
In this episode of Data Security Decoded, join Caleb Tolin as he welcomes back Joe Hladik, Head of Rubrik Zero Labs, to explore how modern adversaries like Scattered Spider are reshaping the ransomware landscape. From double extortion schemes to identity compromise and hypervisor encryption, Joe explains why these attackers succeed where traditional defenses fail and what security leaders must do to embed resilience and recovery at the core of their strategy.
• Learn how double extortion turns data theft into a two-payout playbook
• Hear why identity compromise and social engineering bypass even strong defenses
• Understand why breakout times as fast as 48 minutes change the response equation
• Get practical ways to build resilience and recovery without reintroducing attacker backdoors
B
Hello and welcome to another episode of Data Security Decoded. I'm your host, Caleb Tolin, and if this is your first time joining us, welcome to the show. Make sure you hit that subscribe button so you're notified when we have new episodes. And if you're already a subscriber, thanks for coming back. Give us a rating, drop a comment below, let us know what you think about the show. Now, in this episode, we were joined again by Joe Hladik, Head of Rubrik Zero Labs. And if you recall, Joe joined us in the spring to give us a little bit of insight and information around a new report from Rubrik Zero Labs. And this time he's joining us to talk about modern adversaries like Scattered Spider that his team is monitoring, and what defenders can do to prepare themselves and be resilient. Let's dive in. Joe, thank you again for joining us on the podcast. How's your summer been? What have you been up to since we had you last on the show?
A
Summer, I think, like any warm season, goes by too quickly, but overall it's been pretty great. I know that, at least in the security community, there's been a lot of different things happening. I know today we're talking about Scattered Spider, so it's been the focus of a lot of my work over the last couple of months.
B
No shortage of things to talk about today. So yeah, to dive directly into that: adversaries like Scattered Spider are highly organized, financially motivated criminal enterprises. Can you break down the motivation and business model for a group like Scattered Spider, especially how they use tactics like double extortion to maximize their financial payout?
A
So they aren't a nation state; their primary objective is financial gain. And as you had already mentioned, they're a financially motivated e-crime group, so to speak. Their business model is a shift from traditional sort of smash-and-grab ransomware, where most actors in the last several years have infiltrated different organizations and their modus operandi has been primarily around encryption: encryption of crown jewels, important assets, critical assets, sensitive data, PII, PCI, that sort of thing, and also applications and services. So if you're an e-commerce company, your whole business model is around your website and retail, and that sort of thing is taken down, for instance, and you can't bring it up because the system's been encrypted. That poses a problem.

Now, the difference here is that they still do that. But first I'll talk a little bit about their business model. They've become more or less a full-fledged ransomware affiliate within a ransomware-as-a-service ecosystem, or RaaS if you're not familiar with that. This allows them to monetize their access. So for instance, there are certain brokers out there that sell access to environments or sell exploits for undisclosed or unrealized vulnerabilities. So all these different types of sellers are part of this ecosystem. And then there are also operators that purchase from these sellers, or are the buyers, but they're also the ones that execute these engagements.

So the key tactic you mentioned around double extortion, it's an evolution from a single payment for decryption. They now steal large amounts of sensitive data from a lot of unstructured sources like, say, SharePoint or OneDrive, and then they threaten you with public disclosure as leverage. This gives them two potential payouts. So even if the victim or the organization refuses to pay to decrypt their assets, then they can just expose it to the world, or to interested parties or stakeholders that in a geopolitical or corporate espionage type of environment may work against you. Does that make sense?
B
Yes, it absolutely makes sense. And so adversaries like Scattered Spider and other groups with similar types of motives have shifted the ransomware playbook. The techniques they're taking are defying traditional perimeter defenses. So can you explain why identity as an attack vector is so devastating, and why existing security tools are so blind to it?
A
You're going to hear me talk about things like living off the land, which I'll get into in a little more detail here. But this is a critical point, because Scattered Spider's approach is not new or novel. What is novel is the way they're employing the techniques that they are. So they're not inventing anything new, necessarily. They don't rely on traditional malware that security tools are designed to catch. So that's number one.

