A 17-year-old Walsall local was arrested by U.K. law enforcement for being an alleged member of the notorious Scattered Spider ransomware gang, which has targeted several major companies, including the U.S. MGM Resorts.
Coordinated with the U.K. National Crime Agency (NCA) and the U.S. Federal Bureau of Investigation (FBI), the arrest is “part of a global investigation into a large-scale cyber hacking community.”
The suspect was taken into custody on suspicion of Blackmail and Computer Misuse Act offenses and released on bail. The investigation continues, as evidence at the suspect’s address was recovered, including digital devices that will undergo forensic examination.
In June, the Scattered Spider alleged leader was arrested in Spain. The man is said to be a SIM-swapper connected to many high-profile ransomware campaigns attributed to the cybercriminal group.
Another alleged member of the hacker gang was arrested this year in January. The FBI believes the group’s members mainly come from the US and the UK.
Scattered Spider (also known as Starfraud, UNC3944, Scatter Swine, and Muddled Libra) is an offshoot of a loose-knit group called The Com that appeared in May 2022, focusing on data extortion and other criminal activities, targeting large companies and their contracted IT help desks.
Over the past two years, it has been suspected of infiltrating Twilio, LastPass, DoorDash, Mailchimp, and nearly 130 other organizations worldwide. Scattered Spider has evolved into an initial access broker and affiliate, delivering ransomware families like BlackCat, Qilin, and RansomHub.
They use several social engineering techniques like phishing, push bombing, and subscriber identity module (SIM) swap attacks to obtain credentials, install remote access tools, and/or bypass multi-factor authentication (MFA).
Their campaigns use tools such as Fleetdeck, Level, Mimikatz, Ngrok, Pulseway, Screenconnect, Splashtop, Tactical.RMM, Tailscale, and Teamviewer. They deploy the Raccoon Stealer, VIDAR Stealer, and AveMaria (also known as WarZone) malware and sometimes BlackCat/ALPHV ransomware.