Executive Summary
In early 2025, the DragonForce ransomware group expanded its global campaign by collaborating with Scattered Spider, an English-speaking threat actor notorious for advanced social engineering and initial access techniques. This partnership allowed DragonForce to leverage Scattered Spider’s skills in phishing, credential harvesting, and network penetration to facilitate rapid, multi-stage compromises of major corporate networks across various sectors. Attackers gained initial access using phishing and social engineering against IT and security staff, followed by lateral movement and deployment of ransomware to encrypt critical data. The attacks resulted in significant operational disruption, data loss, and extortion demands for affected organizations.
This incident exemplifies a growing threat trend: ransomware operators teaming up with specialized access brokers to accelerate intrusion success and maximize impact. Organizations now face highly coordinated, multi-vector attacks that challenge traditional defenses, driving urgency around zero trust architectures and improved lateral security controls.
Why This Matters Now
This incident underscores the escalating sophistication of ransomware ecosystems, where collaboration between threat actors amplifies attack effectiveness. Organizations must urgently adapt their defenses as attackers combine expertise in social engineering, initial access, and ransomware deployment to bypass standard security controls and inflict severe business disruption.
Attack Path Analysis
The DragonForce ransomware operation, allied with Scattered Spider, likely began with sophisticated social engineering targeting cloud credentials to gain initial access. Attackers escalated their privileges by abusing legitimate accounts or manipulating cloud IAM. Once inside, they moved laterally across multi-cloud and hybrid environments, exploiting weak segmentation to access sensitive workloads. They established covert command and control channels, maintaining persistence while avoiding detection. Sensitive data was exfiltrated over encrypted channels or via egress routes before deploying ransomware to disrupt, encrypt, or destroy cloud assets and backups.
Kill Chain Progression
Initial Compromise
Description
The adversaries used advanced social engineering and potentially phishing to obtain valid cloud credentials or session tokens, exploiting exposed interfaces or misconfigurations to access cloud systems.
Related CVEs
CVE-2021-44228
CVSS 10
A remote code execution vulnerability in Apache Log4j2 allows unauthenticated attackers to execute arbitrary code.
Affected Products:
Apache Log4j2 – 2.0-beta9 to 2.14.1
Exploit Status:
exploited in the wild
CVE-2023-46805
CVSS 9.8
An authentication bypass vulnerability in Ivanti Connect Secure and Policy Secure allows remote attackers to access restricted resources.
Affected Products:
Ivanti Connect Secure – 9.x
Ivanti Policy Secure – 9.x
Exploit Status:
exploited in the wild
CVE-2024-21887
CVSS 9.8
A command injection vulnerability in Ivanti Connect Secure and Policy Secure allows remote attackers to execute arbitrary commands.
Affected Products:
Ivanti Connect Secure – 9.x
Ivanti Policy Secure – 9.x
Exploit Status:
exploited in the wild
CVE-2024-21893
CVSS 9.1
A path traversal vulnerability in Ivanti Connect Secure and Policy Secure allows remote attackers to access restricted files.
Affected Products:
Ivanti Connect Secure – 9.x
Ivanti Policy Secure – 9.x
Exploit Status:
exploited in the wild
CVE-2024-57726
CVSS 9.9
A privilege escalation vulnerability in SimpleHelp allows authenticated attackers to gain elevated permissions.
Affected Products:
SimpleHelp – < 5.2.0
Exploit Status:
exploited in the wild
CVE-2024-57727
CVSS 7.5
Multiple path traversal vulnerabilities in SimpleHelp allow remote attackers to access restricted files.
Affected Products:
SimpleHelp – < 5.2.0
Exploit Status:
exploited in the wild
CVE-2024-57728
CVSS 7.2
An arbitrary file upload vulnerability in SimpleHelp allows remote attackers to upload malicious files.
Affected Products:
SimpleHelp – < 5.2.0
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Phishing: Spearphishing Attachment
Valid Accounts
Gather Victim Identity Information
Data Encrypted for Impact
Remote Services: Remote Desktop Protocol
Impair Defenses: Disable or Modify Tools
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Strong Authentication for Access
Control ID: 8.3.1
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management
Control ID: Article 8
CISA ZTMM 2.0 – Robust Verification of Identities
Control ID: Identity Pillar: Identity Verification
NIS2 Directive – Incident Handling Procedures
Control ID: Article 21(2)(d)
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Financial Services
DragonForce ransomware with Scattered Spider's advanced social engineering threatens financial institutions through encrypted traffic vulnerabilities and east-west lateral movement attacks.
Health Care / Life Sciences
Healthcare organizations face critical risk from multi-stage ransomware intrusions that exploit unencrypted traffic and the absence of zero trust segmentation around patient data.
Information Technology/IT
The IT sector is highly vulnerable to DragonForce operations that target cloud infrastructure through Kubernetes security gaps and multi-cloud visibility weaknesses in hybrid environments.
Telecommunications
Telecom networks are at severe risk from coordinated ransomware attacks that exploit encrypted-traffic vulnerabilities, and they require enhanced egress security policy enforcement.
Sources
- Deep dive into DragonForce ransomware and its Scattered Spider connection – https://www.bleepingcomputer.com/news/security/deep-dive-into-dragonforce-ransomware-and-its-scattered-spider-connection/ (Verified)
- DragonForce actors target SimpleHelp vulnerabilities to attack MSP, customers – https://www.sophos.com/en-us/blog/dragonforce-actors-target-simplehelp-vulnerabilities-to-attack-msp-customers (Verified)
- CISA and Partners Release Updated Advisory on Scattered Spider Group – https://www.cisa.gov/news-events/alerts/2025/07/29/cisa-and-partners-release-updated-advisory-scattered-spider-group (Verified)
Cloud Native Security Fabric (CNSF) Mitigations and Controls
Zero Trust segmentation, microsegmentation, egress policy enforcement, and threat detection could have restricted attacker movement, limited privilege escalation, detected abnormal activity, and blocked data theft and ransomware deployment. Encrypted and segmented east-west traffic with multi-cloud visibility would have constrained lateral movement and enabled faster incident response.
Control: Multicloud Visibility & Control
Mitigation: Anomalous logins from unexpected locations or resources would be rapidly detected.
Control: Zero Trust Segmentation
Mitigation: Privileged access is tightly restricted to least privilege with dynamic policies.
Control: East-West Traffic Security
Mitigation: Lateral attacker movement is significantly limited by microsegmentation and policy controls.
Control: Threat Detection & Anomaly Response
Mitigation: Abnormal traffic patterns, including covert remote access, are quickly detected and alerted.
Control: Egress Security & Policy Enforcement
Mitigation: Data exfiltration attempts are blocked or logged based on adaptive egress filtering and FQDN controls.
Malicious activity targeting destruction or encryption of assets can be limited or identified in real-time.
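The "Multicloud Visibility & Control" mitigation above rests on a concrete detection step: baseline where each principal normally signs in from, then alert when a valid account is used from an origin it has never used or without MFA (the "Valid Accounts" technique listed earlier). The following Python is an added illustration and is not code from this page or from any vendor product; the JSON sign-in record format, its field names (user, src_country, asn, mfa, ts) and all sample events are constructed for the example.

```python
"""Baseline-and-deviation check for cloud sign-in events.

Added example, not page or vendor code. The sign-in record schema below is a
constructed simplification, not any real provider's log format.
"""
import json
from collections import defaultdict

# Constructed baseline window: sign-ins treated as known-good for each principal.
BASELINE_LOGS = [
    '{"user": "it-admin@corp.example", "src_country": "US", "asn": 7922, "mfa": true, "ts": "2025-03-01T09:02:11Z"}',
    '{"user": "it-admin@corp.example", "src_country": "US", "asn": 7922, "mfa": true, "ts": "2025-03-02T08:55:40Z"}',
    '{"user": "dba@corp.example",      "src_country": "US", "asn": 7018, "mfa": true, "ts": "2025-03-02T10:12:03Z"}',
]

# Constructed events to evaluate against that baseline.
NEW_LOGS = [
    # Same admin account, but a new country/ASN and a session that skipped MFA.
    '{"user": "it-admin@corp.example", "src_country": "NL", "asn": 60781, "mfa": false, "ts": "2025-03-03T02:14:27Z"}',
    # Routine activity that matches the baseline.
    '{"user": "dba@corp.example",      "src_country": "US", "asn": 7018,  "mfa": true,  "ts": "2025-03-03T09:40:00Z"}',
    # A principal with no baseline at all (e.g. a newly created identity).
    '{"user": "svc-sync@corp.example", "src_country": "US", "asn": 7018,  "mfa": true,  "ts": "2025-03-03T11:05:00Z"}',
]


def build_baseline(lines):
    """Map each principal to the set of (country, asn) origins seen in the baseline window."""
    seen = defaultdict(set)
    for line in lines:
        ev = json.loads(line)
        seen[ev["user"]].add((ev["src_country"], ev["asn"]))
    return dict(seen)


def detect_anomalies(baseline, lines):
    """Return (user, ts, reasons) for each sign-in that deviates from the baseline."""
    findings = []
    for line in lines:
        ev = json.loads(line)
        reasons = []
        origin = (ev["src_country"], ev["asn"])
        if ev["user"] not in baseline:
            reasons.append("principal has no baseline")
        elif origin not in baseline[ev["user"]]:
            reasons.append("new origin %s/AS%d" % origin)
        if not ev.get("mfa", False):
            reasons.append("no MFA")
        if reasons:
            findings.append((ev["user"], ev["ts"], reasons))
    return findings


if __name__ == "__main__":
    base = build_baseline(BASELINE_LOGS)
    for user, ts, reasons in detect_anomalies(base, NEW_LOGS):
        print(f"ALERT {ts} {user}: {', '.join(reasons)}")
```

The baseline is deliberately keyed on (country, ASN) rather than on exact IP addresses so that normal ISP address churn does not generate noise; a production version would also age out stale origins and feed findings into the egress and segmentation controls listed above so that a flagged session's reach is constrained while it is investigated.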
Impact at a Glance
Affected Business Functions
- Customer Support
- Data Management
- IT Operations
Estimated downtime: 5 days
Estimated loss: $5,000,000
Potential exposure of sensitive customer data, including personal identifiable information (PII) and financial records.
Recommended Actions
Key Takeaways & Next Steps
- Expand zero trust and microsegmentation to isolate critical cloud workloads and block unauthorized lateral movement.
- Implement comprehensive cloud egress controls and FQDN-based filtering to stop data exfiltration and command/control channels.
- Deploy anomaly detection and real-time threat intelligence to identify and alert on suspicious access and traffic patterns.
- Enforce least-privilege identity and access policies using dynamic, identity-based segmentation across multi-cloud environments.
- Integrate centralized multi-cloud visibility and policy enforcement to rapidly detect and respond to incident progression.
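The second takeaway (FQDN-based egress filtering against exfiltration and command-and-control channels) and the "Egress Security & Policy Enforcement" control earlier both describe a per-workload allow-list evaluated against outbound flows. The Python below is an added example, not code from this page or from any vendor's policy engine; the policy format, workload labels, destination names and flow records are all constructed, and the large-transfer threshold is an arbitrary assumption.

```python
"""Per-workload egress allow-list evaluation over outbound flow records.

Added example, not page or vendor code. Policy syntax, workload names,
destinations and flow records are constructed for illustration.
"""
from fnmatch import fnmatch

# Constructed allow-list: workload label -> FQDN patterns it may reach.
# Anything not matched is denied (default-deny egress).
EGRESS_POLICY = {
    "payments-api": ["*.payments.corp.example", "api.payments-partner.example"],
    "backup-agent": ["backup.corp.example", "*.objectstore.example"],
}

# Constructed flow records: (workload, resolved FQDN or "-", dst IP, bytes out).
FLOWS = [
    ("payments-api", "db.payments.corp.example", "10.20.1.5",    4_096),
    ("payments-api", "files.dropzone.example",   "203.0.113.9",  850_000_000),  # large push to an unlisted name
    ("backup-agent", "-",                        "198.51.100.77", 12_000),      # direct-to-IP, no DNS resolution
    ("backup-agent", "eu.objectstore.example",   "192.0.2.44",   2_000_000),
]

# Assumed threshold above which a denied flow is additionally tagged as a large transfer.
LARGE_TRANSFER_BYTES = 100_000_000


def evaluate(policy, flows, large=LARGE_TRANSFER_BYTES):
    """Return one ('allow' | 'deny', reason) verdict per flow, in input order."""
    verdicts = []
    for workload, fqdn, ip, bytes_out in flows:
        allowed = policy.get(workload, [])
        # Flows with no resolved name cannot be matched against an FQDN policy at all;
        # treating them as denied closes the direct-to-IP bypass of name-based filtering.
        if fqdn == "-":
            verdicts.append(("deny", f"{workload}: direct-to-IP egress to {ip} (no resolved FQDN)"))
            continue
        if not any(fnmatch(fqdn, pattern) for pattern in allowed):
            tag = " [large transfer]" if bytes_out >= large else ""
            verdicts.append(("deny", f"{workload}: {fqdn} not in allow-list{tag}"))
            continue
        verdicts.append(("allow", f"{workload}: {fqdn} matches policy"))
    return verdicts


if __name__ == "__main__":
    for verdict, reason in evaluate(EGRESS_POLICY, FLOWS):
        print(f"{verdict.upper():5} {reason}")
```

Two design points matter for the scenario described on this page. First, a flow with no resolved name is denied rather than ignored, because name-based filtering is only as good as its handling of connections that never went through DNS. Second, wildcard entries for shared multi-tenant services (the `*.objectstore.example` pattern here) allow any tenant under that name, so such entries should be narrowed to the specific buckets or endpoints the workload needs; otherwise the egress path to attacker-controlled storage remains open.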