CISA, FBI warn of social engineering-based ransomware


Federal agencies are revealing more information on the Scattered Spider cybercriminal group in a bid to both prevent breaches and encourage victims to offer more detail on such attacks.

A ransomware exploit that targets vulnerabilities in the networks of large U.S. corporations has captured the attention of federal law enforcement and information agencies, who issued a critical message Thursday: do not pay the ransom. 

As detailed in a joint advisory by the FBI and the Cybersecurity and Infrastructure Security Agency, Scattered Spider is a cybercriminal group that has been targeting large organizations’ sensitive data, compromising networks within corporations like MGM Resorts and Casinos.

Technical details revealed in the advisory show that Scattered Spider relies on social engineering to breach network defenses, using phishing schemes, push bombing (flooding a user with multifactor authentication prompts until one is approved) and subscriber identity module (SIM) swap attacks. The group notably contacts information technology helpdesk services with deceptive requests to gain access to private networks.

Once inside a network, Scattered Spider affiliates deploy malware to monitor it and extract data using legitimate software tools already present in the environment, a tactic known as “living off the land.”

Some recorded incidents also showcase Scattered Spider-linked actors running BlackCat/ALPHV ransomware within their operations. 

In addition to encouraging network managers to read and implement the FBI and CISA’s guidance, a senior CISA official told reporters on Thursday that paying a ransom following a data breach is contrary to current law enforcement guidance. Because the hackers’ motivations are often financial, compromised organizations rewarding such attacks will likely incentivize the hackers to target the same victims. 

“The proceeds from those ransom payments — being that this is a criminal business that they're running — is going to be leveraged to do two things: one, to go in the pockets of the people leading these groups as profit, or to be reinvested into additional operations that target additional entities to include very often the same victims who had already paid,” a senior FBI official said. “Because the statistics that we have are that once you've been victimized once you're very often going to be victimized again.”

The advisory recommends that efforts to check for a Scattered Spider attack begin with reviewing email and messaging activity in software such as Slack, Microsoft Teams and Microsoft Exchange. Officials from both agencies also recommended that organizations review their normal cybersecurity protocols and ensure that they are being followed.
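As an added illustration of the kind of log review the advisory encourages, the following defender-side script flags the push bombing technique described above: a burst of multifactor authentication prompts to one user inside a short window, ending in an approval. This is example code written for this article, not material from the CISA/FBI advisory; the log format and sample entries are constructed, and the threshold and window are assumed tuning values.

```python
"""Flag MFA push-bombing bursts in authentication logs (added example)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA log, one push prompt per line:
# "<ISO timestamp> <user> <denied|approved>". Not real data.
SAMPLE_LOG = [
    "2023-11-16T02:14:05Z alice denied",
    "2023-11-16T02:15:10Z alice denied",
    "2023-11-16T02:16:02Z alice denied",
    "2023-11-16T02:17:45Z alice denied",
    "2023-11-16T02:19:30Z alice denied",
    "2023-11-16T02:21:12Z alice approved",   # user gives in after 5 denials
    "2023-11-16T08:02:00Z bob approved",     # single normal login
    "2023-11-16T09:30:00Z carol denied",     # two prompts hours apart
    "2023-11-16T12:00:00Z carol approved",
]


def parse_line(line):
    """Split one log line into (timestamp, user, result)."""
    ts, user, result = line.split()
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result


def detect_push_bombing(lines, threshold=5, window_minutes=10):
    """Return users who received at least `threshold` MFA prompts within any
    `window_minutes` span, noting whether a prompt was approved inside that
    burst (the push-fatigue outcome a defender most wants to catch)."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for line in lines:
        ts, user, result = parse_line(line)
        by_user[user].append((ts, result))
    flagged = {}
    for user, events in by_user.items():
        events.sort()
        j = 0
        for i, (start, _) in enumerate(events):
            j = max(j, i)
            # Slide j forward to the last prompt still within the window.
            while j + 1 < len(events) and events[j + 1][0] - start <= window:
                j += 1
            count = j - i + 1
            if count >= threshold:
                approved = any(r == "approved" for _, r in events[i:j + 1])
                flagged[user] = {"pushes": count, "approved_after_burst": approved}
                break
    return flagged


if __name__ == "__main__":
    print(detect_push_bombing(SAMPLE_LOG))
```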

Increasing the volume of information on these and other attacks will also help officials police future threats. 

“The more data that we have coming in, the better able we're able to make those connections and execute actions against those actors,” the CISA official said.