Sergey Nivens - stock.adobe.com

News

NCC: How RaaS team-ups help Scattered Spider enhance its attacks

Scattered Spider’s alliances with ransomware-as-a-service gangs act as a force multiplier for the scope, and number, of its cyber attacks, according to NCC Group analysts

Alex Scroxton
By
Published: 17 Sep 2025 9:30

The notorious Scattered Spider hacking collective behind cyber attacks on Marks & Spencer and others is likely leaning on the expertise of other cyber criminals to enhance the severity of its attacks and the volume of its victims, according to NCC Group’s Threat pulse report for August 2025.

The gang’s attacks this year appear to herald a threat landscape in which collaboration is increasingly the watchword among cyber criminals.

“Scattered Spider is accumulating headlines from its attacks and signature, sophisticated social engineering techniques,” said Matt Hull, NCC head of threat intelligence.

“But its collaboration with ransomware-as-a-service (RaaS) operators is key in its disruption of global giants. The ransomware landscape operates in a ruthless, business-like structure, which needs to be considered when defences are being implemented.”

RaaS is the chief method used by the ragtag hacking collective to elevate the sophistication of its attacks so far in 2025, said NCC.

In leaning on the expertise of others to deliver the more technical aspects of its attacks, its own people – many of them thought to be ordinary teenagers sucked into cyber crime thanks to lax supervision and the influence of online forums – are free to focus on their core social engineering activities.

This combo makes Scattered Spider – already an infamous name in cyber circles thanks to a pattern of attacks dating back years – a far more dangerous threat as it can cause deeper disruption to its victims, and makes attribution – which defenders rely on for context and defensive operations – significantly harder.

Tactics, techniques and procedures

Historically, Scattered Spider has been seen working with multiple RaaS groups, including the likes of ALPHV, RansomHub, DragonForce and Qilin – Qilin alone accounted for 53 observed attacks in August. In this way, it is able to take advantage of each of these gangs’ various preferred tactics, techniques and procedures (TTPs) to target more organisations.

In selecting its RaaS partners, Scattered Spider also appears to demonstrate it has an eye for a bargain in its favour – each of the groups it is known to have worked with offers an affiliate-friendly commission structure, and Scattered Spider may even be able to play this to its advantage to receive even more favourable terms.

Not only that, but the group can also better sustain its activity should the police knock the front door in by spreading the risk across multiple operations.

NCC’s analysts added that the growing body of evidence suggesting links between Scattered Spider, ShinyHunters and Lapsus$ emphasises an even deeper threat posed by Scattered Spider.

“Scattered Spider are not fixed to a type of threat group when choosing those with whom they want to collaborate,” wrote the report’s authors.

“They go beyond ransomware to encompass cyber crime more broadly, likely to maximise attack success and opportunities for profit. Hence, we should anticipate that Scattered Spider will seek to collaborate with a broad group of threat actors and should not limit their capabilities to the world of ransomware.”

NCC said the authorities must adapt to this new dynamic if they are to see continued success in taking down cyber criminals.

Attack volumes stagnate, but threat is as real as ever

Amid all of this, the total number of observed ransomware attacks actually declined by more than a tenth last month, with just 328 incidents observed by NCC, making August 2025 the fifth consecutive period in which fewer than 500 incidents took place.

However, NCC said there was more than meets the eye to this apparent stagnation – a bulk release of Cl0p victims in February and March of 2025 skewed the data somewhat, and overall not much has changed year-on-year.

“There’s more than meets the eye to attack levels plateauing in recent months,” said Hull, highlighting how the overall threat remains as real as it ever did.

“Spikes earlier in the year have dwarfed today’s numbers, but the volume is far from low,” he said. “Despite how the graphs look at first glance, criminal partnerships signify why cyber resilience must be a first port of call for businesses and governments.” 

Besides Qilin, the most active gangs in August were Akira, Safepay, DragonForce and Play, with industrials, consumer discretionary and IT the most targeted sectors.

As usual, the report reveals that most attacks occur in North America – 57% of the total for August – with Europe, including the UK, accounting for 24%.

