Casino cybercrime gang has already attacked over 100 companies, experts claim

Scattered Spider hasn’t been around for long, but is doing serious damage

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

The cybercrime gang reportedly behindrecent cyberattacks against several Las Vegas casinoshas been extremely active in its brief, two-year lifespan, a new report has claimed.

The findings from Mandiant on the group known as Scattered Spider states it may have successfully hit approximately 100 companies, including employees of Okta, a popular employee identity solutions provider.

The threat actors usually go for SMS phishing and phone-based social engineering, so in its very essence, this is a scam organization. By tricking people into giving away the login credentials to various company services, the group manages to wiggle its way intoendpoints, where it does all kinds ofmaliciousactivities, from stealing sensitive data to - in more recent times - deploying ransomware.

Moving to ransomware

This move into ransomware began in mid-2023, the researchers argue, claiming that is when the group’s “expansion in its monetization strategies” began.

“These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand," the analysis says. Mandiant tracks Scattered Spider as UNC3944. “Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services.”

When it goes phishing, the group uses three kits - Eightbait (used between late 2021 and mid-2022), and in newer times two unnamed kits, which were mostly used in parallel.

When it comes to ransomware, the group seems to have chosen BlackCat, also known as ALPHV. This is a known ransomware-as-a-service provider that’s been used in numerous high-profile ransomware attacks.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

“ALPHV operates as a RaaS and we have observed UNC3944 deploy this ransomware,” Mandiant’s threatintelteam toldThe Register. “In these partnerships, the operators of the ransomware will typically provide builds to its affiliates to distribute along with other related support services such as infrastructure that allows easy management of victims and extortion support (e.g. DDoS).”

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

Cisco issues patch to fix serious flaw allowing possible industrial systems takeover

Washington state court systems taken offline following cyberattack

Google TV will require more RAM for future upgrades – which might leave older TVs and streaming boxes behind