What makes Scattered Spider different from other ransomware groups?

Scattered Spider focuses specifically on identity infrastructure as their primary attack vector, targeting Microsoft 365, Active Directory, and Entra ID systems. Rather than just encrypting files, they establish persistent control by modifying identity policies and audit systems, making recovery about rebuilding trust in identity layers rather than simply decrypting data.

How long does recovery from a Scattered Spider attack typically take?

Recovery can extend for days, weeks, or even longer because organizations must segment networks, rotate every privileged and service account, and reissue credentials from a clean root. These time-consuming steps are essential to restoring confidence in identity-driven systems and ensuring the adversary is fully removed.

Scattered Spider: Identity-Based Cyber Threats in 2025

Name: Scattered Spider: Identity-Based Cyber Threats in 2025
Uploaded: 2026-03-12T15:38:14-04:00
Duration: 4 min 25 s
Description: TL;DR Scattered Spider is a loosely organized but highly effective cybercrime group that specializes in identity-based attacks targeting Microsoft 365, Active Directory, and Entra ID systems through social engineering and MFA bypass tactics. Once insid...

Veeam

03/12/2026

0 (0%)

Report Like Favorite

TL;DR

Scattered Spider is a loosely organized but highly effective cybercrime group that specializes in identity-based attacks targeting Microsoft 365, Active Directory, and Entra ID systems through social engineering and MFA bypass tactics.
Once inside networks, the group elevates privileges, modifies identity policies, and tampers with audit systems to establish persistent control while using legitimate collaboration platforms like Exchange, SharePoint, and Teams to blend in and stage data exfiltration.
Recovery from Scattered Spider attacks is uniquely challenging because it requires rebuilding trust in identity infrastructure through network segmentation, rotating all privileged credentials, and comprehensive verification—a process that can extend recovery timelines for weeks or longer compared to traditional ransomware.

Summary

This video examines Scattered Spider, a loosely organized but highly effective cybercrime group that has emerged as one of the most dangerous threat actors in 2025. Named by the cybersecurity community rather than self-identified, Scattered Spider distinguishes itself through sophisticated identity-based attacks that target Microsoft 365, Active Directory, and Entra ID infrastructure. The group's methodology centers on exploiting identity as the connective tissue of modern IT environments, using social engineering and MFA bypass techniques to gain initial access before pivoting to cloud identity systems. Once inside, attackers elevate privileges, modify identity policies, and tamper with audit visibility to redefine who the environment trusts as legitimate. The presentation features insights from Ray Ulmerle, Field CISO for Coveware by Veeam, who brings real-world perspective as a multi-time ransomware survivor and CISSP-certified security expert. The analysis emphasizes that recovery from Scattered Spider attacks requires rebuilding trust in identity systems through network segmentation, credential rotation, and comprehensive verification—a process that can extend timelines for weeks or longer compared to traditional ransomware incidents focused on file decryption.

Chapters

0:00 - Introduction to Scattered Spider
1:03 - Meet Ray Ulmerle, Field CISO
1:40 - Identity as Attack Surface
2:26 - Attack Methodology and Recovery Challenges

Key Quotes

0:19 "... one of the names that keeps popping up that I've been super interested in is Scattered Spider ..."
2:32 "... once inside, these Scattered Spider threat actors often pivot to cloud identity systems like Enter ID. Evidence from our incident reports indicate they may elevate privileges, modify your identity policies, tamper with audit visibility, effectively redefining who the environment believes is in control ..."
3:45 "Scattered Spider really proves that when identity itself becomes the battleground, recovery isn't about decrypting files, it's about rebuilding trust ..."

Categories:

» Cybersecurity » Cloud Security
» Data Protection

Tags:

Show more Show less

Browse videos

Upcoming Webinar Calendar

04/29/2026

12:00 PM

04/29/2026

Strategies for Safeguarding AI in Applications, Agents, and APIs

https://www.truthinit.com/index.php/channel/1893/strategies-for-safeguarding-ai-in-applications-agents-and-apis/
04/30/2026

10:00 AM

04/30/2026

Insights from the 2026 Keepit Annual Data Report on SaaS Data Protection

https://www.truthinit.com/index.php/channel/1868/insights-from-the-2026-keepit-annual-data-report-on-saas-data-protection/
04/30/2026

01:00 PM

04/30/2026

The New Economics of a VMware Exit

https://www.truthinit.com/index.php/channel/1880/the-new-economics-of-vmware-exit/
05/06/2026

02:00 AM

05/06/2026

Transforming AI's Potential: Proactively Identifying Attacks Before Breaches Occur

https://www.truthinit.com/index.php/channel/1886/transforming-ais-potential-proactively-identifying-attacks-before-breaches-occur/
05/06/2026

10:00 PM

05/06/2026

World Password Day: Strategies for Managing Your Passwords Effectively

https://www.truthinit.com/index.php/channel/1913/world-password-day-strategies-for-managing-your-passwords-effectively/
05/07/2026

05:00 AM

05/07/2026

World Password Day: Strategies for Managing Your Passwords Effectively

https://www.truthinit.com/index.php/channel/1914/world-password-day-strategies-for-managing-your-passwords-effectively/
05/07/2026

01:00 PM

05/07/2026

World Password Day: Strategies for Managing Your Passwords Effectively

https://www.truthinit.com/index.php/channel/1915/world-password-day-strategies-for-managing-your-passwords-effectively/
05/12/2026

01:00 PM

05/12/2026

Transforming Black Box to Glass Box: Revealing Hidden Threats and AI Risks through Data Lineage

https://www.truthinit.com/index.php/channel/1895/transforming-black-box-to-glass-box-revealing-hidden-threats-and-ai-risks-through-data-lineage/
05/12/2026

11:30 PM

05/12/2026

Effective Strategies for Safeguarding Active Directory and Minimizing Data Exposure

https://www.truthinit.com/index.php/channel/1888/effective-strategies-for-safeguarding-active-directory-and-minimizing-data-exposure/
05/13/2026

01:00 AM

05/13/2026

Transforming the Black Box: Revealing AI Risks and Hidden Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1890/transforming-the-black-box-revealing-ai-risks-and-hidden-threats-through-data-lineage/
05/13/2026

05:00 AM

05/13/2026

Transforming Black Box to Glass Box: Revealing AI Risks and Hidden Threats through Data Lineage

https://www.truthinit.com/index.php/channel/1894/transforming-black-box-to-glass-box-revealing-ai-risks-and-hidden-threats-through-data-lineage/
05/21/2026

11:00 AM

05/21/2026

The Autonomous Era: Orchestrating a Resilient Enterprise

https://www.truthinit.com/index.php/channel/1372/the-autonomous-era-orchestrating-a-resilient-enterprise/