Casino cybercrime gang has already attacked over 100 companies, experts claim


The cybercrime gang reportedly behind recent cyberattacks against several Las Vegas casinos has been extremely active in its brief, two-year lifespan, a new report has claimed.

The findings from Mandiant on the group known as Scattered Spider state that it may have successfully compromised approximately 100 companies, and that its targets have included employees of Okta, a popular employee identity solutions provider.

The threat actors usually rely on SMS phishing and phone-based social engineering, so at its core this is a scam organization. By tricking people into handing over login credentials for various company services, the group works its way onto endpoints, where it carries out all kinds of malicious activity, from stealing sensitive data to, more recently, deploying ransomware.

Moving to ransomware

This move into ransomware began in mid-2023, the researchers argue, claiming that is when the group’s “expansion in its monetization strategies” began. 

“These changes in their end goals signal that the industries targeted by UNC3944 will continue to expand," the analysis says. Mandiant tracks Scattered Spider as UNC3944. "Mandiant has already directly observed their targeting broaden beyond telecommunication and business process outsourcer (BPO) companies to a wide range of industries including hospitality, retail, media and entertainment, and financial services."

For phishing, the group has used three kits: Eightbait (between late 2021 and mid-2022) and, more recently, two unnamed kits that were mostly used in parallel.

For ransomware, the group appears to have settled on BlackCat, also known as ALPHV, a well-known ransomware-as-a-service (RaaS) operation whose payload has been used in numerous high-profile ransomware attacks.

"ALPHV operates as a RaaS and we have observed UNC3944 deploy this ransomware," Mandiant's threat intel team told The Register. "In these partnerships, the operators of the ransomware will typically provide builds to its affiliates to distribute along with other related support services such as infrastructure that allows easy management of victims and extortion support (e.g. DDoS)."


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
