NCC: How RaaS team-ups help Scattered Spider enhance its attacks

The notorious Scattered Spider hacking collective behind cyber attacks on Marks & Spencer and others is likely leaning on the expertise of other cyber criminals to enhance the severity of its attacks and the volume of its victims, according to NCC Group’s Threat pulse report for August 2025.
The gang’s attacks this year appear to herald a threat landscape in which collaboration is increasingly the watchword among cyber criminals.
“Scattered Spider is accumulating headlines from its attacks and signature, sophisticated social engineering techniques,” said Matt Hull, NCC head of threat intelligence.
“But its collaboration with ransomware-as-a-service (RaaS) operators is key in its disruption of global giants. The ransomware landscape operates in a ruthless, business-like structure, which needs to be considered when defences are being implemented.”
RaaS is the chief method used by the ragtag hacking collective to elevate the sophistication of its attacks so far in 2025, said NCC.
By leaning on the expertise of others to deliver the more technical aspects of its attacks, Scattered Spider frees its own people – many of them thought to be ordinary teenagers sucked into cyber crime thanks to lax supervision and the influence of online forums – to focus on their core social engineering activities.
This combination makes Scattered Spider – already an infamous name in cyber circles thanks to a pattern of attacks dating back years – a far more dangerous threat, as it can cause deeper disruption to its victims. It also makes attribution – which defenders rely on for context and defensive operations – significantly harder.
Tactics, techniques and procedures
Historically, Scattered Spider has been seen working with multiple RaaS groups, including the likes of ALPHV, RansomHub, DragonForce and Qilin – Qilin alone accounted for 53 observed attacks in August. In this way, it is able to take advantage of each of these gangs’ various preferred tactics, techniques and procedures (TTPs) to target more organisations.
In selecting its RaaS partners, Scattered Spider also appears to have an eye for a bargain – each of the groups it is known to have worked with offers an affiliate-friendly commission structure, and Scattered Spider may even be able to play this to its advantage to receive even more favourable terms.
Not only that, but by spreading the risk across multiple operations, the group can also better sustain its activity should the police knock the front door in.
NCC’s analysts added that the growing body of evidence suggesting links between Scattered Spider, ShinyHunters and Lapsus$ emphasises an even deeper threat posed by Scattered Spider.
“Scattered Spider are not fixed to a type of threat group when choosing those with whom they want to collaborate,” wrote the report’s authors.
“They go beyond ransomware to encompass cyber crime more broadly, likely to maximise attack success and opportunities for profit. Hence, we should anticipate that Scattered Spider will seek to collaborate with a broad group of threat actors and should not limit their capabilities to the world of ransomware.”
NCC said the authorities must adapt to this new dynamic if they are to see continued success in taking down cyber criminals.
Attack volumes stagnate, but threat is as real as ever
Amid all of this, the total number of observed ransomware attacks actually declined by more than a tenth last month, with just 328 incidents observed by NCC, making August 2025 the fifth consecutive period in which fewer than 500 incidents took place.
However, NCC said there was more than meets the eye to this apparent stagnation – a bulk release of Cl0p victims in February and March of 2025 skewed the data somewhat, and overall not much has changed year-on-year.
“There’s more than meets the eye to attack levels plateauing in recent months,” said Hull, highlighting how the overall threat remains as real as it ever did.
“Spikes earlier in the year have dwarfed today’s numbers, but the volume is far from low,” he said. “Despite how the graphs look at first glance, criminal partnerships signify why cyber resilience must be a first port of call for businesses and governments.”
Besides Qilin, the most active gangs in August were Akira, Safepay, DragonForce and Play, with industrials, consumer discretionary and IT the most targeted sectors.
As usual, the report reveals that most attacks occur in North America – 57% of the total for August – with Europe, including the UK, accounting for 24%.