Tackling the Biggest Retail Cybercriminal Threats: Scattered Spider and Beyond

Retail Online Training



Organized crime groups pose a significant threat to the retail sector by exploiting system vulnerabilities to gain access to sensitive customer information and disrupt business operations. These groups engage in a variety of illicit activities, including ransomware attacks, data breaches, and payment card fraud, all aimed at financial gain. The rise of malware-as-a-service (MaaS) platforms has further exacerbated this threat, enabling even less technically skilled criminals to launch sophisticated attacks with relative ease. Retailers hold vast amounts of sensitive data that can be leveraged for extortion: customer payment information, personally identifiable information (PII), purchase history, loyalty program data, employee information, business financial data, supply chain information, and operational data.

Stealware (infostealer malware) harvests user session data, including passwords and the session cookies or tokens issued after multifactor authentication (MFA), which can then be replayed in attacks. Stealware is commonly deployed via phishing, malvertising, or embedded within specially crafted websites designed to mimic sites commonly used by retail organizations. Investigations and dark web monitoring have identified that retail organizations are being targeted with stealware. This is likely because large numbers of staff, customers, and affiliates log in to official retail accounts on a regular basis, so a victim's browser session holds a rich set of credential material.

When combined with privilege escalation vulnerabilities, attackers holding stolen credentials almost certainly pose a significant threat to the retail sector and can lead to severe compromise. For example, Lumma Stealer, a low-cost MaaS, was identified as the most active stealer in circulation last year, accounting for 59 percent of session data sales, with each session selling for approximately $10.

Retail organizations are advised to obtain dark web visibility to identify leaked credentials before threat actors can use them. Additionally, organizations should review the conditional access policies of all domains and ensure that credential and MFA input is required no later than every three days. This interval is based on the typical timeline between the theft of a session, its sale, and its use by the purchasing threat actor.
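The three-day re-authentication ceiling above is a checkable setting. The script below, an added example rather than code from the original article, audits a list of Entra ID Conditional Access policies (dicts in the shape Microsoft Graph returns from GET /identity/conditionalAccess/policies) for policies that are not enforced, have no sign-in frequency, allow re-authentication intervals longer than 72 hours, or permit persistent browser sessions, and shows the weak setting beside the corrected one. The sample policies and the group name in them are constructed placeholders, not real tenant output.

```python
"""Audit Conditional Access policies for the session re-authentication ceiling
recommended above (credentials and MFA at least every three days).

Added example, not code from the original article. Policies are dicts in the
shape Microsoft Graph returns for conditionalAccessPolicy objects; the
SAMPLE_POLICIES below are constructed, and the group name is a placeholder.
"""
from __future__ import annotations

MAX_REAUTH_HOURS = 72  # the article's "no later than every three days"

# Corrected session controls: bounded sign-in frequency, no persistent browser
# sessions (a stolen cookie should not outlive the browser process).
RECOMMENDED_SESSION_CONTROLS = {
    "signInFrequency": {"isEnabled": True, "type": "days", "value": 3,
                        "frequencyInterval": "timeBased"},
    "persistentBrowser": {"isEnabled": True, "mode": "never"},
}

# Constructed sample policies. The first carries the weak setting
# (90-day sign-in frequency plus "always" persistent browser).
SAMPLE_POLICIES = [
    {"displayName": "Baseline - all users", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "sessionControls": {
         "signInFrequency": {"isEnabled": True, "type": "days", "value": 90,
                             "frequencyInterval": "timeBased"},
         "persistentBrowser": {"isEnabled": True, "mode": "always"}}},
    {"displayName": "Admins - reauth every 12h", "state": "enabled",
     "conditions": {"users": {"includeGroups": ["sg-privileged-admins"]},  # placeholder
                    "applications": {"includeApplications": ["All"]}},
     "sessionControls": {
         "signInFrequency": {"isEnabled": True, "type": "hours", "value": 12,
                             "frequencyInterval": "timeBased"},
         "persistentBrowser": {"isEnabled": True, "mode": "never"}}},
    {"displayName": "Report-only - daily reauth",
     "state": "enabledForReportingButNotEnforced",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "sessionControls": {
         "signInFrequency": {"isEnabled": True, "type": "days", "value": 1,
                             "frequencyInterval": "timeBased"}}},
    {"displayName": "Legacy - no session controls", "state": "enabled",
     "conditions": {"users": {"includeUsers": ["All"]},
                    "applications": {"includeApplications": ["All"]}},
     "sessionControls": None},
]


def sign_in_frequency_hours(policy: dict) -> int | None:
    """Enforced re-authentication interval in hours, 0 for 'every time',
    or None when no sign-in frequency is enabled."""
    controls = policy.get("sessionControls") or {}
    sif = controls.get("signInFrequency") or {}
    if not sif.get("isEnabled"):
        return None
    if sif.get("frequencyInterval") == "everyTime":
        return 0
    value = sif.get("value")
    if value is None:
        return None
    return value * 24 if sif.get("type") == "days" else value


def audit_policies(policies: list[dict], max_hours: int = MAX_REAUTH_HOURS) -> list[str]:
    """One finding string per weakness; an empty list means compliant."""
    findings = []
    for policy in policies:
        name = policy["displayName"]
        if policy.get("state") != "enabled":
            findings.append(f"{name}: state={policy.get('state')!r}, not enforced")
            continue
        hours = sign_in_frequency_hours(policy)
        if hours is None:
            findings.append(f"{name}: no sign-in frequency; a stolen session "
                            f"stays valid until the token itself expires")
        elif hours > max_hours:
            findings.append(f"{name}: re-auth every {hours}h exceeds the "
                            f"{max_hours}h ceiling")
        browser = (policy.get("sessionControls") or {}).get("persistentBrowser") or {}
        if browser.get("isEnabled") and browser.get("mode") == "always":
            findings.append(f"{name}: persistent browser sessions allowed, so a "
                            f"stolen cookie survives browser restarts")
    return findings


def with_recommended_controls(policy: dict) -> dict:
    """Copy of a policy with its session controls replaced by the corrected set."""
    return {**policy, "sessionControls": RECOMMENDED_SESSION_CONTROLS}


if __name__ == "__main__":
    for line in audit_policies(SAMPLE_POLICIES):
        print("FINDING:", line)
    print("after fix:", audit_policies([with_recommended_controls(SAMPLE_POLICIES[0])]))
```

A bounded sign-in frequency only shortens the window in which a stolen session can be replayed; it does not stop the replay inside that window. Requiring a compliant or managed device in the same policy's grant controls narrows the window further, because a session cookie replayed from an attacker's machine then fails the device check.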

Scattered Spider is a financially motivated cybercriminal group that emerged around 2022, comprising mostly native English speakers, some as young as 16, operating mainly from the UK and the U.S. This decentralized but well-organized network collaborates in real time via online forums and chat platforms, sharing tactics and strategies. Initially known for social engineering attacks to steal credentials, Scattered Spider now engages in aggressive extortion and ransomware deployment, targeting the retail sector's customer data and payment systems. Its primary aim is financial gain through extortion, focusing on stealing sensitive information for identity theft or sale on dark web marketplaces. Members often seek notoriety, boasting about their exploits in criminal forums. Their advanced social engineering, data theft, and disruptive attacks on large enterprises make them a significant threat and complicate law enforcement efforts to dismantle their operations. Scattered Spider ransomware infection chains have been observed to start with exploitation of vulnerabilities on unpatched systems for initial access.

Once in, Scattered Spider aggressively maintains access. It often registers attacker-controlled devices as MFA methods on victim accounts, and uses SIM swapping to receive SMS-based codes, so that it can persist in MFA-protected environments. The actors create new user accounts or cloud instances in victim infrastructure to establish redundant backdoors. Notably, it deploys numerous legitimate remote monitoring and management (RMM) tools in the network, often installing five or more different RMM tools so that even if one is discovered and removed, others remain as fallback access points. The final stage of the attack chain is execution of the ransomware, which encrypts files before dropping a ransom note.
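The multiple-RMM-tool pattern above is visible in ordinary software inventory data if anyone looks for it. The script below is an added example, not code from the original article or from any vendor: it takes a constructed software-inventory export (host, product, install date, installing account), maps product names to a watchlist of RMM tools, and flags any host that carries a tool outside the organization's sanctioned set or more than one RMM tool at all, reporting which accounts installed them. The watchlist is illustrative, the hostnames and accounts are placeholders, and the single sanctioned tool is an assumption about the organization rather than something the article states.

```python
"""Flag hosts where more than one remote monitoring and management (RMM) tool,
or any unsanctioned one, has appeared: the fallback-access pattern above.

Added example, not code from the original article. INVENTORY is a constructed
software-inventory export; the watchlist is illustrative and the sanctioned
tool is an assumption about the organization.
"""
from __future__ import annotations

import csv
import io
from collections import defaultdict

# Product-name fragments (lower-case) mapped to a canonical tool name.
# Illustrative; extend from your own inventory and the tools you see in alerts.
RMM_SIGNATURES = {
    "screenconnect": "ScreenConnect",
    "connectwise control": "ScreenConnect",
    "anydesk": "AnyDesk",
    "teamviewer": "TeamViewer",
    "splashtop": "Splashtop",
    "pulseway": "Pulseway",
    "fleetdeck": "FleetDeck",
    "tactical rmm": "Tactical RMM",
}

SANCTIONED_RMM = {"ScreenConnect"}  # assumption: the one tool IT actually uses

# Constructed inventory export; hostnames and accounts are placeholders.
INVENTORY = """\
host,product,installed_on,installed_by
POS-LON-14,Microsoft Edge,2025-01-10,SYSTEM
POS-LON-14,ScreenConnect Client (corp),2025-01-10,SYSTEM
DC01,ScreenConnect Client (corp),2025-01-10,SYSTEM
DC01,AnyDesk,2025-04-21,helpdesk_tmp
DC01,TeamViewer,2025-04-21,helpdesk_tmp
DC01,Splashtop Streamer,2025-04-22,helpdesk_tmp
WKS-MCR-07,Google Chrome,2025-02-02,SYSTEM
WKS-MCR-07,Pulseway,2025-04-23,j.smith
"""


def canonical_rmm(product: str) -> str | None:
    """Map a product name to a watchlisted RMM tool, or None if it is not one."""
    lowered = product.lower()
    for needle, name in RMM_SIGNATURES.items():
        if needle in lowered:
            return name
    return None


def parse_inventory(text: str) -> list[dict]:
    """Parse the CSV export into one dict per row."""
    return list(csv.DictReader(io.StringIO(text)))


def rmm_by_host(rows: list[dict]) -> dict[str, dict[str, set[str]]]:
    """host -> {tool -> accounts that installed it}, ignoring non-RMM software."""
    result: dict[str, dict[str, set[str]]] = defaultdict(lambda: defaultdict(set))
    for row in rows:
        tool = canonical_rmm(row["product"])
        if tool:
            result[row["host"]][tool].add(row["installed_by"])
    return result


def find_rmm_sprawl(rows: list[dict], sanctioned: set[str] = SANCTIONED_RMM,
                    max_tools: int = 1) -> list[dict]:
    """One finding per host with an unsanctioned tool or more than max_tools."""
    findings = []
    for host, tools in sorted(rmm_by_host(rows).items()):
        unsanctioned = sorted(set(tools) - sanctioned)
        if unsanctioned or len(tools) > max_tools:
            installers = sorted({acct for t in unsanctioned for acct in tools[t]})
            findings.append({"host": host, "tools": sorted(tools),
                             "unsanctioned": unsanctioned,
                             "installed_by": installers})
    return findings


if __name__ == "__main__":
    for finding in find_rmm_sprawl(parse_inventory(INVENTORY)):
        print(finding)
```

The installing account is worth carrying into the finding: in the sample, the three unsanctioned tools on DC01 were all installed by the same account, which is exactly the newly created backdoor account the paragraph describes, and that account becomes the next pivot for the investigation.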

Scattered Spider is assessed as a highly capable and persistent threat actor that will almost certainly continue its operations into the foreseeable future. The collective's proven success in breaching large enterprises and the financially lucrative outcomes (ransoms paid, data sold) provide a strong incentive for it to keep attacking. Despite several law enforcement actions and arrests in late 2023 and 2024, the group's decentralized makeup has enabled it to remain active; new members fill gaps and tactics are adjusted swiftly.

The risk to organizations from Scattered Spider is therefore severe. This group has demonstrated the intent and ability to cause major disruption. Given its focus on disruption for extortion, any company with a large consumer-facing or critical service component (where downtime is devastating) should consider the threat level to be high. Current intelligence suggests the retail sector is especially at risk in the near term. The successful attack on British multinational retailer Marks & Spencer (M&S) in 2025 may embolden Scattered Spider to target other prominent retailers. These organizations have vast customer databases and rely on constant uptime for sales, making them prime extortion targets. In summary, Scattered Spider is considered one of the most dangerous and active hacking groups currently monitored on the global stage.

Scattered Spider attacks frequently use exploited vulnerabilities, leaked credentials, and social engineering of helpdesks as initial access vectors. To strengthen defenses against such threats, the following security measures are strongly recommended:

  • Patching Policy: Maintain a robust, intelligence-led patching policy that prioritizes vulnerabilities under active exploitation or those with a published proof of exploit.
  • Credential Monitoring: Invest in dark web credential monitoring solutions to detect leaked credentials before they can be used in attacks. In 2024, 29 percent of ransomware attacks were likely initiated through compromised credentials.
  • MFA: Implement MFA across all sensitive environments to add an extra layer of security, preferring phishing-resistant methods (such as FIDO2 security keys) over SMS codes, which the SIM-swapping described above is designed to defeat.
  • Least Privilege Principle: Apply the principle of least privilege to restrict credential access.
  • Security Awareness: Conduct regular security awareness campaigns and phishing training to counter social engineering tactics.
  • Credential Reset Protocol: Ensure requests for credential or MFA resets, especially for admin users, undergo additional scrutiny by involving line management before issuance.

In alignment with Cybersecurity & Infrastructure Security Agency (CISA) guidance, organizations should also implement the following strategies to mitigate the threat of Scattered Spider and potential ransomware compromises:

  • Offline Backups: Maintain offline, encrypted backups of critical data to safeguard against data loss.
  • Zero-Trust Architecture: Implement a zero-trust architecture to prevent unauthorized access to data and services.

By implementing these measures, organizations can significantly bolster their defenses against Scattered Spider and similar cyber threats.

Scattered Spider remains a formidable threat to the retail sector, leveraging a blend of social engineering and technical prowess to achieve its objectives. Its decentralized structure and collaborative approach with other cybercriminal entities make it a resilient adversary. Retailers must remain vigilant, adopting comprehensive cybersecurity measures and fostering a culture of awareness to mitigate the risks posed by this group.

Nabeil Samara is a seasoned senior consultant at Quorum Cyber, specializing in security managed services for financial services, private equity, retail, and hospitality clients. 