Retailers in the United States are now coming under attack from Scattered Spider, the English-speaking hacking collective that is suspected of being behind a series of DragonForce ransomware attacks on high street stores Marks & Spencer (M&S) and Co-op, according to Google’s Threat Intelligence Group (GTIG).

GTIG and its cohorts at Google Cloud’s Mandiant threat intel unit said the cyber attacks are still under investigation, and for reasons of privacy the researchers have not yet named any victims in the US. The team also held back from providing any formal attribution at this time.

“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” GTIG chief analyst John Hultquist told Computer Weekly via email this afternoon.

“The actor, which has reportedly targeted retail in the UK following a long hiatus, has a history of focusing their efforts on a single sector at a time, and we anticipate they will continue to target the sector in the near term. US retailers should take note,” said Hultquist.

Hultquist described Scattered Spider as aggressive, creative, and highly adept at circumventing even the most mature security programmes and defences.

“They have had a lot of success with social engineering and leveraging third parties to gain entry to their targets. Mandiant has provided a hardening guide based on our experience with more details on their tactics and steps organisations can take to defend themselves,” said Hultquist.