CyberCube: 2% of Large Firms at Highest Scattered Spider Risk

CyberCube's Portfolio Threat Actor Intelligence reveals 2% of large firms at top risk from Scattered Spider. See how (re)insurers can mitigate exposure before losses hit.


Scattered Spider is an urgent threat that cyber (re)insurance portfolio managers must account for when assessing and future-proofing their exposure to cyber loss. The group is known for being a versatile extortion crew that frequently partners with ransomware‑as‑a‑service operators. Scattered Spider’s ability to target major corporations in the same industry and geography sequentially underscores the potential for significant and correlated attritional losses within cyber insurance portfolios. 

Cyber risk exposure managers can leverage CyberCube's Portfolio Threat Actor Intelligence (PTI) solution to pinpoint organizations in their portfolios most at risk of being targeted by Scattered Spider. 

 

Scattered Spider represents an escalating and immediate threat

The timeline below illustrates how Scattered Spider has evolved from a newly identified social‑engineering crew in 2022 into one of the most aggressive ransomware‑and‑extortion outfits on today’s threat landscape. Across 36 months, 21 major publicly disclosed cyber incidents have been attributed to the group, and 11 of those occurred in the short window between April and early July 2025, spanning retail, insurance and airlines.

The steep rise in activity in 2025 captured in Exhibit 1 highlights that the group’s capability and appetite for disruption are accelerating, demanding immediate attention from cyber exposure managers, underwriters, and security teams.

 

Exhibit 1: Publicly Reported Scattered Spider Attacks by Year (2022–2025 YTD, as of 7/3/2025)

*This chart includes only cyber attacks with strong public attribution to Scattered Spider — meaning multiple credible sources (e.g., victim disclosures, law enforcement, or leading threat intelligence firms) have directly named the group. Other attacks may exhibit similar tactics, techniques, and procedures (TTPs), but are excluded due to a lack of strong public attribution.

Source(s): Information obtained from cyber news outlets: Splunk Blog, The Hacker News, Bleeping Computer, CyberScoop, Ars Technica, WSJ, Forbes, ZDNet, Wired, Tech Radar, The Register, TechCrunch, The Record, Insurance BusinessMag, Reuters

 

After a lull in 2024, when members were reportedly arrested, the gang appears to have regrouped and returned with a surge of high‑impact, cross‑sector attacks.

Since April this year, Scattered Spider has been moving swiftly across industries, leaving financial losses in its wake. The group has expanded campaigns across seemingly unrelated sectors such as casinos, retail, insurance and airlines, using sophisticated social‑engineering tactics such as help‑desk impersonation and authentication bypass to infiltrate high‑value corporate networks. 

Scattered Spider often targets several companies within one industry before moving on. As Exhibit 1 shows, we see (in order): four technology companies attacked in 2022; two hospitality companies in 2023; and — so far this year (through 7/2/2025) — four retail, four insurance, and three aviation firms. This clustered attack pattern allows the group to reuse successful tactics, extract value quickly, and shift targets before detection efforts catch up. 

Scattered Spider’s attacks, ranging from data theft and extortion to ransomware and prolonged operational downtime, have inflicted financial losses on victims totaling tens to hundreds of millions of dollars. Most notably, in 2023, Caesars reportedly paid a $15 million ransom, and MGM absorbed approximately $100 million in losses. More recently, in May 2025, UK retailers Marks & Spencer and Co‑op faced combined damages estimated at up to $592 million.

 

Proactive exposure management: CyberCube’s Portfolio Threat Actor Intelligence 

Unlike natural catastrophe markets that benefit from visible, trackable hazards like hurricanes or wildfires, cyber rarely offers forewarning. However, in this instance, there is a known threat actor that appears to be actively targeting a predictable set of vulnerabilities, providing insurers with a rare early-warning window to act before losses occur. CyberCube’s analysis reveals both a current cluster of elevated risk in the market and a strategic opportunity for cyber (re)insurers to act preemptively by managing exposure and incentivizing better security before Scattered Spider strikes again.

Portfolio Threat Actor Intelligence (PTI) harnesses the power of Artificial Intelligence (AI) to map the behaviour of cyber threat actors and the technologies they most frequently target. It is included as part of the CyberCube Concierge Threat Intelligence service — a first-of-its-kind offering designed specifically for the unique needs of cyber (re)insurers, built by experts in cyber threat intelligence, risk, and insurance.

CyberCube’s PTI solution has identified 2% of medium and large-sized firms across eight major markets as potential top targets for Scattered Spider. The elevated risk for these companies is driven by reliance on technologies frequently compromised by Scattered Spider and the presence of security lapses that the group is known to exploit. For portfolio managers, our findings reinforce the need to move beyond broad sector assumptions and focus on mapping technological and security posture overlaps across seemingly unrelated sectors and insureds.

