Ransomware, Threat Intelligence

Ransomware group sets sights on US retailers after hitting UK merchants


The ransomware group that hit UK retailers Marks & Spencer, the Co-op, and Harrods over the past few weeks now aims to target retailers in the United States, according to the Google Threat Intelligence Group (GTIG).

“The U.S. retail sector is currently being targeted in ransomware and extortion operations that ‘we suspect’ are linked to UNC3944, also known as Scattered Spider,” said John Hultquist, chief analyst for GTIG. “The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. U.S. retailers should take note.”

Hultquist added that while GTIG has not "officially" attributed either the UK retail hacks or the impending U.S. activity to UNC3944, the actors that carried out the attacks in the UK are the same ones about to attack in the United States. Hultquist said they are aggressive, creative, and particularly effective at circumventing mature security programs — and have had a lot of success with social engineering and leveraging third parties to gain entry to their targets.

What if it is Scattered Spider?

Boris Cipot, senior security engineer at Black Duck, pointed out that Scattered Spider usually deploys social-engineering techniques to pressure employees into handing over credentials, much like it did in the September 2023 MGM hack. Cipot said that among their other techniques, SIM swapping and MFA fatigue attacks are common. They are also known to use legitimate remote management software such as AnyDesk or TeamViewer to avoid detection, and tend to partner with ransomware groups.

“Their usual targets are in the hospitality and telecommunication sectors; however, they have shifted towards retail, which could have, on one hand, monetary motivation, and on the other hand, a gap in deployment of cybersecurity tools and cybersecurity hygiene, which makes those targets easier to breach,” said Cipot. “The retail sector also has large amounts of highly sensitive personal data to offer, especially payment data, which is of great value for extortion or further sale. Additionally, the retail sector has complex supply chains, making it harder to deploy resilient cybersecurity strategies.”

Chad Cragle, chief information security officer at Deepwatch, added that security teams can defend against Scattered Spider and other leading ransomware groups by securing privileged accounts, implementing phishing-resistant MFA, and verifying every help-desk identity request.
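Two of the behaviours Cipot describes, MFA fatigue and the use of legitimate remote-management tools, leave traces in ordinary authentication and endpoint logs, which is where the defensive measures Cragle lists can be backed by detection. The script below is an added example written for this article; it is not code from SC Media, GTIG, Black Duck or Deepwatch. The log layout, the five-minute window and three-denial threshold, the RMM allow-list and all of the sample events are assumptions constructed for illustration.

```python
"""Detection sketch for two behaviours named in the article:
MFA push fatigue and unexpected remote-management (RMM) tools.

Added example, not from the article or any vendor quoted in it.
The event format, thresholds and allow-list are assumptions and the
sample events are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: MFA push challenges as (user, ISO timestamp, result).
MFA_EVENTS = [
    ("alice", "2025-05-14T09:00:05", "denied"),
    ("alice", "2025-05-14T09:00:40", "denied"),
    ("alice", "2025-05-14T09:01:10", "denied"),
    ("alice", "2025-05-14T09:01:55", "denied"),
    ("alice", "2025-05-14T09:02:30", "approved"),  # approved after a burst of denials
    ("bob",   "2025-05-14T09:05:00", "approved"),  # normal single-prompt login
    ("carol", "2025-05-14T11:00:00", "denied"),
    ("carol", "2025-05-14T13:00:00", "approved"),  # prompts hours apart: not fatigue
]

# Constructed sample: process starts as (host, image name, code signer).
# The binaries are legitimately signed, so a signature check alone will not
# flag them; the article's point is that the tool itself is legitimate.
PROCESS_EVENTS = [
    ("POS-REG-07",  "AnyDesk.exe",    "philandro Software GmbH"),
    ("IT-ADMIN-01", "TeamViewer.exe", "TeamViewer Germany GmbH"),
    ("HR-LAPTOP-3", "TeamViewer.exe", "TeamViewer Germany GmbH"),
    ("POS-REG-07",  "explorer.exe",   "Microsoft Windows"),
]

# Assumption: only these hosts are sanctioned to run RMM software.
RMM_ALLOWED_HOSTS = {"IT-ADMIN-01"}
RMM_BINARIES = {"anydesk.exe", "teamviewer.exe"}


def mfa_fatigue_candidates(events, window_minutes=5, min_denials=3):
    """Return users who approved a push after at least `min_denials` denied
    pushes within the preceding `window_minutes`: the signature of a user
    giving in to repeated prompts. Each user is reported at most once."""
    by_user = defaultdict(list)
    for user, ts, result in events:
        by_user[user].append((datetime.fromisoformat(ts), result))

    window = timedelta(minutes=window_minutes)
    flagged = []
    for user, evts in by_user.items():
        evts.sort()  # chronological order
        for i, (t_approved, result) in enumerate(evts):
            if result != "approved":
                continue
            # Denied prompts in the window that ends at this approval.
            denials = sum(
                1 for t, r in evts[:i]
                if r == "denied" and t_approved - t <= window
            )
            if denials >= min_denials:
                flagged.append(user)
                break
    return flagged


def unexpected_rmm(events, allowed_hosts=RMM_ALLOWED_HOSTS):
    """Return sorted (host, image) pairs where a known RMM binary started on a
    host outside the allow-list, regardless of whether it is validly signed."""
    return sorted(
        (host, image)
        for host, image, _signer in events
        if image.lower() in RMM_BINARIES and host not in allowed_hosts
    )


if __name__ == "__main__":
    for user in mfa_fatigue_candidates(MFA_EVENTS):
        print(f"MFA fatigue pattern: {user} approved after repeated denials")
    for host, image in unexpected_rmm(PROCESS_EVENTS):
        print(f"RMM tool outside allow-list: {image} on {host}")
```

In production the two lists would be fed from the identity provider's MFA log and the EDR process telemetry; the thresholds are starting points to tune against each environment's normal push volume and sanctioned RMM footprint.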

“Retailers are particularly vulnerable, as they handle large amounts of payment data, manage intricate supply chains, and operate under significant uptime pressure that often encourages ransom payments,” said Cragle. “However, organizations with valuable data and critical availability needs are equally at risk.”
