The Scattered Spider ransomware group has reduced its breakout time to the point that, in one 2025 incident, the threat actor moved from initial access to encryption in 24 hours, according to a new report from CrowdStrike.

The company said the reduction in breakout time to 24 hours was down from 35 hours in 2024, pointing out that the threat actor now bypasses malware entirely, vishing help desks, hijacking MFA and pivoting laterally across SaaS and cloud environments.

“Scattered Spider excels at using identity compromise to pivot between multiple surfaces in a network, evading targeted organizations’ heavily monitored endpoints,” wrote the CrowdStrike researchers. “This includes performing bulk exports of Microsoft Entra ID data, obtaining credentials from privileged access management applications, and even performing help desk social engineering calls during the intrusion to gain access to accounts with higher privileges.”

Nic Adams, co-founder and CEO at 0rcus, added that Scattered Spider's identity-driven playbook pivots from malware-centric attacks to a reliance on social engineering and legitimate credentials. Adams said they now bypass malware entirely, using vishing to manipulate help desks, hijack multi-factor authentication (MFA) tokens, and then exploit the inherent trust in SaaS and cloud environments to achieve lateral movement, drastically accelerating their operational tempo.

“The reduction of breakout time to 24 hours signifies a critical shift in adversary capability, reflecting a mastery of living-off-the-land techniques and a deep understanding of organizational trust boundaries,” said Adams. “This new reality mandates that defenders transition from a perimeter-focused strategy to one of continuous identity and behavioral monitoring, as the window for detection and response has narrowed to a single business day.”

Adams added that bypassing malware has become a more effective and difficult-to-detect attack vector because it leverages trusted identities and legitimate tools, making the activity blend in with normal network traffic. He said this approach sidesteps traditional endpoint security tools focused on malware signatures and file hashes, instead requiring security teams to have deep visibility into user behavior and identity-based access controls to spot anomalous activity.

“To keep pace with adversaries like Scattered Spider, security teams must evolve their defense posture by prioritizing identity protection and behavioral analytics over traditional malware-centric security,” said Adams. “This involves implementing robust identity governance, securing the entire authentication lifecycle, and leveraging threat intelligence to proactively model and defend against these social engineering-based tactics.”
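The defensive shift Adams describes, from file-hash signatures to correlating identity events, can be illustrated with a small detection chain. The following is an added example, not code from CrowdStrike, 0rcus or the report: it runs over constructed audit events (the action names `mfa_method_reset`, `sign_in` and `bulk_user_export` and all sample values are invented for illustration, not a real Entra ID log schema) and flags a user when a help-desk-performed MFA reset is followed, within the 24-hour window the report cites, by a sign-in from a never-before-seen device and then a bulk directory export.

```python
"""Toy correlation of identity events for the pattern described in the
report: help-desk MFA reset -> sign-in from a new device -> bulk directory
export, all inside one window. Event names and sample rows are constructed
for this example and do not reflect any real product's log format."""
from datetime import datetime, timedelta

WINDOW = timedelta(hours=24)  # breakout window cited in the report

# Constructed sample events: (ISO timestamp, actor, target, action, device_id)
SAMPLE_EVENTS = [
    ("2025-02-20T08:00:00", "alice", "alice", "sign_in", "dev-alice-laptop"),
    ("2025-03-01T09:00:00", "helpdesk_ops", "alice", "mfa_method_reset", None),
    ("2025-03-01T09:12:00", "alice", "alice", "sign_in", "dev-unknown-77"),
    ("2025-03-01T09:30:00", "alice", "directory", "bulk_user_export", "dev-unknown-77"),
    ("2025-03-01T10:00:00", "bob", "bob", "sign_in", "dev-bob-laptop"),
]


def parse(events):
    """Turn raw tuples into dicts and order them by time."""
    return sorted(
        (
            {"ts": datetime.fromisoformat(ts), "actor": actor,
             "target": target, "action": action, "device": device}
            for ts, actor, target, action, device in events
        ),
        key=lambda e: e["ts"],
    )


def detect_identity_chains(events, window=WINDOW):
    """Return {user: [stages hit]} for users whose events complete the chain.

    Device baselines are built from sign-ins seen before the reset, so a
    device that was already in use for the account does not count as new.
    """
    known_devices = {}  # user -> set of device ids seen on sign-ins so far
    resets = {}         # user -> timestamp of the last help-desk MFA reset
    chains = {}         # user -> list of chain stages observed so far

    for e in parse(events):
        user = e["target"]
        if e["action"] == "mfa_method_reset" and e["actor"] != user:
            # Reset performed by someone other than the account owner
            resets[user] = e["ts"]
            chains[user] = ["mfa_method_reset"]
            continue

        if e["action"] == "sign_in":
            seen = known_devices.setdefault(user, set())
            t0 = resets.get(user)
            if (t0 is not None and e["ts"] - t0 <= window
                    and e["device"] not in seen
                    and "new_device_sign_in" not in chains[user]):
                chains[user].append("new_device_sign_in")
            seen.add(e["device"])  # update baseline after the check
            continue

        if e["action"] == "bulk_user_export":
            actor = e["actor"]
            t0 = resets.get(actor)
            stages = chains.get(actor, [])
            if (t0 is not None and e["ts"] - t0 <= window
                    and "new_device_sign_in" in stages
                    and "bulk_user_export" not in stages):
                stages.append("bulk_user_export")

    return {u: s for u, s in chains.items() if "bulk_user_export" in s}


if __name__ == "__main__":
    for user, stages in detect_identity_chains(SAMPLE_EVENTS).items():
        print(f"ALERT {user}: {' -> '.join(stages)}")
```

None of the three events is suspicious on its own, which is the point Adams makes: each one is a legitimate action performed with valid credentials, and only the sequence, scored against a per-account device baseline, separates the intrusion from normal help-desk traffic.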

Shane Barney, chief information security officer at Keeper Security, said that identity today is not just a set of static credentials, but a dynamic and continuously evolving attack surface. Barney said threat actors like Scattered Spider are exploiting trusted processes, like help desk interactions and credential resets, to gain access and move quickly within networks, often without triggering traditional alerts.

“This shift requires organizations to rethink how they verify and monitor access,” said Barney. “Relying solely on reactive detection is no longer sufficient. Instead, security teams must adopt real-time, AI-driven monitoring that analyzes privileged sessions continuously.”

Along with the analysis of Scattered Spider, the CrowdStrike report also pointed out that as U.S. law enforcement cracked down, North Korean operators moved their "laptop farms" overseas, exploiting remote hiring pipelines in Romania and Poland, blending in with legitimate developer talent, and funneling salaries back to fund the regime.

“Adversaries are evolving faster than the security stack, reshaping the rules of identity protection and forcing enterprises to rethink hiring, remote access, and insider risk,” wrote the CrowdStrike researchers.