NCC: How RaaS team-ups help Scattered Spider enhance its attacks


The infamous Scattered Spider hacking collective behind cyber attacks on Marks & Spencer and others is probably leaning on the expertise of other cyber criminals to increase the severity of its attacks and the number of its victims, according to NCC Group’s Threat Pulse report for August 2025.

The gang’s attacks this year appear to herald a threat landscape in which collaboration is increasingly the watchword among cyber criminals.

“Scattered Spider is accumulating headlines from its assaults and signature, subtle social engineering methods,” said Matt Hull, NCC head of threat intelligence.

“However its collaboration with ransomware-as-a-service (RaaS) operators is essential in its disruption of world giants. The ransomware panorama operates in a ruthless, business-like construction, which must be thought of when defences are being carried out.”

RaaS is the chief method used by the ragtag hacking collective to raise the sophistication of its attacks so far in 2025, said NCC.

In leaning on the expertise of others to deliver the more technical aspects of its attacks, its own people – many of them thought to be unusual youngsters sucked into cyber crime thanks to lax supervision and the influence of online forums – are free to focus on their core social engineering activities.

This combination makes Scattered Spider – already an infamous name in cyber circles thanks to a pattern of attacks dating back years – a far more dangerous threat, as it can cause deeper disruption to its victims, and makes attribution – which defenders rely on for context and defensive operations – significantly harder.

Tactics, techniques and procedures

Historically, Scattered Spider has been observed working with a number of RaaS groups, including the likes of ALPHV, RansomHub, DragonForce and Qilin – Qilin alone accounted for 53 observed attacks in August. In this way, it is able to take advantage of each of these gangs’ various preferred tactics, techniques and procedures (TTPs) to target more organisations.

In selecting its RaaS partners, Scattered Spider also appears to show it has an eye for a deal in its favour – each of the groups it is known to have worked with offers an affiliate-friendly fee structure, and Scattered Spider may even be able to play this to its advantage to obtain even more favourable terms.

Not only that, but by spreading the risk across multiple operations, the group can also better sustain its activity should the police knock the front door in.

NCC’s analysts added that the growing body of evidence suggesting links between Scattered Spider, ShinyHunters and Lapsus$ emphasises an even deeper threat posed by Scattered Spider.

“Scattered Spider are not fixed to a kind of risk group when selecting those with whom they need to collaborate,” wrote the report’s authors.

“They transcend ransomware to embody cyber crime more broadly, more likely to maximise assault success and alternatives for revenue. Therefore, we must always anticipate that Scattered Spider will search to collaborate with a broad group of risk actors and mustn’t restrict their capabilities to the world of ransomware.”

NCC said the authorities must adapt to this new dynamic if they are to see continued success in taking down cyber criminals.

Attack volumes stagnate, but threat is as real as ever

Amid all of this, the overall number of observed ransomware attacks actually declined by more than a tenth last month, with just 328 incidents observed by NCC, making August 2025 the fifth consecutive period in which fewer than 500 incidents took place.

However, NCC said there was more than meets the eye to this apparent stagnation – a bulk release of Cl0p victims in February and March of 2025 skewed the data significantly, and overall not much has changed year-on-year.

“There’s more than meets the eye to assault ranges plateauing in current months,” said Hull, highlighting how the overall threat remains as real as it ever did.

“Spikes earlier in the year have dwarfed today’s numbers, but the quantity is far from low,” he said. “Regardless of how the graphs look at first glance, legal partnerships signify why cyber resilience has to be a first port of call for companies and governments.”

Besides Qilin, the most active gangs in August were Akira, Safepay, DragonForce and Play, with industrials, consumer discretionary and IT the most targeted sectors.

As usual, the report shows that the majority of attacks occur in North America – 57% of the total for August – with Europe, including the UK, accounting for 24%.