Scattered Spider: the Evolution of Identity-Based Ransomware

Identity-based ransomware is no longer a fringe tactic; it’s becoming the playbook of today’s most dangerous adversaries. Scattered Spider, a financially motivated e-crime group, has shifted the model from smash-and-grab encryption to a far more devastating combination of double extortion, social engineering, and hypervisor encryption attacks.

In this episode of Data Security Decoded, host Caleb Tolin welcomes back Joe Hladik, Head of Rubrik Zero Labs, to unpack how Scattered Spider is evolving the ransomware playbook. From double extortion and identity compromise to hypervisor encryption and legacy system exploitation, Joe explains why these tactics succeed where traditional defenses fail and why building cyber resilience, not just detection and response, is the critical next step for security leaders.

What You’ll Learn:

• How Scattered Spider leverages ransomware-as-a-service and double extortion to maximize payouts
• Why identity compromise and social engineering make traditional defenses ineffective
• How “living off the land” techniques and vulnerable drivers bypass signature-based tools
• Why legacy infrastructure and outdated backup systems are prime targets for exploitation
• What cyber resilience really means and how to build recovery into your security posture

Episode Highlights:

[00:30] Joe on Scattered Spider’s financial motivations and shift to double extortion 

[06:53] Why identity compromise and social engineering bypass traditional defenses 

[08:49] Disabling EDR with “living off the land” techniques and vulnerable drivers 

[13:06] Hypervisor encryption: how attackers can take entire backup systems offline 

[16:21] Cyber resilience as the future: assuming breach and restoring trusted systems

Episode Resources:

• Caleb Tolin on LinkedIn
• Joe Hladik on LinkedIn