AXIS Cyber Risk Advisory INCYTE Newsletter
Threat Advisory
Retail Under Siege: Scattered Spider and DragonForce Expand Cyber Threats
Cybercriminal collaboration is intensifying, with Scattered Spider and DragonForce ransomware targeting major UK retailers—including Marks & Spencer, Co-op, and Harrods. Scattered Spider, known for high-profile breaches such as Caesars Entertainment and MGM Resorts in 2023, has a history of aggressively exploiting sectors for financial gain. The group uses social engineering techniques, including phishing, SIM swapping, and MFA bombing, to gain initial access to target organizations.
Luna Moth: Sophisticated Social Engineering Targets Legal, Financial and Accounting Firms
Cybercriminals are ramping up social engineering attacks, putting law firms, accounting firms, and financial services at heightened risk. Luna Moth (also known as Silent Ransom Group or Storm-0252) has escalated its operations since March 2025, impersonating IT support via email, fraudulent websites, and phone calls to infiltrate organizations.
How the Attack Unfolds: Scattered Spider and DragonForce
Once inside, Scattered Spider steals the NTDS.dit file (the Active Directory database) from Windows domain controllers, obtaining privileged credentials that let it move laterally across the network and reach high-value assets. The final phase is payload deployment, in which DragonForce ransomware encrypts critical systems, disrupting operations and demanding ransom payments.
Collaboration with DragonForce
The DragonForce ransomware operation, which has claimed responsibility for recent UK retail attacks, offers a Ransomware-as-a-Service (RaaS) model, providing white-label services to cybercriminal groups. This collaboration expands the reach and impact of Scattered Spider, allowing more adversaries to deploy ransomware attacks with ease.
How the Attack Unfolds: Luna Moth
Luna Moth exploits trust through social engineering, convincing employees to unwittingly grant access. Once inside a network, the attackers deploy remote monitoring and management (RMM) tools and exfiltrate valuable data. By leveraging legitimate data transfer tools, they bypass conventional security controls, maximizing their success rate. Finally, Luna Moth threatens to leak the stolen data unless its ransom demands, ranging from $1 million to $8 million USD, are met.
How Companies Can Strengthen Defenses: Scattered Spider and DragonForce
- Ensure MFA is implemented across all systems to prevent unauthorized access
- Use security tools to detect risky logins flagged in Microsoft Entra ID Protection
- Regularly review Domain, Enterprise, and Cloud Admin accounts to verify legitimate access
- Strengthen identity validation before resetting passwords to prevent social engineering exploits
- Enable security teams to flag logins from residential VPNs and other suspicious locations
How Companies Can Strengthen Defenses: Luna Moth
- Implement advanced filtering to detect and block phishing attempts
- Educate staff on recognizing and reporting suspicious emails, websites, and phone calls
- Confirm all IT support requests through official channels before taking any action, and strengthen the authentication required to validate such requests
- Regularly audit devices for unauthorized RMM tool installations, and restrict execution of remote access software that is not used within your environment
- Enforce Multi-Factor Authentication (MFA) for extra layers of security to prevent unauthorized access
- Monitor new domain registrations that resemble your organization's name, so that impersonation sites can be detected early
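The RMM audit recommended above, as an added example that is not from the advisory: a Python script that scans an exported software inventory for known remote-access products and reports any that are not on the organization's approved list. The product catalogue, host names and inventory entries are constructed for illustration and should be replaced with your own export and sanctioned tools.

```python
"""Flag remote-access (RMM) software that is not on the organisation's
approved list, working from an exported software inventory."""
import re
from dataclasses import dataclass

# Catalogue of well-known remote-access products. Assumption: this list is
# illustrative only; extend it with whatever tools matter in your estate.
RMM_PATTERNS = {
    "AnyDesk": r"anydesk",
    "TeamViewer": r"teamviewer",
    "ScreenConnect": r"screenconnect|connectwise control",
    "Atera": r"\batera\b",
    "Splashtop": r"splashtop",
    "NinjaOne": r"ninjaone|ninjarmm",
    "RustDesk": r"rustdesk",
    "Zoho Assist": r"zoho assist",
    "LogMeIn": r"logmein",
}

@dataclass
class Finding:
    host: str
    product: str       # canonical RMM name from the catalogue
    installed_as: str  # display name as it appears in the inventory

def audit_inventory(inventory, approved):
    """inventory: list of (host, display_name) pairs, e.g. from an EDR or
    software-management export. approved: set of canonical RMM names that
    are sanctioned for this environment. Returns one Finding per host and
    unsanctioned remote-access product."""
    findings = []
    for host, display in inventory:
        for product, pattern in RMM_PATTERNS.items():
            if re.search(pattern, display, re.IGNORECASE) and product not in approved:
                findings.append(Finding(host, product, display))
    return findings

# Constructed sample inventory (not real data).
SAMPLE_INVENTORY = [
    ("WS-0142", "Microsoft Office 365"),
    ("WS-0142", "AnyDesk 8.0.6"),
    ("WS-0207", "TeamViewer 15"),
    ("DC-01", "ConnectWise Control Client (abc123)"),
    ("WS-0311", "Google Chrome"),
]
APPROVED_RMM = {"TeamViewer"}  # assumption: the only sanctioned tool here

if __name__ == "__main__":
    for f in audit_inventory(SAMPLE_INVENTORY, APPROVED_RMM):
        print(f"{f.host}: unapproved {f.product} ({f.installed_as})")
```

Hosts that appear in the findings are candidates for removal of the tool and for an execution restriction (for example an application allow-list rule) so the software cannot be reinstalled.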
To learn more about the services available from AXIS Cyber Risk Advisory, please contact CyberRM@axiscapital.com
This material is provided for informational purposes only and is not an offer to sell, or a solicitation to buy, any particular insurance product or service for a particular insured. It is intended for licensed insurance professionals. The services and service provider discussed in this document are suggested as risk mitigation and incident response resources. Use of AXIS Incident Commander does not constitute advice of any kind, and use of any service provider does not guarantee the performance or quality of the services provided, including the avoidance of loss, the fulfilment of any obligations under any contract or compliance with any law, rule or regulation. AXIS is not responsible for the effectiveness of a cyber risk management program and encourages each policyholder, together with advice from their professional insurance advisor, to perform its own independent evaluation of any service provider as part of its overall risk management strategy.