The Federal Bureau of Investigation and the Cybersecurity and Infrastructure Security Agency have exposed new details about the cybercrime group Scattered Spider and its collaboration with the notorious ALPHV/BlackCat ransomware operation in an advisory published on Friday.
According to a Bleeping Computer report, Scattered Spider — tracked under multiple aliases including 0ktapus, Starfraud, and Octo Tempest — has been responsible for some of the most high-profile ransomware attacks in recent years. The fluid collective of English-speaking hackers, some as young as 16, has relied on cunning social engineering tactics to breach the networks of companies like MailChimp, Reddit and Twilio.
Now, the FBI reveals that select members of Scattered Spider have joined forces with ALPHV/BlackCat, the Russia-based ransomware cartel behind major attacks on oil giant Shell and Costa Rica’s government. This alliance allows the Scattered Spider actors to encrypt and lock systems using BlackCat, then extort victims for ransom payments.
Experts say Scattered Spider’s loose, decentralized structure makes the group difficult to track. The FBI knows the identities of at least 12 individuals but has yet to prosecute any members. Some are also believed to be part of “The Comm,” a network of hackers involved in recent violent crimes.
Scattered Spider’s access tactics exploit human vulnerabilities. Posing as IT staff, they trick employees into handing over credentials via SMS phishing, phone calls, and fake domain names impersonating corporate services. Once inside, they covertly install RAT malware and monitoring tools to steal data and learn about incident response efforts in Slack or email. This allows Scattered Spider to evade detection, create fake accounts to move laterally and determine how victims are trying to kick them out.
The advisory warns that the group takes an interest in source code, certificates, and credential repositories.
Experts urge strengthening MFA, email security, network segmentation, and patching to defend against the MITRE techniques listed by the FBI. They also advise implementing robust data recovery plans and offline backups to support recovery after an attack.
The exposure of Scattered Spider’s inner workings sheds light on the human infrastructure behind sophisticated cybercriminal networks executing ransomware attacks. It also exemplifies the evolving cyber threat landscape, where threat actors share capabilities to maximize profits from extortion.