Scattered Spider and BlackCat reemerge after takedown

New groups show striking similarities in tools and tactics

Two cybercriminal groups appear to have reemerged after a brief hiatus.

Scattered Spider and BlackCat (aka ALPHV) had seemingly vanished after a series of high-profile arrests and website seizures last year.

However, security firm ReliaQuest attributed a recent digital break-in at a manufacturing firm to Scattered Spider.

"In October 2024, ReliaQuest responded to an intrusion affecting a manufacturing sector customer. We identified Scattered Spider to be behind the incident," the company said.

The attack involved a social engineering scheme targeting the victim's help desk.

"The attacker gained initial access to two employee accounts by carrying out social engineering attacks on the organisation's help desk twice. Within six hours, the attacker began encrypting the organisation's systems.

"To maintain persistence, Scattered Spider leveraged the organisation's ESXi environment to create a virtual machine. This concealed their attack until the environment was encrypted and backups were sabotaged."

Scattered Spider has successfully breached numerous high-profile organisations in the past by exploiting vulnerabilities in human behaviour.

A notable shift in the group's tactics is their adoption of the RansomHub encryptor.

The group was previously affiliated with BlackCat/ALPHV, and this change suggests a potential strategic realignment or an effort to diversify the group's toolkit.

Cybersecurity experts warn that the resurgence of these groups poses a significant threat to organisations worldwide.

The Scattered Spider gang is thought to be part of a larger cybercriminal community dubbed "The Com."

"This event demonstrates that despite arrests this year, members of The Com are still actively targeting organisations," Hayden Evans, cyber threat intelligence analyst at ReliaQuest, told The Register.

BlackCat returns

The infamous ransomware group BlackCat/ALPHV also appears to have resurfaced after a brief period of dormancy, albeit under a new guise.

The FBI announced its successful disruption of the BlackCat ransomware operation in December last year. The operation, conducted in collaboration with international law enforcement agencies, dismantled the group’s ransomware infrastructure and provided a decryption tool to hundreds of victims.

BlackCat, a sophisticated ransomware-as-a-service (RaaS) group, had wreaked havoc on countless organisations worldwide. The gang's modus operandi involved infiltrating networks, encrypting sensitive data and demanding ransom payments. By exfiltrating data before encryption, BlackCat employed a double-extortion tactic, placing further pressure on victims to pay up.

The FBI's operation involved a technical intrusion into BlackCat's infrastructure, allowing agents to silently monitor the group's activities for months. The operation enabled the agency to collect critical intelligence, including decryption keys for a large number of victims.

By seizing control of the group's data leak site, the FBI effectively neutralised a key tool used to extort victims.

However, security researchers say the group has now re-emerged as Cicada3301, whose techniques and tactics bear striking similarities to BlackCat's.

Since its discovery in June, Cicada3301 ransomware has targeted at least 39 victims.

Cicada's malware is written in Rust, similar to BlackCat, and shares multiple characteristics with other data-encrypting and data-wiping programmes, as analysed by Israeli endpoint security company Morphisec.

In recent findings, Group-IB threat hunters reported successfully infiltrating the Cicada3301 ransomware affiliate panel.

"These ransomware operators – whether it's Scattered Spider through RansomHub or this new Cicada ransomware group – are inherently opportunistic," said ReliaQuest’s Evans.

"A large majority of the time the tactics of these groups overlap. It's super important for defenders to identify these common TTPs and common tools of these groups and have detection and mitigations in place."