They bypass perimeter defenses by using sophisticated social engineering. A good example of this would be vishing, which is the same as phishing but through voice. And what that means is they're native English speakers, so they pose as empathetic, articulate, well-informed and knowledgeable IT staff. So you pick up the phone, call your IT, but it's actually them. And then they figure out a way to engineer you to basically give them access. That's basically how this works. And this means that they abuse legitimate administrative tools as a result. So by manipulating you as the user, they now use your credentials and then are able to pivot and access cloud services that you had access to. And this allows them to move laterally within the network. And this is actually what's called living off the land, which I mentioned before. So this makes it exceptionally difficult to detect, because traditional signature-based detection tools won't find this type of thing. You need to start employing things like anomaly- and behavior-based types of detection.

One of the things that I find really interesting, though, is that they brought back an old technique that was not often used, which is bring your own vulnerable driver, mainly because it's an effective technique, but it's not an often-used one until now. And these attacks load signed but outdated drivers. And this allows them to disable endpoint detection and response products like CrowdStrike Falcon, for example, rendering them useless. And this is particularly effective in virtualized environments, where they can encrypt an entire hypervisor of VMs in seconds, causing total paralysis of critical services like Active Directory. That's pretty much, I'd say, the long and short of the high level of what their capabilities are.
B
All right, so could you break down that attack path a little bit further? What is it about legacy infrastructure that makes it so easy for them to sabotage a company's ability to recover, and sometimes even take out the backup system itself?
A
The attack starts with the human element. They're masters, as I mentioned before, in social engineering, or hacking the person, often by posing as an employee and calling the IT help desk to request a password reset or MFA bypass, as we've sort of discussed. That's basically it: they will pose as an employee, call the IT help desk, try to get their account, or the account of the person they're posing as, reset or their MFA disabled so that they can just get access. This has proven pretty successful. This identity compromise gives them a key, and this key, or this golden SAML backdoor, bypasses all security controls. So once they have that foothold, they're able to weaponize identities and move laterally, escalate privileges and so on.

When they target legacy infrastructure, such as a backup system running on, say, a vulnerable virtual machine, it becomes like a perfect target for sabotage, mainly because they're most likely using native tooling. If it's in the cloud, for instance, they rely upon native services, which may lack a lot of the security features that are inherent to third-party products, like native immutability, quorum authentication, retention lock. So there are certain protective features that exist within some third-party products that may not exist in native tools. And on the on-prem side of things, in, say, legacy environments, there are some people that are still using backup software and methodologies that are decades old and they haven't modernized, which are very easy to exploit as a result.

So I mentioned before that their technical capabilities also extend to hypervisor encryption. Well, if they're able to access the hypervisor and perform encryption, they can also access the virtualization interfaces to encrypt entire ESXi clusters. And this tactic can take an entire backup system offline. And for organizations that rely on an ESXi cluster, dealing with hypervisor encryption may leave them with no way to recover at all.
B
Right, that makes sense. So what are some of the key capabilities that organizations should look for when they're going through some type of modernization, so they don't accidentally reintroduce the threat during a recovery?
A
So the speed of these attacks is really accelerating. CrowdStrike earlier this year reported a breakout time that has dropped to as low as 48 minutes. And for those who don't know, breakout is not the same as initial access. The breakout time is how long it takes to achieve the ability to move laterally. So they've already gained access to your environment, and the breakout time is that now they're moving around. And the fact that that can all take place within 48 minutes is pretty scary.

So given that time is not on your side, I think resiliency is really going to shape up to be the future in terms of managing a security posture, just security operations as a whole. To dive into that a little bit, what cyber resilience really is: cyber resilience is the ability of an organization to prepare for, respond to and recover from cyber attacks or other digital disruptions while continuing to operate your critical business functions. So it goes beyond traditional cybersecurity by integrating multiple groups, such as risk management, business continuity, disaster recovery, incident response, all into a unified strategy. The goal is not to prevent the attacks, but to withstand them and then bounce back quickly with minimal impact. Therefore, cyber resilience, to me and in our view, is about accepting the assumption of a breach, because with that attitude, that mindset, you're always thinking from a defensive posture and mindset. And this means restoring both your data and identity systems to a trusted, clean state without reintroducing the attacker's backdoors or persistence mechanisms. So instead of focusing on how quickly we can detect and respond, we also have to take those frameworks and metrics and extend them further: how long does it take to not only detect and then respond, but also recover?

