Scattered Spider, BlackCat claw their way back from criminal underground

Two high-profile criminal gangs, Scattered Spider and BlackCat/ALPHV, seemed to disappear into the darkness like their namesakes following a series of splashy digital heists last year, after which there were arrests and website seizures.

Over the last couple months, however, both have reemerged – with new reported intrusions and a possible rebrand.

In October, security firm ReliaQuest responded to a digital break-in at a manufacturing firm that it attributed with “high confidence” to Scattered Spider.

This indicates that, despite law enforcement’s best efforts – including arresting a 22-year-old Brit suspected to be the gang’s kingpin in June and a 19-year-old Florida man in January – the loose-knit group of teens and early-20s males hasn’t gone away.

The manufacturing-sector intrusion began with two social engineering attacks on the victim’s help desk. Social engineering has been the gang’s preferred method of entry – and one that has paid off for this group of native English speakers behind the massive SIM-swapping attack against Okta and the Las Vegas casino digital heists last year.

Within six hours of calling the help desk, the miscreants began encrypting the organization’s systems, we’re told. 

New encryptor, who dat?

This time, however, they used a RansomHub encryptor to lock the environment. That’s notable because the group previously was an affiliate for the BlackCat/ALPHV crew. That group also scattered after collecting a $22 million ransom from the Change Healthcare attack and pulling an exit scam.

“This event demonstrates that despite arrests this year, members of The Com are still actively targeting organizations,” Hayden Evans, cyber threat intelligence analyst at ReliaQuest, told The Register.

Scattered Spider is believed to be part of a larger cyber criminal community dubbed “The Com.” 

“This persistence is likely due to the group’s decentralized nature and indicates that these attacks will continue to take advantage of vulnerable organizations unless significant law enforcement disruption occurs,” Evans continued, adding that orgs should implement “stringent” help desk policies and technical controls to protect against Scattered Spider attacks. 

In addition to using RansomHub malware instead of BlackCat, the gang has adopted other new tactics that defenders need to be aware of.

“A lot of the social engineering for initial access and SharePoint discovery events have been associated with the group in the past,” Evans noted. “But some of the newer events involve a greater degree of defensive evasion and a new Microsoft Teams method which hasn’t been seen before.”

Scattered Spider used both of these in the attack that ReliaQuest responded to last month.

First, the gang used the organization’s ESXi environment to create a virtual machine and maintain persistence, move laterally through the environment, dump credentials and steal data. It also disguised the criminals’ activity and hid the attack until after they’d locked up the victim’s systems.

Then, they demanded a ransom via a Microsoft Teams message.

Seeking: English-speaking callers

Scattered Spider – and other groups that increasingly use social engineering tactics – are progressively looking to hire native English speakers for specialized “caller” jobs, according to Lookout VP David Richardson.

During an attack, “a caller may be hanging out on a screen-share with someone who might be somewhere else, and while the caller is executing the IT help-desk script to extract credentials the more tech-savvy individual in the criminal operation is stealing and encrypting the victim’s data,” Richardson told The Register.

In one incident that his team responded to, Richardson said an employee received a phone call shortly after seeing a text message alerting them of unauthorized activity on a company account (this wasn’t true) and saying their account had been locked (also not true).

After a 30-minute phone call during which the employee didn’t fall for the social engineering attack, the criminal “congratulated” the employee on passing a “social engineering test,” in the hopes that the employee wouldn’t even think to report the suspicious activity.

Attackers don’t hack in, they log in

“Most of these campaigns are starting through SMS blasts to groups and phone calls,” Richardson noted. “They’re going after employees’ mobile devices to launch these attacks, to get in the door.”

And they still adhere to the old classic – they are logging in, not breaking in.

“The main takeaway for defenders is the ongoing sentiment: Attackers don’t hack in, they log in,” Evans said. “Essentially, attackers aim for the path of least resistance that has a higher chance of success – such as by obtaining credentials through info-stealer logs or, as in this case, by targeting the help desk to reset credentials and bypass MFA.”

Richardson echoed this, and also noted that most of Scattered Spider’s affiliates log in through legitimate means.

“People need to know that these kinds of attacks are happening and that just because an American calls you up, or you receive a text message, does not mean that this thing is legitimate,” he told The Register. “As a good employee, you should confirm this through multiple channels.”

Richardson suggests reaching out to the person initiating the communication via an internal chat tool and looking them up on your company’s org chart to make sure they do exist. 

BlackCat’s 9 lives

In December 2023, an FBI-led operation seized BlackCat/ALPHV’s website – shutting down the gang’s dark web presence – and released a decryptor tool.

This famously didn’t stop the criminals from roaring back into action a few months later with the Change Healthcare ransomware infection, which crippled American pharmacies and compromised about 100 million people’s sensitive information – making it the largest healthcare data breach in US history.

And after parent company UnitedHealth’s CEO made the difficult decision to pay the extortionists, BlackCat disappeared.

Dark-web chatter over subsequent months has suggested that some affiliates joined RansomHub.

Then in September researchers began noting “striking similarities” between BlackCat and Cicada3301 ransomware, which has claimed at least 39 victims since it was spotted in June.

In addition to being written in Rust, like BlackCat, Cicada’s malware shared many other similarities with the other data-encrypting and deleting code, which were detailed by Israeli endpoint security outfit Morphisec.

Last month, threat hunters at Group-IB revealed that they had successfully infiltrated the Cicada3301 ransomware affiliate panel. The ransomware crew primarily attacks companies in the US and UK, and has published stolen data from 24 of these between June and October. 

In their deep dive into the group’s inner workings and ransomware variants, they also saw connections between BlackCat and Cicada, according to Sharmine Low, a Group-IB malware analyst.

“These two software programs exhibit significant similarities,” Low told The Register. “Notably, they use identical commands for inhibiting system recovery, shutting down virtual machines and killing processes for smoother execution. Additionally, both include a legitimate PsExec executable embedded within the Windows variant, while their naming conventions differ by only one word. Cicada3301 uses RECOVER-[encrypted_extension]-DATA.txt while BlackCat uses RECOVER-[encrypted_extension]-FILES.txt.”
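The one concrete, file-level indicator in Low’s description is the ransom note naming convention: both families drop a note named RECOVER-[encrypted_extension]-<word>.txt, differing only in the trailing word. The following is an added example, not code from The Register, Group-IB, or either malware family, showing how a defender might turn that convention into a check over a directory listing: it parses the note name, infers which family it belongs to, extracts the appended extension, and counts sibling files carrying that extension to corroborate the hit. The file paths are constructed for illustration, and the assumption that the encrypted extension is alphanumeric is mine.

```python
import re
from collections import defaultdict

# Ransom note filename patterns as quoted by Group-IB for the two families:
#   Cicada3301: RECOVER-[encrypted_extension]-DATA.txt
#   BlackCat:   RECOVER-[encrypted_extension]-FILES.txt
# The trailing word decides the family; the middle token is the extension the
# encryptor appended to victim files. Assumption (mine): that token is alphanumeric.
NOTE_RE = re.compile(
    r"^RECOVER-(?P<ext>[A-Za-z0-9_]+)-(?P<kind>DATA|FILES)\.txt$", re.IGNORECASE
)

FAMILY_BY_KIND = {"DATA": "Cicada3301", "FILES": "BlackCat/ALPHV"}


def classify_note(filename):
    """Return (family, encrypted_extension) for a ransom note name, else None."""
    m = NOTE_RE.match(filename)
    if not m:
        return None
    return FAMILY_BY_KIND[m.group("kind").upper()], m.group("ext")


def scan_listing(paths):
    """Scan a flat list of forward-slash file paths and return findings.

    For every ransom note found, count the sibling files in the same directory
    that end in the note's encrypted extension. A note with zero matching
    siblings is a weaker signal (possibly a stray or copied text file).
    """
    by_dir = defaultdict(list)
    for p in paths:
        directory, _, name = p.rpartition("/")
        by_dir[directory].append(name)

    findings = []
    for directory, names in by_dir.items():
        for name in names:
            hit = classify_note(name)
            if hit is None:
                continue
            family, ext = hit
            suffix = "." + ext.lower()
            encrypted = [n for n in names if n != name and n.lower().endswith(suffix)]
            findings.append(
                {
                    "dir": directory,
                    "note": name,
                    "family": family,
                    "extension": ext,
                    "encrypted_files": len(encrypted),
                }
            )
    return findings


# Constructed sample listing; not taken from any real incident.
SAMPLE_PATHS = [
    "C:/Users/alice/Documents/report.docx.q1x9z",
    "C:/Users/alice/Documents/budget.xlsx.q1x9z",
    "C:/Users/alice/Documents/RECOVER-q1x9z-DATA.txt",
    "D:/share/RECOVER-ab12cd-FILES.txt",
    "D:/share/notes.txt",
    "D:/share/photo.jpg.ab12cd",
    "E:/RECOVER-x-notes.txt",  # matches neither convention; ignored
]

if __name__ == "__main__":
    for finding in scan_listing(SAMPLE_PATHS):
        print(finding)
```

The family label is only a hint: Low’s point is that the two code bases are near-identical, so a hit on either name warrants the same response, and the extension-sibling count is what tells a responder whether encryption had actually started in that directory.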

At the time of writing, Cicada had posted new victims on its leak site as recently as October 24.

‘You can’t let your guard down’

“The main thing is: you can’t let your guard down,” ExtraHop senior technical manager Jamie Moles told The Register. “The simple fact of the matter is that ransomware gangs have been with us for a while now, and the big issue that we have is that technology and geography have made their life easy and have offered them a huge amount of protection.”

Specifically, he pointed to the rise of cryptocurrency, which, by its decentralized and distributed nature, makes it much easier for criminal groups to hide the money trail and more difficult for law enforcement to track.

Plus, Moles added, “the geography part of it is that most of the ransomware operators who are a big deal in the industry operate out of what you might call a modern day Axis of Evil – which is North Korea, China and Russia/Ukraine.”

He warned: “Anybody who’s a potential target” should take note of these ransomware gangs’ resurgence along with the newer, emerging groups.

The first question that companies should ask themselves when it comes to protecting their IT environments is: “How would you protect yourself if you had an unlimited budget,” Moles suggested. “Start there, and then work your way down to where your actual budget sits.”

It’s worth noting that most breaches begin via email – Moles put the percentage at between 95 and 98. “So you’ve got to have the best email filtering possible,” he opined.

“You also want to have the best training for your users to make sure they understand the threats and the risks,” Moles noted, adding that other vital pieces include endpoint security, to give orgs a chance of catching malicious code running on the endpoints, along with network traffic monitoring to hunt for any suspicious activity on the network.

“These ransomware operators – whether it’s Scattered Spider through RansomHub or this new Cicada ransomware group – are inherently opportunistic,” Evans observed. “A large majority of the time the tactics of these groups overlap. It’s super important for defenders to identify these common TTPs and common tools of these groups and have detection, mitigations in place.” ®