Data Security Decoded
Episode: Scattered Spider: the Evolution of Identity-Based Ransomware
Host: Caleb Toland (Rubrik)
Guest: Joe Halatic, Head of Rubrik Zero Labs
Date: September 23, 2025
Episode Overview
This episode delves into the evolving landscape of ransomware, focusing particularly on Scattered Spider—a sophisticated, financially motivated cybercriminal group. Host Caleb Toland speaks with Joe Halatic about the latest tactics in identity-based attacks, the limitations of traditional defenses, and strategic approaches to building cyber resilience in the era of rapid and devastating ransomware incidents.
Key Discussion Points & Insights
1. Who Is Scattered Spider?
- Criminal Enterprise, Not Nation-State
- Scattered Spider is described as a financially motivated e-crime group, operating within the broader ransomware-as-a-service (RaaS) ecosystem.
- Quote:
"They aren't a nation state, their primary objective is financial gain."
– Joe Halatic (01:53)
2. Evolution of the Ransomware Business Model
- From Encryption to Double Extortion
- Traditional ransomware focused on encrypting critical assets and demanding a payment for decryption.
- Modern groups like Scattered Spider have evolved to also steal sensitive data and threaten public disclosure, increasing leverage.
- Quote:
"They now steal large amounts of sensitive data... and then they threaten you with the public disclosure as leverage. This gives them two potential payouts."
– Joe Halatic (02:59)
3. Exploiting Identity as an Attack Vector
- Living Off the Land & Social Engineering
- Attackers bypass perimeter defenses by posing as legitimate employees, often via voice-based phishing ("vishing").
- The goal: compromise credentials to move laterally, using existing administrative tools rather than malware.
- Quote:
"They pose as empathetic, articulate, well informed and knowledgeable IT staff... and then figure out a way to engineer you to basically give them access."
– Joe Halatic (04:30)
- Detection Is Challenging
- Since these attackers abuse legitimate tools and processes, signature-based security is often ineffective.
- Behavioral analytics and anomaly detection are increasingly essential.
- Old Tactics, New Effectiveness
- Scattered Spider revives techniques like "bring your own vulnerable driver" to disable endpoint detection.
- Quote:
"These attacks load signed but outdated drivers... rendering [detection tools] useless."
– Joe Halatic (05:26)
4. Impact on Legacy Infrastructure
- Human Factor: The Point of Entry
- The initial compromise is almost always social engineering targeting the help desk for password resets or MFA bypasses.
- This enables attackers to obtain the "golden SAML backdoor," bypassing security controls.
- Quote:
"They will pose as an employee, call the IT help desk, try to get their account... reset or their MFA disabled so that they can just get access."
– Joe Halatic (06:33)
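The "Detection Is Challenging" point above and the help-desk reset chain in this section together describe a behavioral signal rather than a malware signature: a help-desk MFA or password reset followed, inside the 48-minute breakout window the episode cites, by a login from a device the account has never used and a privilege change. The following Python is an added illustration written for this summary, not code from the episode or from Rubrik; the audit events, field names and thresholds are constructed assumptions, not any vendor's log format.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample identity-provider audit events (illustrative, not real logs).
# "alice": help-desk MFA reset, then a login from an unrecognised device and a
# role grant within the hour. "bob": help-desk MFA reset, then a login the next
# day from a known device, the benign pattern a genuine reset usually produces.
SAMPLE_EVENTS = [
    {"ts": "2025-09-01T09:00:00", "user": "alice", "event": "mfa_reset", "actor": "helpdesk01", "device": "n/a"},
    {"ts": "2025-09-01T09:12:00", "user": "alice", "event": "login", "actor": "alice", "device": "new"},
    {"ts": "2025-09-01T09:30:00", "user": "alice", "event": "role_grant", "actor": "alice", "device": "new"},
    {"ts": "2025-09-01T11:00:00", "user": "bob", "event": "mfa_reset", "actor": "helpdesk02", "device": "n/a"},
    {"ts": "2025-09-02T08:00:00", "user": "bob", "event": "login", "actor": "bob", "device": "known"},
]

RESET_EVENTS = {"mfa_reset", "password_reset"}   # help-desk actions worth watching
PRIV_EVENTS = {"role_grant", "group_add", "admin_login"}  # post-reset escalation


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def find_suspicious_resets(events, window_minutes=48):
    """Return one alert per help-desk reset that is followed, inside the window,
    by a login from a new device and/or a privilege change on the same account.
    Each alert lists which indicators fired so an analyst can triage by severity."""
    window = timedelta(minutes=window_minutes)
    by_user = defaultdict(list)
    for e in sorted(events, key=_ts):
        by_user[e["user"]].append(e)

    alerts = []
    for user, evs in by_user.items():
        for i, reset in enumerate(evs):
            if reset["event"] not in RESET_EVENTS:
                continue
            t0 = _ts(reset)
            # Only events after the reset and inside the breakout window count.
            later = [x for x in evs[i + 1:] if _ts(x) - t0 <= window]
            indicators = []
            if any(x["event"] == "login" and x["device"] == "new" for x in later):
                indicators.append("new_device_login")
            if any(x["event"] in PRIV_EVENTS for x in later):
                indicators.append("privilege_change")
            if indicators:
                alerts.append({"user": user, "reset_by": reset["actor"],
                               "reset_at": reset["ts"], "indicators": indicators})
    return alerts
```

Only alice's reset is flagged; bob's reset is the normal case and produces no alert, which is the false-positive control a help-desk-focused rule needs.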
- Why Legacy Backups Are at Risk
- Older backup systems often lack modern security features (e.g., immutability, quorum authentication, retention lock).
- Attackers can paralyze organizations by encrypting hypervisors and virtual machine clusters, including backup systems—potentially leaving no path to recovery.
- Quote:
"There are some people still using backup software and methodologies that are decades old and they haven't modernized, which are very easy to exploit as a result."
– Joe Halatic (07:20)
5. The Need for Cyber Resilience
- Attack Speed Is Accelerating
- CrowdStrike reports breakout time (lateral movement after initial compromise) has dropped to as little as 48 minutes.
- Quote:
"The fact that that can all take place within 48 minutes is pretty scary."
– Joe Halatic (08:46)
- Beyond Cybersecurity: Embracing Resilience
- Cyber resilience focuses on preparation and recovery—not just prevention—integrating risk management, business continuity, disaster recovery, and incident response.
- The assumption should be that a breach will occur; the goal is to minimize impact and recover quickly without reintroducing threats.
- Tactical Recovery Considerations
- Recovery isn't just about speed (RTO, or Recovery Time Objective) but about scoping, identifying clean restore points, restoring massive datasets, and verifying operational integrity before returning to service.
- Quote:
"It's not just detect and respond, but also recovery...so you have a whole timeline from detection all the way to full business continuity."
– Joe Halatic (10:55)
Notable Quotes & Memorable Moments
- On Social Engineering:
"You're going to hear me talk about things like living off the land...what is novel is the way they're employing the techniques that they are."
– Joe Halatic (04:16)
- On Modernization and Recovery:
"Resilience to us is that, well, let's reintroduce a new framework of not just detect and respond, but also recovery and include those two metrics in the overall framework."
– Joe Halatic (10:52)
Timestamps for Important Segments
- Scattered Spider’s Motivation & Business Model: 01:35 – 03:58
- Identity-Based Attack Techniques: 03:58 – 06:20
- Human Element & Legacy System Vulnerabilities: 06:20 – 08:28
- Modernizing for Resilience and Recovery: 08:28 – 11:43
Additional Resources
- For more insights and resources:
“Zero Labs, rubrik.com—that’s where we post all of our blogs, white papers… shifting from an annual report now to a quarterly one.”
– Joe Halatic (11:43)
Summary prepared for listeners seeking a thorough yet accessible overview of cutting-edge ransomware threats and actionable resilience strategies.
