RansomHub Brings Scattered Spider Into Its RaaS Nest

The threat group behind breaches at Caesars and MGM moves its business over to a different ransomware-as-a-service operation.

Spiders in a web
Source: Papilio via Alamy Stock Photo

Last spring's spectacular implosion of mainstay ransomware-as-a-service (RaaS) operation BlackCat/AlphV left its affiliates burned — gamed out of millions they were owed for past scams and left without infrastructure to support their future cybercrime aspirations. What ensued was a recruiting war for the best affiliates into the RaaS groups left standing.

The RansomHub RaaS group appears to have scored a major victory by attracting the Scattered Spider threat group into its affiliate ranks, according to new research from GuidePoint Security. A detailed analysis reveals that Scattered Spider, a notoriously aggressive threat group behind the 2023 ransomware attacks on Caesars Entertainment and MGM Resorts, has been carrying out ransomware attacks using RansomHub starting earlier this year.

RansomHub RaaS Recruiting Campaign

The timing jibes with ads posted on the Dark Web by RansomHub promising prospective affiliates juicy 90/10 ransom splits with the group, as well as the promise to allow the cybercriminals to get paid first and payout the group later, to avoid "exit scams" like the one BlackCat pulled last March, according to Jason Baker, senior threat consultant with GuidePoint Security.

"Scattered Spider affiliates may also have been attracted to RansomHub based on the movement of peers or positive word-of-mouth," Baker tells Dark Reading.

Since those ads began, RansomHub has seen remarkable growth, Baker adds.

"RansomHub began claiming victims publicly on its data leak site in February, and has since posted over 75 victims in an alarmingly quick rise to prominence amid its peers, who generally operate at a slower pace in early months of operations," he says. As the group continues to attract talented cybercriminals who can earn a dishonest buck with RansomHub, the RaaS outfit is likely to continue to expand its operation, Baker predicts.

"If RansomHub operations are enjoying some level of success in revenue generation, and/or if other sophisticated affiliates have begun working with RansomHub, it could make the group a more attractive destination amidst other options," Baker says.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like


More Insights