17 June 2025

Spiders and Dragons Targeting Retailers: What do the insurance industry and retailers need to be on the lookout for?

The recent cyberattacks on major UK retailers have one name in common: DragonForce. This ransomware group, linked to breaches at Marks & Spencer, Harrods, and Co-op, has quickly become a household name for all the wrong reasons. But behind the scenes, there may be another actor pulling the strings to get initial access - Scattered Spider.

In recent days, reports suggest that Scattered Spider has shifted its sights to the insurance industry, particularly targeting U.S.-based organisations such as Erie Insurance and Philadelphia Insurance. While it has not yet been confirmed whether ransomware was deployed in these cases, signs of compromise are evident. An SEC filing by Erie Insurance says, “On June 7, 2025, Erie Indemnity Company (the "Company") identified unusual network activity, which the Company determined to be the result of an information security event. Upon learning of this activity, the Company activated its incident response protocols and took immediate action to respond to the situation to safeguard our systems.”

Despite the name, Scattered Spider is no myth. It is a loosely connected network of primarily English-speaking cybercriminals, known for high-impact attacks such as those on MGM Resorts and Caesars Entertainment in the U.S. Formerly affiliated with the BlackCat/ALPHV ransomware strain, the group is now believed to be selling access to compromised environments to third parties such as DragonForce, turning initial breaches into full-blown ransomware campaigns, and may be operating as DragonForce affiliates.


How Scattered Spider Infiltrates Organisations

What makes Scattered Spider particularly dangerous is their preference for social engineering over technical exploits. Their tactics include:

  • Vishing and Smishing: Impersonating IT personnel via phone or SMS to manipulate employees into resetting passwords or bypassing multi-factor authentication (MFA).

  • SIM Swapping: Tricking telecom providers into transferring an employee’s phone number to a new SIM card, allowing full control of SMS-based MFA.

  • Credential Harvesting: Creating highly realistic phishing sites mimicking login portals, distributed via email or SMS.

  • Underground Marketplaces: Credentials can be purchased from underground marketplaces, including those harvested by information-stealer malware.

  • Threats and Intimidation: In some rare cases, resorting to coercion and psychological pressure to gain access.

These methods bypass many conventional technical controls. That’s why the defence must start with process and people.

What You Can Do Right Now

To counter these evolving tactics, organisations must rethink their identity verification and incident response playbooks. Solace Cyber recommends:

  • Enforce Video Verification for Resets: All password and MFA resets should be validated via live video call. Require official ID (e.g., staff badge, driver’s license) shown on camera - without pre-warning callers this check is required.
  • Prohibit Legacy MFA: Where possible, disable SMS and call-based MFA in favour of app-based or hardware token alternatives.
  • Restrict SIM Swapping: Work with telecom providers to disallow SIM swaps on corporate accounts unless verified via secure, pre-approved channels.
  • Empower Anonymous Reporting: Ensure employees - particularly IT staff - can report suspicious behaviour or coercion without fear of retaliation.
  • Phishing Simulation and Training: Conduct regular, realistic phishing exercises with tailored training to build awareness and resilience.

Signs of a Breach: What to Watch For

Once inside, the attackers in DragonForce incidents typically follow a loosely structured playbook. Key indicators include:

  • Active Directory Enumeration: Use of tools like PingCastle to map weaknesses.
  • Backdoor Installation: Deployment of AnyDesk, rPivot, and Cobalt Strike to establish persistence and remote control.
  • Credential Dumping: Exploiting backup tools like Veeam using scripts such as Get-Veeam-Creds.ps1.
  • Unusual Accounts: Creation of local and AD accounts that cannot be explained.
  • Unusual Outbound Traffic: Data exfiltration via platforms like Amazon S3 or Wasabi, often using tools like Rustic.
  • Encryption Activity: Ransomware payloads launched from C:\PerfLogs\win.exe, with files renamed and encrypted using the .dragonforce_encrypted extension.
  • Ransom Notes: Typically named readme.txt and placed in affected directories.
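The indicators above are the kind of thing a SOC can turn into a first-pass detection rule. The following is an added example, not code from the Solace Cyber post: a small scanner that applies the listed indicators (the C:\PerfLogs\win.exe payload path, the .dragonforce_encrypted extension, readme.txt notes across many directories, the named tools and script, unexplained account creation) to endpoint telemetry. The record layout (one JSON object per line with host, event, image, cmdline, target and account fields) and the sample events are constructed for this example, and the readme.txt directory threshold is an assumption; map the fields onto your own EDR or SIEM schema.

```python
"""
Added example (not from the Solace Cyber post): scan constructed endpoint telemetry
for the DragonForce breach indicators listed in the post. Field names, sample events
and the readme.txt threshold are assumptions made for this example.
"""
import json
import re
from collections import Counter

# Tool and script names taken from the indicator list in the post.
SUSPECT_TOOLS = {
    "pingcastle.exe": "Active Directory enumeration (PingCastle; allow-list your own audit runs)",
    "anydesk.exe": "remote access tool (AnyDesk) outside the RMM inventory",
    "rpivot.exe": "tunnelling backdoor (rPivot)",
    "get-veeam-creds.ps1": "Veeam credential dumping script",
    "rustic.exe": "exfiltration tool (Rustic)",
}
RANSOMWARE_IMAGE = r"c:\perflogs\win.exe"   # payload path from the post
ENCRYPTED_EXT = ".dragonforce_encrypted"    # extension from the post
RANSOM_NOTE = "readme.txt"
NOTE_DIR_THRESHOLD = 3   # assumption: one readme.txt is normal, many across directories is not

# Constructed telemetry for the example (not real logs); one JSON object per line.
SAMPLE_EVENTS = r"""
{"host":"POS-01","event":"process","image":"C:\\Program Files\\Git\\git.exe"}
{"host":"DC-01","event":"process","image":"C:\\Users\\svc_backup\\PingCastle.exe"}
{"host":"SRV-02","event":"process","image":"C:\\Windows\\Temp\\AnyDesk.exe"}
{"host":"SRV-02","event":"process","image":"powershell.exe","cmdline":"-ep bypass -f C:\\tmp\\Get-Veeam-Creds.ps1"}
{"host":"SRV-02","event":"account_created","account":"svc_helpdesk2"}
{"host":"SRV-03","event":"process","image":"C:\\PerfLogs\\win.exe"}
{"host":"SRV-03","event":"file_rename","target":"D:\\shares\\finance\\q2.xlsx.dragonforce_encrypted"}
{"host":"SRV-03","event":"file_rename","target":"D:\\shares\\hr\\payroll.docx.dragonforce_encrypted"}
{"host":"SRV-03","event":"file_create","target":"D:\\shares\\finance\\readme.txt"}
{"host":"SRV-03","event":"file_create","target":"D:\\shares\\hr\\readme.txt"}
{"host":"SRV-03","event":"file_create","target":"D:\\shares\\it\\readme.txt"}
{"host":"WS-07","event":"file_create","target":"C:\\Users\\bob\\project\\readme.txt"}
"""


def _basename(path):
    """Last path component, lower-cased; accepts both slash styles."""
    return re.split(r"[\\/]", path)[-1].lower()


def _dirname(path):
    """Path with the last component removed, lower-cased."""
    return re.sub(r"[\\/][^\\/]*$", "", path).lower()


def scan_events(lines):
    """Return a list of (host, description) findings for indicator hits in JSON lines."""
    findings = []
    note_dirs = {}   # host -> set of directories in which a readme.txt was created
    for raw in lines:
        raw = raw.strip()
        if not raw:
            continue
        ev = json.loads(raw)
        host, kind = ev.get("host", "?"), ev.get("event")
        if kind == "process":
            image = ev.get("image", "")
            cmd = ev.get("cmdline", "").lower()
            if image.lower() == RANSOMWARE_IMAGE:
                findings.append((host, "ransomware payload launched from C:\\PerfLogs\\win.exe"))
            # Match the image name itself or a tool/script name anywhere on the command line.
            name = _basename(image)
            for tool, desc in SUSPECT_TOOLS.items():
                if name == tool or tool in cmd:
                    findings.append((host, desc))
        elif kind == "file_rename" and ev.get("target", "").lower().endswith(ENCRYPTED_EXT):
            findings.append((host, f"file renamed with {ENCRYPTED_EXT}"))
        elif kind == "file_create" and _basename(ev.get("target", "")) == RANSOM_NOTE:
            note_dirs.setdefault(host, set()).add(_dirname(ev["target"]))
        elif kind == "account_created":
            findings.append((host, f"new account {ev.get('account')!r}: check against change records"))
    # A single readme.txt is everyday noise; the same file landing in many directories is not.
    for host, dirs in note_dirs.items():
        if len(dirs) >= NOTE_DIR_THRESHOLD:
            findings.append((host, f"{RANSOM_NOTE} dropped in {len(dirs)} directories (possible ransom notes)"))
    return findings


def scan_sample():
    """Run the scanner over the constructed sample telemetry."""
    return scan_events(SAMPLE_EVENTS.splitlines())


def findings_by_host(findings):
    """Count findings per host so the most affected machines surface first."""
    return Counter(host for host, _ in findings)


if __name__ == "__main__":
    for host, desc in scan_sample():
        print(f"[{host}] {desc}")
```

Two design points: the readme.txt rule counts distinct directories per host rather than raw events, which is what separates a developer's project README from a note dropped into every share; and PingCastle is flagged rather than blocked, because the post itself recommends it as a defensive audit tool, so legitimate scheduled runs should be allow-listed by account and host rather than silenced in the rule.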

Eventually, stolen data is posted to DragonForce’s dark web leak site, in an attempt to cause lasting reputational damage, loss of intellectual property and issues with the ICO.

Building Long-Term Defences

To mitigate both initial access and post-compromise damage, retailers should:

  • Deploy EDR Across All Assets: Ensure full visibility and response capabilities across endpoints.
  • Harden Active Directory: Regularly assess AD configurations using tools like PingCastle and log domain controller activity via SIEM.
  • Enforce Strong Password Policies: Require unique passwords of 14+ characters and prohibit reuse.
  • Audit Remote Access Tools: Remove unused RMM software like TeamViewer; maintain a live inventory of where RMM tools are used.
  • Segment the Network: Separate environments for IT management, POS systems, backups, and individual sites to isolate any potential breach to a segment of the network.
  • Routine Pen Testing: Conduct regular, red-team-style penetration testing to discover and fix vulnerabilities before attackers do.
  • Implement Zero Trust: Apply zero-trust principles across vendor integrations, ensuring no automatic trust is given to internal or external users, systems, or applications.
  • CTI Monitoring: Ensure that your organisation is on the lookout for new breached credentials from info stealer malware or general leaks.
  • Backups: Ensure you regularly test your backups and make sure they are immutable.
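The CTI Monitoring and Strong Password Policy items above meet in one routine task: when a batch of stealer-log credentials surfaces, work out which of your accounts are affected and whether the exposed passwords even met policy. The following is an added example, not code from the Solace Cyber post: it triages a constructed infostealer log (the common "url|username|password" layout) against a corporate e-mail domain and login portals, flags credentials entered on a lookalike host, and records only whether each leaked password met the post's 14-character minimum, never the password itself. The domain names, hosts, accounts and log lines are constructed for this example.

```python
"""
Added example (not from the Solace Cyber post): triage a leaked-credential feed
against corporate accounts. Domain names, login hosts and the stealer-log lines are
constructed for this example; the 14-character minimum is the post's policy figure.
"""
from urllib.parse import urlparse

CORP_EMAIL_DOMAIN = "example-retail.co.uk"        # assumption
CORP_LOGIN_HOSTS = {                               # assumption
    "sso.example-retail.co.uk",
    "vpn.example-retail.co.uk",
}
MIN_PASSWORD_LENGTH = 14                           # from the post's password policy

# Constructed infostealer log (not real data): url|username|password per line.
STEALER_LOG = """
https://sso.example-retail.co.uk/login|alice@example-retail.co.uk|Summer2025!
https://mail.google.com/|alice@gmail.com|hunter2
https://vpn.example-retail.co.uk/|bob@example-retail.co.uk|CorrectHorseBatteryStaple99
https://shop.example.com/account|carol@example-retail.co.uk|Password1
https://example-retail.co.uk.evil.test/|dave@example-retail.co.uk|Winter2024!
"""


def parse_line(line):
    """Split one stealer-log line into host, user and password; None if malformed."""
    parts = line.strip().split("|", 2)
    if len(parts) != 3:
        return None
    url, user, password = parts
    return {
        "host": (urlparse(url).hostname or "").lower(),
        "user": user.strip().lower(),
        "password": password,
    }


def triage(lines):
    """Return the corporate-relevant records, one per (user, host), with a reason and policy flag."""
    hits, seen = [], set()
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        is_corp_user = rec["user"].endswith("@" + CORP_EMAIL_DOMAIN)
        if rec["host"] in CORP_LOGIN_HOSTS:
            reason = "corporate login portal credential"
        elif CORP_EMAIL_DOMAIN in rec["host"]:
            # Our name inside someone else's hostname: a phishing page mimicking our portal.
            reason = "credential entered on lookalike host (possible phishing page)"
        elif is_corp_user:
            reason = "corporate e-mail used on third-party site (reuse risk)"
        else:
            continue   # personal account on a personal site: not ours to action
        key = (rec["user"], rec["host"])
        if key in seen:
            continue
        seen.add(key)
        hits.append({
            "user": rec["user"],
            "host": rec["host"],
            "reason": reason,
            # Keep only the policy verdict; the plaintext is not carried forward.
            "weak": len(rec["password"]) < MIN_PASSWORD_LENGTH,
        })
    return hits


def reset_list(hits):
    """Sorted, de-duplicated accounts that need a forced reset and MFA re-enrolment review."""
    return sorted({h["user"] for h in hits})


if __name__ == "__main__":
    for h in triage(STEALER_LOG.splitlines()):
        print(f"{h['user']:32} {h['host']:36} weak={h['weak']}  {h['reason']}")
    print("reset:", ", ".join(reset_list(triage(STEALER_LOG.splitlines()))))
```

A corporate e-mail address leaking alongside a third-party site is still worth a reset: the post's point about prohibiting reuse is exactly that the same password tends to be entered into the corporate portal too. The lookalike-host check is deliberately simple (the corporate domain appearing inside a hostname that is not one of ours) and will need tuning against legitimate subdomains in a real environment.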

Solace Cyber, part of Solace Global, helps companies across the UK recover from ransomware attacks and data breaches.

SOLACE GLOBAL CYBER LTD is registered in England & Wales no. 08830710
