The recent cyberattacks on major UK retailers have one name in common: DragonForce. This ransomware group, linked to breaches at Marks & Spencer, Harrods, and Co-op, has quickly become a household name for all the wrong reasons. But behind the scenes, there may be another actor pulling the strings to get initial access - Scattered Spider.
In recent days, reports suggest that Scattered Spider has shifted its sights to the insurance industry, particularly targeting U.S.-based organisations such as Erie Insurance and Philadelphia Insurance. While it's not yet confirmed whether ransomware has been deployed in these cases, signs of compromise are evident. In an SEC filing by Erie Insurance says, “On June 7, 2025, Erie Indemnity Company (the "Company") identified unusual network activity, which the Company determined to be the result of an information security event. Upon learning of this activity, the Company activated its incident response protocols and took immediate action to respond to the situation to safeguard our systems.”
Despite the name, Scattered Spider is no myth. It’s a loosely connected network of primarily English-speaking cybercriminals, known for high-impact attacks such as those on MGM Resorts and Caesars Entertainment in the U.S. Formerly affiliated with the BlackCat/ALPHV ransomware strain, the group is now believed to be selling access to compromised environments to third parties like DragonForce - turning initial breaches into full-blown ransomware campaigns and potentially being affiliates.

What makes Scattered Spider particularly dangerous is their preference for social engineering over technical exploits. Their tactics include:
Vishing and Smishing: Impersonating IT personnel via phone or SMS to manipulate employees into resetting passwords or bypassing multi-factor authentication (MFA).
SIM Swapping: Trick telecom providers into transferring an employee’s phone number to a new SIM card, allowing full control of SMS-based MFA.
Credential Harvesting: Creating highly realistic phishing sites mimicking login portals, distributed via email or SMS.
Underground marketplaces: Credentials can be purchased form underground marketplaces including those from information stealer malware.
Threats and Intimidation: In some rare cases, resorting to coercion and psychological pressure to gain access.
These methods bypass many conventional technical controls. That’s why the defence must start with process and people.
To counter these evolving tactics, organisations must rethink their identity verification and incident response playbooks. Solace Cyber recommends:

Once inside, attackers from DragonForce incidents typically follow a loosely structured playbook. Key indicators include:

Eventually, stolen data is posted to DragonForce’s dark web leak site - in an attempt to cause lasting reputational damage, loss of intellectual property and issues with ICO.
To mitigate both initial access and post-compromise damage, retailers should:

Solace Cyber helps companies across the UK recover from ransomware attacks and data breaches.
Ransomware Recovery
Ransomware Groups
BEC Recovery
About Us
Blog
News
SOLACE CYBER LTD is registered in England & Wales no. 14028838

Solace Cyber
Twin Sails House,
W Quay Rd,
Poole, BH15 1JF
United Kingdom