Scattered Spider group targets financial sector despite claims

Not long after Scattered Spider’s affiliates claimed they were ceasing operations, evidence emerged that the ransomware group linked to Shiny Hunters has been targeting the financial sector.

In a Sept. 15 blog post, ReliaQuest said that, along with various financial sector attacks, Scattered Spider was observed conducting a targeted intrusion against a major U.S. banking operation.

The ReliaQuest researchers said the news should remind security teams to “not be lulled into a false sense of security.”

Despite claims that they were disbanding, the researchers said Scattered Spider’s tactics, techniques and procedures (TTPs) and indicators of compromise (IOCs) are still surfacing, showing that the threat remains active and evolving.

“Staying vigilant and proactive is critical as these groups continue to adapt their methods,” wrote the researchers.

Michael Mumcuoglu, co-founder and CEO at CardinalOps, said the reemergence of Scattered Spider underscored the critical importance of identity security in today’s financial sector.

From running social-engineering schemes on executives to exploiting Azure AD self-service password resets, escalating privileges, and targeting cloud data platforms like Snowflake and AWS, Mumcuoglu said Scattered Spider’s tactics demonstrate how attackers now blend social manipulation with cloud and infrastructure abuse.

“For financial organizations, it’s clear that traditional perimeter defenses are no longer enough,” said Mumcuoglu. “Security teams must continuously monitor for suspicious password reset flows, privilege escalations such as unexpected Global Admin assignments, and anomalous activity in VPN, Citrix, VMware, and backup service accounts.”

The Lookout Threat Intelligence team added that Scattered Spider has been making the rounds through targeted sectors over the last few months: they started with retail, then moved on to insurance, and most recently aviation.

“Considering the success they’ve had across those industries, it’s no surprise that they’re now going after financial services,” said the Lookout team. “In fact, it’s possible that their success across those other industries gave them the confidence to go after one that typically has more focus on security because of strict regulations, compliance, and sensitivity of the data they possess.”
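The monitoring Mumcuoglu describes above, flagging unexpected Global Admin assignments and tying them to recent password resets, can be sketched as a small correlation rule. This is an added example, not code from ReliaQuest, CardinalOps or SC Media. The record field names, the 24-hour window, the approved-assigner allowlist and the sample events are all assumptions constructed for illustration.

```python
from datetime import datetime, timedelta

RESET_WINDOW = timedelta(hours=24)              # assumed correlation window
APPROVED_ASSIGNERS = {"iam-admin@example.com"}  # hypothetical allowlist
WATCHED_ROLE = "Global Administrator"

# Constructed, simplified audit records. Field names are hypothetical and
# must be mapped to whatever your identity provider's audit log exports.
SAMPLE_EVENTS = [
    {"time": "2025-09-10T08:02:00", "action": "self_service_password_reset",
     "actor": "cfo@example.com", "target": "cfo@example.com"},
    {"time": "2025-09-10T08:40:00", "action": "role_assignment", "role": WATCHED_ROLE,
     "actor": "cfo@example.com", "target": "svc-backup@example.com"},
    {"time": "2025-09-10T09:15:00", "action": "role_assignment", "role": WATCHED_ROLE,
     "actor": "iam-admin@example.com", "target": "new-admin@example.com"},
    {"time": "2025-09-11T10:00:00", "action": "self_service_password_reset",
     "actor": "analyst@example.com", "target": "analyst@example.com"},
    {"time": "2025-09-12T11:00:00", "action": "role_assignment", "role": WATCHED_ROLE,
     "actor": "helpdesk@example.com", "target": "temp@example.com"},
]

def find_suspicious_admin_grants(events):
    """Flag watched-role grants that follow a recent password reset of the
    granting or receiving account, or that come from an unapproved account."""
    last_reset = {}  # account -> time of its most recent reset seen so far
    findings = []
    # ISO 8601 timestamps in one timezone sort correctly as strings.
    for ev in sorted(events, key=lambda e: e["time"]):
        when = datetime.fromisoformat(ev["time"])
        if ev["action"] == "self_service_password_reset":
            last_reset[ev["target"]] = when
        elif ev["action"] == "role_assignment" and ev.get("role") == WATCHED_ROLE:
            recent = [a for a in sorted({ev["actor"], ev["target"]})
                      if a in last_reset and when - last_reset[a] <= RESET_WINDOW]
            if recent:
                reason = "grant follows password reset of " + ", ".join(recent)
                findings.append(("high", ev["time"], ev["actor"], ev["target"], reason))
            elif ev["actor"] not in APPROVED_ASSIGNERS:
                reason = "grant by account outside the approved list"
                findings.append(("medium", ev["time"], ev["actor"], ev["target"], reason))
    return findings

if __name__ == "__main__":
    for finding in find_suspicious_admin_grants(SAMPLE_EVENTS):
        print(finding)
```

The grant from the approved account with no preceding reset produces no finding, which keeps the rule quiet during routine administration.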
