Ransomware Alliances Amplify Threat of Skilled Social Engineering Actors Scattered Spider
In October 2024, a manufacturing organization experienced a ten-hour intrusion orchestrated by Scattered Spider, a social engineering threat group now identified with ties to the RansomHub ransomware collective. In a detailed investigation reported by ReliaQuest, Scattered Spider infiltrated the organization's network by targeting its help desk to reset passwords and multi-factor authentication (MFA) devices, ultimately compromising the Chief Financial Officer's (CFO) account. This access paved the way for broader infiltration across the organization's systems, with additional accounts compromised, including removing and resetting MFA on critical accounts. Because Scattered Spider is known as highly capable in social engineering, its collaboration with RansomHub amplifies the threat. ReliaQuest notes, "Russia-aligned threat actors have been reluctant to collaborate with English-speaking counterparts."
ReliaQuest’s attack analysis, led by cyber intelligence analyst Hayden Evans and threat hunter James Xiang, provides detailed insights into the sequence of malicious actions carried out during the intrusion. Scattered Spider’s initial step involved contacting the help desk to reset the CFO’s account and add a new MFA device. Evidence from Okta logs showed verification through a Google Voice phone number, with SMS used to supply the MFA code. After successfully accessing the CFO’s account, the attackers targeted the Thycotic password vault through its Okta application, though insufficient permissions initially blocked further access. However, reconnaissance through the organization’s SharePoint instance enabled the discovery of a domain administrator account. Repeating their social engineering tactics, the attackers secured a password reset on this account, which carried Okta Super Administrator privileges, allowing further infiltration of critical systems.
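The help-desk reset followed minutes later by a newly added MFA device is the pattern a defender would want to catch in the Okta System Log. The following is an added detection example, not code from ReliaQuest or the article; it assumes the Okta eventType names shown (taken from Okta's published System Log schema) and runs over constructed sample events.

```python
import json
from datetime import datetime, timedelta

# Okta System Log eventType values (assumed from Okta's published System Log schema).
RESET_EVENTS = {"user.account.reset_password", "user.mfa.factor.reset_all"}
ENROLL_EVENTS = {"user.mfa.factor.activate"}
WINDOW = timedelta(minutes=30)  # how soon after a reset a new factor is suspicious

# Constructed sample events: a help-desk password reset on the CFO account followed
# minutes later by a new MFA factor, plus an unrelated routine enrollment.
SAMPLE_LOG = """
{"eventType":"user.account.reset_password","published":"2024-10-14T13:02:10.000Z","actor":{"alternateId":"helpdesk@example.com","type":"User"},"target":[{"alternateId":"cfo@example.com","type":"User"}]}
{"eventType":"user.mfa.factor.activate","published":"2024-10-14T13:09:41.000Z","actor":{"alternateId":"cfo@example.com","type":"User"},"target":[{"alternateId":"cfo@example.com","type":"User"}]}
{"eventType":"user.mfa.factor.activate","published":"2024-10-14T09:15:00.000Z","actor":{"alternateId":"analyst@example.com","type":"User"},"target":[{"alternateId":"analyst@example.com","type":"User"}]}
"""

def parse_time(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S.%fZ")

def target_users(event):
    # Okta lists the affected user(s) under "target" with type "User".
    return [t["alternateId"] for t in event.get("target", []) if t.get("type") == "User"]

def find_reset_then_enroll(log_text, privileged, window=WINDOW):
    """Flag users whose password/MFA reset is followed within `window` by
    activation of a new MFA factor. Hits on `privileged` users rank high."""
    events = [json.loads(line) for line in log_text.strip().splitlines() if line.strip()]
    events.sort(key=lambda e: e["published"])  # same ISO format, so string order is time order
    last_reset = {}  # user -> (time, actor who performed the reset)
    findings = []
    for ev in events:
        when = parse_time(ev["published"])
        for user in target_users(ev):
            if ev["eventType"] in RESET_EVENTS:
                last_reset[user] = (when, ev["actor"]["alternateId"])
            elif ev["eventType"] in ENROLL_EVENTS and user in last_reset:
                reset_at, reset_by = last_reset[user]
                if when - reset_at <= window:
                    findings.append({
                        "user": user,
                        "reset_by": reset_by,
                        "minutes": round((when - reset_at).total_seconds() / 60, 1),
                        "severity": "high" if user in privileged else "medium",
                    })
    return findings

if __name__ == "__main__":
    for finding in find_reset_then_enroll(SAMPLE_LOG, {"cfo@example.com"}):
        print(finding)
```

The privileged set would normally be populated from Okta group membership (Super Administrators, domain admins) so that a reset-then-enroll on those accounts pages an analyst rather than landing in a queue.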
With these elevated privileges, the attackers modified authentication processes, disabled secondary MFA, and accessed the SentinelOne endpoint solution by impersonating a valid user. "By impersonating a user with SentinelOne permissions, they granted access to the domain administrator account, allowing them to access the SentinelOne console with view permissions," ReliaQuest reports. The attackers then exploited the organization's VPN and ESXi environments, deploying a virtual machine (VM) to evade detection while creating RDP connections across essential servers. From this VM, it was evident they captured the NTDS.dit file, the Active Directory database that houses the domain's credential data. Notably, ReliaQuest highlighted that despite EDR coverage, no alerts were triggered during this intrusion, likely because the attack was executed at the hypervisor level, which typically sits outside the visibility of logging and EDR agents at the operating system layer.
Following data exfiltration to Mega Cloud, the attackers issued a ransom demand by sending the ransom note via Microsoft Teams instead of a traditional README file. They successfully encrypted the organization’s ESXi environment and compromised both on-premises and cloud backups. ReliaQuest’s investigation revealed critical gaps in the organization’s response protocols. "In both instances, the help desk failed to follow the firm’s standard operating procedures (SOPs), resulting in the password and MFA information for the domain administrator account falling into the hands of the threat actor."
This incident underscores a concerning trend: highly skilled social engineering groups like Scattered Spider are increasingly collaborating with ransomware collectives such as RansomHub, leading to an escalation in both the scope and impact of cyberattacks. The expanding collaboration between threat actors and ransomware operations reflects an interconnected cybercriminal ecosystem, with groups increasingly leveraging Ransomware-as-a-Service (RaaS) models and affiliate partnerships to amplify their reach and efficacy. Notably, this report aligns with recent findings from Unit 42 on the Andariel group's connection to Play ransomware, demonstrating how alliances across different threat actor groups continue to fuel a complex, global cybercrime network.