What makes Scattered Spider different from other ransomware groups?

Scattered Spider focuses specifically on identity infrastructure as their primary attack vector, targeting Microsoft 365, Active Directory, and Entra ID systems. Rather than just encrypting files, they establish persistent control by modifying identity policies and audit systems, making recovery about rebuilding trust in identity layers rather than simply decrypting data.

How long does recovery from a Scattered Spider attack typically take?

Recovery can extend for days, weeks, or even longer because organizations must segment networks, rotate every privileged and service account, and reissue credentials from a clean root. These time-consuming steps are essential to restoring confidence in identity-driven systems and ensuring the adversary is fully removed.

Scattered Spider: Identity-Based Cyber Threats in 2025

Name: Scattered Spider: Identity-Based Cyber Threats in 2025
Uploaded: 2026-03-12T15:38:14-04:00
Duration: 4 min 25 s
Description: TL;DR Scattered Spider is a loosely organized but highly effective cybercrime group that specializes in identity-based attacks targeting Microsoft 365, Active Directory, and Entra ID systems through social engineering and MFA bypass tactics. Once insid...

Veeam

03/12/2026

0 (0%)

Report Like Favorite

TL;DR

Scattered Spider is a loosely organized but highly effective cybercrime group that specializes in identity-based attacks targeting Microsoft 365, Active Directory, and Entra ID systems through social engineering and MFA bypass tactics.
Once inside networks, the group elevates privileges, modifies identity policies, and tampers with audit systems to establish persistent control while using legitimate collaboration platforms like Exchange, SharePoint, and Teams to blend in and stage data exfiltration.
Recovery from Scattered Spider attacks is uniquely challenging because it requires rebuilding trust in identity infrastructure through network segmentation, rotating all privileged credentials, and comprehensive verification—a process that can extend recovery timelines for weeks or longer compared to traditional ransomware.

Summary

This video examines Scattered Spider, a loosely organized but highly effective cybercrime group that has emerged as one of the most dangerous threat actors in 2025. Named by the cybersecurity community rather than self-identified, Scattered Spider distinguishes itself through sophisticated identity-based attacks that target Microsoft 365, Active Directory, and Entra ID infrastructure. The group's methodology centers on exploiting identity as the connective tissue of modern IT environments, using social engineering and MFA bypass techniques to gain initial access before pivoting to cloud identity systems. Once inside, attackers elevate privileges, modify identity policies, and tamper with audit visibility to redefine who the environment trusts as legitimate. The presentation features insights from Ray Ulmerle, Field CISO for Coveware by Veeam, who brings real-world perspective as a multi-time ransomware survivor and CISSP-certified security expert. The analysis emphasizes that recovery from Scattered Spider attacks requires rebuilding trust in identity systems through network segmentation, credential rotation, and comprehensive verification—a process that can extend timelines for weeks or longer compared to traditional ransomware incidents focused on file decryption.

Chapters

0:00 - Introduction to Scattered Spider
1:03 - Meet Ray Ulmerle, Field CISO
1:40 - Identity as Attack Surface
2:26 - Attack Methodology and Recovery Challenges

Key Quotes

0:19 "... one of the names that keeps popping up that I've been super interested in is Scattered Spider ..."
2:32 "... once inside, these Scattered Spider threat actors often pivot to cloud identity systems like Enter ID. Evidence from our incident reports indicate they may elevate privileges, modify your identity policies, tamper with audit visibility, effectively redefining who the environment believes is in control ..."
3:45 "Scattered Spider really proves that when identity itself becomes the battleground, recovery isn't about decrypting files, it's about rebuilding trust ..."

Categories:

» Data Protection

Tags:

Show more Show less

Browse videos

Upcoming Webinar Calendar

03/17/2026

06:00 AM

03/17/2026

L'importance cruciale de l'ITDR pour 2026 et au-delà

https://www.truthinit.com/index.php/channel/1856/limportance-cruciale-de-litdr-pour-2026-et-au-delà/
03/18/2026

01:00 PM

03/18/2026

Beyond Chatbots: Agentic AI That Actually Fixes Identity Risk

https://www.truthinit.com/index.php/channel/1847/beyond-chatbots-agentic-ai-that-actually-fixes-identity-risk/
03/19/2026

11:00 AM

03/19/2026

Risk in Real Time: Stopping Exploits Before the CVE Even Exists

https://www.truthinit.com/index.php/channel/1372/unlocking-network-intelligence-for-smarter-risk-decisions/
03/19/2026

01:00 PM

03/19/2026

Cyber CSI 2.0: Phishing Forensics in the Age of AI and Deepfakes

https://www.truthinit.com/index.php/channel/1842/cyber-csi-2-0-phishing-forensics-in-the-age-of-ai-and-deepfakes/
03/26/2026

01:00 AM

03/26/2026

Reclaim Network Clarity and Accountability with Netskope DEM

https://www.truthinit.com/index.php/channel/1846/reclaim-network-clarity-and-accountability-with-netskope-dem/
03/26/2026

05:00 AM

03/26/2026

ITDR as an Integral Component of Critical Security Architecture

https://www.truthinit.com/index.php/channel/1863/itdr-as-an-integral-component-of-critical-security-architecture/
03/26/2026

01:00 PM

03/26/2026

HUMAN Dialogue: Transforming City-Scale Cyber Resilience through AI Innovations

https://www.truthinit.com/index.php/channel/1835/human-dialogue-transforming-city-scale-cyber-resilience-through-ai-innovations/
03/26/2026

01:00 PM

03/26/2026

Making GPUs Available On Demand (Without Breaking the Budget)

https://www.truthinit.com/index.php/channel/1858/making-gpus-available-on-demand-without-breaking-the-budget/
04/08/2026

01:00 PM

04/08/2026

Managing Configuration at Scale Across Group Policy and Intune

https://www.truthinit.com/index.php/channel/1865/managing-configuration-at-scale-across-group-policy-and-intune/
04/15/2026

01:00 PM

04/15/2026

Service Account Security in the Age of AI: From Legacy Accounts to Agentic Identities

https://www.truthinit.com/index.php/channel/1866/service-account-security-in-the-age-of-ai-from-legacy-accounts-to-agentic-identities/