Timeline: Scattered Spider and ShinyHunters

  • 22 April 2025: A cyber attack at M&S has caused significant disruption to customers, leaving them unable to make contactless payments or use click-and-collect services.
  • 24 April: M&S is still unable to provide contactless payment or click-and-collect services amid a cyber attack that it says has forced it to move a number of processes offline to safeguard its customers, staff and business.
  • 25 April: M&S shuts down online sales as it works to contain and mitigate a severe cyber attack on its systems.
  • 29 April: An infamous hacking collective may have been behind the ongoing cyber attack on M&S that has crippled systems at the retailer and left its ecommerce operation in disarray.
  • 30 April: A developing cyber incident at Co-op has forced the retailer to pull the plug on some of its IT systems as it works to contain the attack.
  • 1 May: Co-op tells staff to stop using their VPNs and be wary that their communications channels may be being monitored, as a cyber attack on the organisation continues to develop.
  • 1 May: Harrods confirms it is the latest UK retailer to experience a cyber attack, shutting off a number of systems in an attempt to lessen the impact.
  • 2 May: The National Cyber Security Centre confirms it is providing assistance to M&S, Co-op and Harrods as concerns grow among UK retailers.
  • 7 May: No end is yet in sight for UK retailers subjected to apparent ransomware attacks.
  • 13 May: M&S is instructing all of its customers to change their account passwords after a significant amount of data was stolen in a DragonForce ransomware attack.
  • 14 May: Google’s threat intel analysts are aware of a number of in-progress cyber attacks against US retailers linked to the same gang that supposedly attacked M&S and Co-op in the UK.
  • 20 May: Cold chain services provider Peter Green Chilled, which supplies the likes of Aldi, Sainsbury’s and Tesco, has been forced to halt operations after succumbing to a ransomware attack.
  • 4 June: A threat group is using voice phishing to trick targeted organisations into sharing sensitive credentials, according to Google.
  • 11 June: So-called Black Swan events expose the blind spots in even the most sophisticated forecasting models, signalling a need to rethink how businesses, and those investing in them, quantify and prepare for cyber risk.
  • 13 June: The recent spate of cyber attacks on UK retailers has to be a wake-up call to build more cyber resilience into digital supply chains and fortify against social engineering attacks.
  • 17 June: Following a series of high-profile attacks on prominent retailers and consumer brands, a group of criminal hackers appears to be expanding their targeting to the insurance sector.
  • 20 June: The UK’s Cyber Monitoring Centre has published its first in-depth assessment of a major incident, reflecting on the impact of and lessons learned from cyber attacks on M&S and Co-op.
  • 26 June: US authorities have unsealed charges against 25-year-old hacker Kai West, aka IntelBroker, accusing him of being behind multiple cyber attacks.
  • 27 June: Multiple reports are emerging of cyber attacks on airlines – Google Cloud’s Mandiant believes them to be linked.
  • 2 July: Australian flag carrier Qantas is investigating significant data theft of personal information for up to six million customers after a third-party platform used by its call centre was compromised.
  • 2 July: A developing cyber attack at Australian airline Qantas that started at a third-party call centre is already being tentatively attributed to the same gang that hit UK retailers. Find out more and learn about the next steps for those affected.
  • 8 July: The government should extend ransomware reporting mandates to businesses to help gather more intelligence and better support victims, says M&S chairman Archie Norman.
  • 9 July: Australian flag carrier begins notifying millions of individuals after a cyber attack on a call centre, confirming that while financial and passport details are safe, a significant volume of other personal information was compromised.
  • 10 July: Police have made four arrests in connection with a trio of cyber attacks on UK retailers Marks & Spencer, Co-op and Harrods.
  • 14 July: French luxury goods retailer LVMH has disclosed multiple cyber attacks in 2025 so far, and their impact is now spreading to the UK as a new incident affecting Louis Vuitton comes to light.
  • 16 July: Microsoft warns users over notable evolutions in Scattered Spider’s attack playbook, and beefs up some of the defensive capabilities it offers to customers in response.
  • 16 July: Co-op chief executive Shirine Khoury-Haq has revealed that all the personal data of all 6.5 million of its members was compromised in the April 2025 cyber attack on its systems.
  • 24 July: Cleaning products manufacturer Clorox fell victim to a Scattered Spider social engineering attack two years ago – it blames its IT helpdesk provider, Cognizant.
  • 30 July: CISA, the FBI, NCSC and others have clubbed together to update previous guidance on Scattered Spider’s playbook, warning of new social engineering tactics and exploitation of legitimate tools, among other things.
  • 7 August: Air France - KLM alerts authorities of a data breach in which threat actors were able to get away with names, email addresses, phone numbers, and more. (Dark Reading)
  • 7 August: ShinyHunters is back, with low-tech hacks that nonetheless manage to bring down international megaliths like Google, Cisco, and Adidas. (Dark Reading)
  • 11 August: Computer Weekly gets under the skin of an ongoing wave of ShinyHunters cyber attacks orchestrated via social engineering against Salesforce users.
  • 12 August: ReliaQuest researchers present new evidence that firms up a potential link, or outright partnership, between the ShinyHunters and Scattered Spider cyber gangs.
  • 18 August: A campaign of voice-based social engineering attacks targeting users of Salesforce’s services appears to have struck HR platform Workday.
  • 19 August: Millions of people are supposedly affected by a breach at Allianz Insurance arising via attacks on Salesforce (Dark Reading).
  • 2 September: Jaguar Land Rover reports a cyber attack has ‘severely disrupted’ its vehicle production and retail operations, recalling similar attacks on other prominent British brands this year.
  • 5 September: The recent cyber attack on Jaguar Land Rover is keeping workers out of plants as possible attack group identity becomes public.
  • 9 September: Qantas executives are to take a pay cut in the wake of the recent cyber attack on the airline’s systems (Dark Reading).
  • 10 September: Carmaker Jaguar Land Rover revealed that data was stolen in the cyber attack that began on 31 August, as its production line continues to be affected.
  • 12 September: M&S chief digital and technology officer Rachel Higham steps back from her role in the wake of the April 2025 cyber attack on the retailer’s systems.
  • 15 September: Kering, the parent group of fashion houses including Balenciaga and Gucci, becomes the latest organisation to allegedly fall victim to ShinyHunters.

Read more on Hackers and cybercrime prevention