity company Group-IB said a recent phishing campaign by the group resulted in 9,931\r\naccounts from more than 136 organizations being compromised — including Riot Games, Reddit and Twilio.\r\nWhile UNC3944 was initially identified as involved only in data theft, in recent months they allegedly have\r\ncoordinated with the BlackCat/AlphV ransomware gang — with several recent victims showing up on the group’s\r\nleak site.\r\nMembers of the group spoke to the Financial Times and TechCrunch last week, claiming their original goal was to\r\nattack MGM’s slot machines only and use paid mules to slowly milk the devices. But when that failed, they turned\r\nto their tried-and-true methods of attack, eventually encrypting the company’s systems.\r\nAccording to Telegram conversations with both outlets, the hackers were able to exploit remote login software and\r\nleaked VPN account information from MGM employees to move throughout the company’s system.\r\nhttps://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail\r\nPage 3 of 5\n\nAlphV has since come out to dispute these claims and deny that anyone connected to them spoke to news outlets –\r\ncausing confusion and igniting claims that the gang was either attempting to take credit for the MGM attack back\r\nfrom UNC3944 or attempting to draw law enforcement scrutiny away from the hackers.\r\nGet more insights with the\r\nRecorded Future\r\nIntelligence Cloud.\r\nLearn more.\r\nNo previous article\r\nNo new articles\r\nJonathan Greig\r\nhttps://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail\r\nPage 4 of 5\n\nis a Breaking News Reporter at Recorded Future News. Jonathan has worked across the globe as a journalist since\r\n2014. Before moving back to New York City, he worked for news outlets in South Africa, Jordan and Cambodia.\r\nHe previously covered cybersecurity at ZDNet and TechRepublic.\r\nSource: https://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail\r\nhttps://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail\r\nPage 5 of 5", "extraction_quality": 1, "language": "EN", "sources": [ "Malpedia", "ETDA" ], "references": [ "https://therecord.media/scattered-spider-ransomware-attacks-hospitality-retail" ], "report_names": [ "scattered-spider-ransomware-attacks-hospitality-retail" ], "threat_actors": [ { "id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8", "created_at": "2023-06-23T02:04:34.386651Z", "updated_at": "2026-04-10T02:00:04.772256Z", "deleted_at": null, "main_name": "Muddled Libra", "aliases": [ "0ktapus", "Scatter Swine", "Scattered Spider" ], "source_name": "ETDA:Muddled Libra", "tools": [], "source_id": "ETDA", "reports": null }, { "id": "7da6012f-680b-48fb-80c4-1b8cf82efb9c", "created_at": "2023-11-01T02:01:06.643737Z", "updated_at": "2026-04-10T02:00:05.340198Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "Scattered Spider", "Roasted 0ktapus", "Octo Tempest", "Storm-0875", "UNC3944" ], "source_name": "MITRE:Scattered Spider", "tools": [ "WarzoneRAT", "Rclone", "LaZagne", "Mimikatz", "Raccoon Stealer", "ngrok", "BlackCat", "ConnectWise" ], "source_id": "MITRE", "reports": null }, { "id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0", "created_at": "2023-10-03T02:00:08.510742Z", "updated_at": "2026-04-10T02:00:03.374705Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "UNC3944", "Scattered Swine", "Octo Tempest", "DEV-0971", "Starfraud", "Muddled Libra", "Oktapus", "Scatter Swine", "0ktapus", "Storm-0971" ], "source_name": "MISPGALAXY:Scattered Spider", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "6e23ce43-e1ab-46e3-9f80-76fccf77682b", "created_at": "2022-10-25T16:07:23.303713Z", "updated_at": "2026-04-10T02:00:04.530417Z", "deleted_at": null, "main_name": "ALPHV", "aliases": [ "ALPHV", "ALPHVM", "Ambitious Scorpius", "BlackCat Gang", "UNC4466" ], "source_name": "ETDA:ALPHV", "tools": [ "ALPHV", "ALPHVM", "BlackCat", "GO Simple Tunnel", "GOST", "Impacket", "LaZagne", "MEGAsync", "Mimikatz", "Munchkin", "Noberus", "PsExec", "Remcom", "RemoteCommandExecution", "WebBrowserPassView" ], "source_id": "ETDA", "reports": null }, { "id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9", "created_at": "2023-10-14T02:03:13.99057Z", "updated_at": "2026-04-10T02:00:04.531987Z", "deleted_at": null, "main_name": "Scattered Spider", "aliases": [ "0ktapus", "LUCR-3", "Muddled Libra", "Octo Tempest", "Scatter Swine", "Scattered Spider", "Star Fraud", "Storm-0875", "UNC3944" ], "source_name": "ETDA:Scattered Spider", "tools": [ "ADRecon", "AnyDesk", "ConnectWise", "DCSync", "FiveTran", "FleetDeck", "Govmomi", "Hekatomb", "Impacket", "LOLBAS", "LOLBins", "LaZagne", "Living off the Land", "Lumma Stealer", "LummaC2", "Mimikatz", "Ngrok", "PingCastle", "ProcDump", "PsExec", "Pulseway", "Pure Storage FlashArray", "Pure Storage FlashArray PowerShell SDK", "RedLine Stealer", "Rsocx", "RustDesk", "ScreenConnect", "SharpHound", "Socat", "Spidey Bot", "Splashtop", "Stealc", "TacticalRMM", "Tailscale", "TightVNC", "VIDAR", "Vidar Stealer", "WinRAR", "WsTunnel", "gosecretsdump" ], "source_id": "ETDA", "reports": null }, { "id": "e424a2db-0f5a-4ee5-96d2-5ab16f1f3824", "created_at": "2024-06-19T02:03:08.062614Z", "updated_at": "2026-04-10T02:00:03.655475Z", "deleted_at": null, "main_name": "GOLD HARVEST", "aliases": [ "Octo Tempest ", "Roasted 0ktapus ", "Scatter Swine ", "Scattered Spider ", "UNC3944 " ], "source_name": "Secureworks:GOLD HARVEST", "tools": [ "AnyDesk", "ConnectWise Control", "Logmein" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775439047, "ts_updated_at": 1775791910, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/32bfc62cad72fb530e6b909fbef4773cfeaf1643.pdf", "text": "https://archive.orkl.eu/32bfc62cad72fb530e6b909fbef4773cfeaf1643.txt", "img": "https://archive.orkl.eu/32bfc62cad72fb530e6b909fbef4773cfeaf1643.jpg" } }