I know most people are familiar with RTO, recovery time objective, which is a metric of how much time, you know, seconds, minutes, days, you can take to then return to operations through that recovery. But there is so much more that happens within the recovery process, from scoping to identifying a clean snapshot to recover to, to then actually restoring the data. Because if you're dealing with this over the Internet and you have petabytes of data, that's going to take some time. That's not a quick thing, even with modern Internet speeds. So you have to account for all of these different timelines, even the ability to verify: once you've restored everything, your infrastructure, applications and services, then you have to validate everything is working. So resilience to us is that, well, let's reintroduce a new framework of not just detect and respond, but also recovery, and include those two metrics in the overall framework, so you have a whole timeline from detection all the way to full business continuity. Right.
B
I couldn't agree more. Resilience and recovery are just going to become more and more important as time goes on and as more organizations face adversaries like Scattered Spider. So this has been great, Joe. Thank you for sharing your perspective and insights. If folks want to learn more, where should they go to look?
A
zerolabs.rubrik.com, that's where we post all of our blogs, white papers, where we're shifting from an annual report now to a quarterly one, or that's our mission right now. So you can find a lot of that on zerolabs.rubrik.com.
B
Awesome. Wonderful. Well, Joe, thank you again so much. It was great. And until next time.
A
Thanks Caleb. Sam.
Host: Caleb Tolin (Rubrik)
Guest: Joe Hladik, Head of Rubrik Zero Labs
Date: September 23, 2025
This episode delves into the evolving landscape of ransomware, focusing particularly on Scattered Spider, a sophisticated, financially motivated cybercriminal group. Host Caleb Tolin speaks with Joe Hladik about the latest tactics in identity-based attacks, the limitations of traditional defenses, and strategic approaches to building cyber resilience in the era of rapid and devastating ransomware incidents.
"They aren't a nation state, their primary objective is financial gain."
– Joe Hladik (01:53)
"They now steal large amounts of sensitive data... and then they threaten you with the public disclosure as leverage. This gives them two potential payouts."
– Joe Hladik (02:59)
Living Off the Land & Social Engineering
"They pose as empathetic, articulate, well-informed and knowledgeable IT staff... and then figure out a way to engineer you to basically give them access."
– Joe Hladik (04:30)
Detection Is Challenging
Old Tactics, New Effectiveness
"These attacks load signed but outdated drivers... rendering [detection tools] useless."
– Joe Hladik (05:26)
Human Factor: The Point of Entry
"They will pose as an employee, call the IT help desk, try to get their account... reset or their MFA disabled so that they can just get access."
– Joe Hladik (06:33)
Why Legacy Backups Are at Risk
"There are some people still using backup software and methodologies that are decades old and they haven't modernized, which are very easy to exploit as a result."
– Joe Hladik (07:20)
Attack Speed Is Accelerating
"The fact that that can all take place within 48 minutes is pretty scary."
– Joe Hladik (08:46)
Beyond Cybersecurity: Embracing Resilience
Tactical Recovery Considerations
"It's not just detect and respond, but also recovery...so you have a whole timeline from detection all the way to full business continuity."
– Joe Hladik (10:55)
On Social Engineering:
"You're going to hear me talk about things like living off the land...what is novel is the way they're employing the techniques that they are."
– Joe Hladik (04:16)
On Modernization and Recovery:
"Resilience to us is that, well, let's reintroduce a new framework of not just detect and respond, but also recovery and include those two metrics in the overall framework."
– Joe Hladik (10:52)
"zerolabs.rubrik.com, that's where we post all of our blogs, white papers... shifting from an annual report now to a quarterly one."
– Joe Hladik (11:43)
Summary prepared for listeners seeking a thorough yet accessible overview of cutting-edge ransomware threats and actionable resilience strategies.