Employers should beef up anti-phishing systems and training to keep the Scattered Spider ransomware group and its imitators out of their computers.
The Cybersecurity Working Group, an arm of the National Association of Insurance Commissioners, included a discussion of the Scattered Spider ransomware problem in a document packet prepared for a recent in-person session in Minneapolis.
Joe Toomey, the head of security engineering at Coalition, a cybersecurity insurance group, briefed regulators on the Scattered Spider threat in July.
Typical members of the ransomware group are people ages 15 to 17 who speak English as a native language. They start with little funding, but they use their ability to speak English well to persuade workers at big companies to give them passwords and help them get around company network defense systems, Toomey told regulators.
Ransomware group members first use public websites and other sources to get the names, titles and personal details of executives and information technology workers at targeted companies. The attackers then persuade help desk workers to reset passwords and add new phones or other devices to the lists of devices used for "multi-factor authentication" efforts, or efforts to supplement password systems by confirming that computer network users are who they say they are.
In some cases, Toomey said, the attackers arrange for authorized users to get so many MFA request notifications that they accidentally approve one of the requests.
Once the Scattered Spider members get into the targeted systems, they may steal and encrypt the data and ask for ransom payments.
High-risk organizations need to pay close attention to anti-phishing safeguards and training at their vendors and service providers, because Scattered Spider members often use those to get into the targeted company, Toomey said.
Insurers and health benefits firms: Scattered Spider and other ransomware groups "have found insurers to be good targets because they pay," according to the draft meeting minutes summarizing Toomey's remarks.
Toomey noted that Scattered Spider attacks have severely disrupted the operations of two large property and casualty insurers.
In June, Episource, a UnitedHealth medical billing services subsidiary, reported that attackers had breached its computer systems in January, and Aflac said it had also learned of a breach of its systems.
Cybersecurity analysts speculated that the breaches might have been the work of Scattered Spider members.
Some employers are trying to give workers a defense against identity theft by offering employer-paid or voluntary identity protection plans.
Jeff Leston, a health plan fraud prevention expert, has argued that employers and their workers need new types of protection strategies that limit bad actors' ability to use stolen identities to make large purchases or withdraw large amounts of cash.
What it means: Health insurers and other benefits sector firms may face extra Scattered Spider risk.
They could be targeted because of their own role as employers and substantial businesses, and they could be attacked because ransomware gang members see hacking them as a route into employer clients' systems.