All companies identified by CyberCube as high risk should be on heightened alert. Among them are seven aviation firms, including Hawaiian Airlines, which was recently confirmed as one of Scattered Spider’s latest victims.

 

Which companies are most at risk of being targeted by Scattered Spider? 

Using CyberCube’s PTI solution, we analyzed a portfolio of approximately 15,000 companies from key global markets, segmenting them into risk tiers based on their exposure to Scattered Spider — specifically their technology footprint and observed security weaknesses. 

The analysis found that 2% of companies with revenues over $500 million across eight key cyber (re)insurance markets — USA, UK, Canada, Australia, Germany, France, Japan, and Singapore — face the highest likelihood of being targeted by Scattered Spider.

 

Exhibit 2 - Global Enterprise Risk Distribution to Scattered Spider Attacks (June 2025)

The analysis in Exhibit 2 is designed to help cyber insurance portfolio risk managers prioritize insureds for exposure management activities that address active threat campaigns, such as those led by Scattered Spider. While it does not suggest that most firms are safe from targeting, it underscores the importance of prioritization as all medium and large enterprises should be on heightened alert, and resources must be focused where the risk is greatest.

 

Source: CyberCube Portfolio Threat Actor Intelligence, analysis conducted on CyberCube’s Global Industry Exposure Database (IED), USA, UK, Canada, Australia, Germany, France, Japan, and Singapore, ≥$500 million annual revenue, June 2025, n = 14,997

 

High-risk companies (287, or 2%) are those using three or more technologies frequently targeted by Scattered Spider, combined with security lapses the group is known to exploit. Notably, high-risk companies also tolerate security conditions that may allow the threat actor to complete critical steps across the attack lifecycle and ultimately achieve their objectives. Medium-risk companies (1,037, or 7%) use at least one of the group’s preferred technologies and exhibit security weaknesses that could enable only partial progression through the attack lifecycle.

CyberCube’s Single Point of Failure (SPoF) Intelligence solution can be used to detect when a company relies on technologies frequently targeted by Scattered Spider. It shows the group’s preferred identity and access management (IAM) tools (e.g. Okta, Microsoft Active Directory), help desk systems, and remote access technologies. This visibility enables exposure managers to assess hidden concentrations of risk that are not apparent in traditional analyses.

The majority of the portfolio — 91% — is currently classified as “low risk” for Scattered Spider attacks. While these companies are not immune, they are considered less in need of immediate attention by portfolio exposure managers based on current observations of their technology use and security posture. The purpose of this analysis is not to suggest that most companies do not need to worry about Scattered Spider, but rather to demonstrate how CyberCube’s PTI solution can help prioritize the firms most urgently at risk from this specific threat actor.

It is important to note that some technologies and security gaps may not always be visible through external data, and true exposure could shift as Scattered Spider’s targeting evolves and new data becomes available. This underscores the need to continuously monitor the threat landscape and revise the assumptions in this analysis on a regular cadence.

 

Which industries could Scattered Spider target next? 

 

Exhibit 3: Industry Breakdown of High-Risk Companies for Scattered Spider Attacks (June 2025)

Box size corresponds to the proportion of companies in each industry within the portfolio of 287 companies that CyberCube identified as the highest risk of being targeted by Scattered Spider.

Source: CyberCube’s Portfolio Threat Actor Intelligence, analysis conducted on CyberCube’s Global Insurance Exposure Database (IED), USA, UK, Canada, Australia, Germany, France, Japan, and Singapore, ≥$500 million annual revenue, June 2025, n = 287

 

Examining companies at the highest risk for Scattered Spider attacks shows there are high concentrations of companies in the Manufacturing, Education, IT, and Retail sectors (see Exhibit 3). Many of these sectors, especially IT and Retail, have already been publicly targeted by Scattered Spider, reinforcing higher risk designations for companies in these industries. 

Scattered Spider zeroes in on companies that use widely adopted identity‑and‑access‑management systems, remote‑access software, and IT help‑desk platforms, especially when those tools are weakly or inconsistently configured. The group prefers organizations with large workforces that rely on a central IT help desk and whose operations cannot tolerate downtime, leaving them vulnerable to disruption and extortion.

 

How CyberCube can help

CyberCube helps (re)insurers understand their exposure through the lens of current threat actor behavior. The ability to segment companies into risk tiers using CyberCube’s PTI solution allows portfolio exposure managers to proactively prioritize engagement with the riskiest insureds to encourage improved cybersecurity controls, adjust pricing, and reduce exposure.

Scattered Spider and similar threat actors are here to stay. But with the right analytics tools and proactive threat intelligence, (re)insurers can take decisive steps to strengthen portfolio resilience, protect clients, and reduce the risk of losses.

If you’re a carrier or reinsurer looking to understand your exposure or a broker seeking to protect your clients, CyberCube is here to help.

 


 

 
