- US retailers should “take note”, Google is warning
- Scattered Spider was seen targeting multiple US retailers this year
- The group has been on a “long hiatus”
Scattered Spider, a known ransomware collective, is widening its target scope, no longer focusing exclusively on UK firms. This is according to Google’s Threat Intelligence Group (TIG), who told BleepingComputer that US retailers “should take note.”
“The US retail sector is currently being targeted in ransomware and extortion operations that we suspect are linked to UNC3944, also known as Scattered Spider,” John Hultquist, Chief Analyst at Google Threat Intelligence Group, told the publication. Hultquist added that Scattered Spider has returned after a “long hiatus” to target multiple firms.
The group is not as tightly-knit as organizations such as LockBit or Cl0p. It is relatively loose, and operates within a larger hacking community known as “the Com”. Its members engage in all kinds of attacks, from social engineering and SIM swapping, to ransomware. Scattered Spider’s usual targets are financial institutions, technology firms, and entertainment/gambling organizations.
Names and addresses
Google is warning retailers to take note, however, Silent Push reported that in 2025 some of Scattered Spider’s victims included Chick-fil-A, Forbes, Instacart, New York Digital Investment Group, News Corporation, Nike, Twitter/X, Tinder, T-Mobile, and Vodafone.
Among the retailers targeted this year, BleepingComputer singled out Marks & Spencer, Co-op, and Harrods. In all of these attacks, the threat actors used DragonForce – a ransomware operation that emerged in December 2023 and gained some notoriety since then.
In April 2025, the UK National Cyber Security Centre (NCSC) published new guidance, helping UK firms defend against Scattered Spider better. The organizations urged the retail sector to “wake up” and tighten up on security.
“Whilst we have insights, we are not yet in a position to say if these attacks are linked, if this is a concerted campaign by a single actor, or whether there is no link between them at all,” the NCSC said. “We are working with the victims and law enforcement colleagues to ascertain that.”
Leave a comment