July 30, 2025

Reducing Legal Risks From Ransomware Attacks: Lessons from Scattered Spider


Leading businesses continue to suffer cyber attacks at the hands of sophisticated ransomware groups. For example, the threat group “Scattered Spider” (also known as UNC3944, Octo Tempest, 0ktapus) is once again making headlines after a wave of attacks on retailers, insurers, and airlines, and the FBI and CISA have issued multiple recent warnings about Scattered Spider and other active ransomware groups. Any ransomware attack can inflict substantial harms on businesses (in the form of business disruption, reputational harm, and legal consequences). But Scattered Spider’s tactics highlight the importance of five key steps to mitigating legal risk from a ransomware incident:

  • Reinforce multi-factor authentication (MFA) solutions to resist social engineering and provide tailored training to IT help desk employees;
  • Design and enforce data retention policies to remove legacy data from the company’s environment when it is no longer needed;
  • Anticipate the arrest and prosecution of the threat actor;
  • Preposition key external vendors; and
  • Confirm escalation paths to senior leadership during incident response.

In this Legal Update, we summarize the importance of each of these steps and advise on what to look for in implementing them.

Reinforce Multi-Factor Authentication Against Social Engineering

The first line of defense for your company’s network is its access-control mechanism. The stronger that control (including the resilience provided by strong MFA and resistance to social engineering), the better the chances of defeating, or minimizing, an intrusion.

Unfortunately, Scattered Spider has proven especially adept at tricking IT help desk employees (or insiders at critical MFA partners, such as mobile phone providers), because its conspirators include native speakers whose social engineering unfolds in several sophisticated steps. According to the FBI and CISA, the first step is learning what’s required by a target’s help desk protocol to conduct password resets. Subsequent phone calls are designed to gather that information for a particular, targeted employee. Finally, the actors call to convince IT help desk personnel to reset those specific passwords or to transfer MFA tokens. These social engineering attempts are enriched by research of social media, open-source information, commercial intelligence tools, and information exposed in other leaks.

According to public reporting, Scattered Spider actors have also:

  • Posed as IT help desk staff using phone calls or text messages to obtain credentials from employees (including a one-time password or an MFA authentication code), or directed those employees to run commercial remote access tools (enabling initial access);
  • Convinced IT help desk staff to transfer an employee’s MFA to a device they control;
  • Sent repeated MFA notification prompts, leading employees simply to “accept” or allow access out of fatigue; and
  • Convinced cellular carriers to transfer control of a targeted user’s phone number to a SIM card in their possession, gaining control over the phone and access to subsequent MFA prompts.

Based on these experiences, several mitigations may prove fruitful:

  • Provide tailored training to the IT help desk team. Those teams may be trained to focus on resolving tickets and getting users back online, without regard to the risk that any given request is fraudulent. Recalibrating this mindset by educating these team members on the particular risk that they will be targeted in a ransomware attack may help reduce the risk of such an attack succeeding, while still allowing them to perform their critical IT support role.
  • Encourage visibility across the IT help desk to potentially fraudulent requests. Because ransomware actors may make multiple calls to achieve their objective, real-time information sharing (about suspicious requests, for example) across the help desk may help avert a ransomware attack before it goes too far.
  • Evaluate IT help desk personnel’s permissions and consider whether key actions, such as account recovery support (at least for certain privileged users), are sufficiently monitored.
  • Consider whether the MFA solution deployed by the company is vulnerable to, for example, MFA fatigue or compromise through a partner (such as a mobile phone provider).
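As an added example (not part of the original Legal Update), the following Python sketch shows how two of the patterns above, MFA push fatigue and a help-desk MFA reset on a privileged account followed by a login from a new device, could be surfaced from authentication and help-desk logs. The event schema, account names, agent ids and thresholds are assumptions.

```python
# Added example (not from the original article): detection logic for two help-desk MFA
# patterns described above. All events, account names and agent ids are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, event type, user, detail)
EVENTS = [
    ("2025-07-30T09:00:05", "mfa.push", "alice", "denied"),
    ("2025-07-30T09:00:40", "mfa.push", "alice", "timeout"),
    ("2025-07-30T09:01:10", "mfa.push", "alice", "denied"),
    ("2025-07-30T09:01:55", "mfa.push", "alice", "timeout"),
    ("2025-07-30T09:02:30", "mfa.push", "alice", "approved"),  # user gives in
    ("2025-07-30T10:15:00", "mfa.push", "carol", "approved"),  # normal single prompt
    ("2025-07-30T11:05:00", "helpdesk.mfa_reset", "bob", "agent=hd-17"),
    ("2025-07-30T11:20:00", "login", "bob", "new_device"),
    ("2025-07-30T14:00:00", "helpdesk.mfa_reset", "dave", "agent=hd-03"),
]
PRIVILEGED = {"bob"}  # assumed set of privileged accounts (constructed)


def _ts(s):
    return datetime.fromisoformat(s)


def detect_mfa_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Users with >= threshold denied/timed-out pushes inside `window`: a burst of
    unapproved prompts signals push fatigue, even if the user finally approves one."""
    recent = defaultdict(list)
    flagged = set()
    for ts, etype, user, detail in events:
        if etype != "mfa.push" or detail == "approved":
            continue
        t = _ts(ts)
        recent[user] = [x for x in recent[user] if t - x <= window] + [t]
        if len(recent[user]) >= threshold:
            flagged.add(user)
    return sorted(flagged)


def detect_reset_then_new_device(events, privileged, window=timedelta(minutes=30)):
    """(user, agent) pairs where a help-desk MFA reset on a privileged account is
    followed within `window` by a login from a new device: the sequence seen when
    the help desk is talked into moving MFA to a device the caller controls."""
    resets, flagged = {}, []
    for ts, etype, user, detail in events:
        if etype == "helpdesk.mfa_reset" and user in privileged:
            resets[user] = (_ts(ts), detail)
        elif etype == "login" and detail == "new_device" and user in resets:
            if _ts(ts) - resets[user][0] <= window:
                flagged.append((user, resets[user][1]))
    return flagged
```

Both functions return the accounts (and, for resets, the help-desk agent) to review, which is the information the help desk needs to share in real time under the second mitigation above.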

Remove Unnecessary Legacy Data

The consequences of a ransomware attack correlate with the volume of sensitive data that a threat actor is able to encrypt or exfiltrate. The quantity and type of data impacted drive statutory notification obligations and exposure to civil liability, and regulators typically inquire about the age and storage of impacted data. Scattered Spider has proven particularly adept at identifying (and exfiltrating) data of legal significance, increasing the pressure on victims to pay (even without encrypting any data). According to the FBI and CISA, Scattered Spider actors have sought out a victim’s cloud-based data platform to exfiltrate large volumes of data in a short time, often running thousands of queries rapidly.

Although business needs can often justify retention of large volumes of data, companies can reduce the consequences of a cyber incident through sound data retention policies; i.e., understanding what data the company holds (and why) and storing (or purging) it according to defined policies. Some victims learn too late that a ransomware actor exfiltrated large volumes of sensitive data that had been kept well beyond its usefulness (or in systems that were not as secure). Effective data governance is also necessary to comply with many privacy and cybersecurity legal requirements.

Here are best practices to ensure that the company is not carrying excess risk in the form of excess data:

  • Map the company’s data, to understand what is stored, where, and on what retention schedule. Archive or delete data that is not required for business purposes according to a documented (and enforced) retention schedule.
  • Consider using a legal team to oversee that process and to direct it under privilege.
  • As part of the acquisition process, ensure acquired entities apply the same level of discipline to data retention and come into compliance with company policy.
  • Identify exceptions and one-offs, such as an IT system that is created for a project that is later abandoned, or employees that violate company policy by replicating data to their personal workspace.

Planning for Potential Prosecutions

Companies have long shared information with law enforcement agencies during and after cyber incidents, balancing the need to protect confidential information with the benefits of receiving information from the relevant agency. In exceptional cases, law enforcement agencies have been able to recover ransom payments and assist with data decryption, but even in ordinary cases, this engagement has allowed victim companies to validate their understanding of the threat actors with experts in the government, indirectly help other companies facing similar attacks, and invoke their status as a cooperative victim to mitigate regulatory penalties. Generally speaking, this cooperation with law enforcement is unlikely to become public during a criminal legal proceeding, because the threat actor is unlikely to be identified or located in a cooperative jurisdiction.

With Scattered Spider, that dynamic is changing. Law enforcement agencies in the United Kingdom, the United States, and other countries have initiated criminal prosecutions against members of Scattered Spider and seized ransom payments. The more realistic potential for arrest and prosecution should influence how companies think about their interaction with law enforcement. The reputational benefit associated with cooperating with law enforcement may increase (because you may play a crucial part in the arrest and conviction of a threat actor). On the other hand, while the government can routinely bring charges without naming victims, the identity of witnesses is more likely to be revealed during extradition proceedings, as part of discovery, and certainly no later than any trial. Information provided to the government on a “threat intelligence” basis may, therefore, become evidence that needs to be authenticated as such in court, by a witness from the victim company.

Companies would benefit from thinking through these scenarios in advance:

  • Establishing a relationship with local federal law enforcement contacts well before an incident is likely to help the company better maneuver when an incident occurs. Even though the experts on a particular threat group may not be local (they are likely to work for a different field office), that local relationship will pay dividends.
  • Productive information sharing relationships are often established between a company’s information security teams and law enforcement. During the crisis of incident response, however, companies should consider conducting those communications through counsel (or at least in their presence).
  • Understand the protections offered by the Cybersecurity Information Sharing Act of 2015 (assuming it’s renewed!)1 before an incident. Knowing how to preserve common law privileges like attorney-work product protection may impact your decision to share information.
  • Incorporate a hypothetical ransomware scenario involving a potential prosecution into a tabletop exercise to work through these issues in advance.

Prepositioning Key External Vendors

Ransomware incidents can put acute and immediate demands on victim companies. High-profile ransomware incidents have highlighted the pressure companies face to lead complex forensic investigations while communicating externally, on the one hand, and negotiating with the threat actor, on the other. Response teams may find themselves quickly stretched thin as they face complex challenges across multiple dimensions. No company wants to search for a key vendor at that point: ransomware attacks continue to confirm the wisdom of prepositioning relevant external resources so that companies pull them in as soon as they are needed.

Companies’ needs for external support vary based on their own internal capabilities, their policies (including insurance), and their culture, but the following relationships are often critical:

  • Most companies will experience only one major ransomware attack (if that), but qualified outside counsel will have seen dozens of incidents and be prepared to coach the company through the crisis based on that experience. Establish a relationship with outside counsel before the incident, and make your lawyer one of your first calls, so that other providers can be retained under privilege.
  • Companies may already have a digital forensic and incident response (DFIR) firm on retainer, especially as part of a managed services agreement, but consider whether the same company providing defensive security services should also investigate what led to the breach. Even if the firm operates professionally and ethically in performing both services (as has been our experience in most cases), there is at least the potential for a conflict of interest when the investigators examine their colleagues’ defensive work (which could come to a head in civil litigation, if not before). As a result, consider having a secondary DFIR provider available for use in serious incidents, especially where there may be disputes over who should pay for the cleanup (or where there is a potential for civil litigation).
  • Some companies categorically refuse to consider paying a ransom, but even those companies may want to consider having a ransomware negotiation service in place, if only to manage communications with the threat actor group and buy time to make a final decision. Even if you hire such a firm, however, the company and its counsel should exercise strong oversight over communications with the threat actor and counteroffers.
  • Other companies may have very strong in-house communications teams but still may benefit from support from an external communications expert in the most extreme instances.

Whatever the preferred approach, recent ransomware incidents have highlighted the advantages of preparation. Putting in place relevant agreements with legal, forensics, communications, negotiation, and other key vendors in advance—and under privilege as appropriate—is proving a particularly important best practice for managing legal risk in ransomware incidents. By selecting the structure that will work best for the company in advance, an incident response team can save itself valuable time and focus during an actual incident, allowing it to deliver a more effective and efficient response to the crisis.

Confirming Escalation Paths to Company Leadership

Recent significant ransomware incidents have highlighted the critical role that company leadership plays in managing a successful response. Among other critical decisions, ransomware incidents may require executives to:

  • Decide whether and how the company should disclose the incident to employees, regulators, investors, customers, and other counterparties;
  • Assess whether it is necessary to update the board of directors;
  • Consider whether to pay the ransom; and
  • Determine how to balance containment and remediation of the incident with moving business forward.

Given recent tactics of ransomware groups, executives must also be mindful that a threat actor’s extortion tactics can include making direct and threatening phone calls (to employees or customers) and exposing information on the internet prematurely.

Under these circumstances, companies can benefit from ensuring that their incident response plans and procedures provide for timely and appropriate escalation of key decisions to company leaders. Striking the right balance can be more art than science: senior executives should not be pulled into every incident or expected to approve every incident-related decision. At the same time, substantial incidents raise strategic questions and determining when to escalate an incident is a key factor in ensuring a successful response. Legal teams often play an important role in striking the right balance for these situations, depending on the company’s specific culture and leadership style. Tabletop exercises can provide good opportunities to fine-tune the company’s approach on this front.

* * * * *

There are no silver bullets to neutralize sophisticated cyber actors like Scattered Spider, but maintaining a comprehensive, risk-based cybersecurity program remains the best tool for reducing cyber risks. Putting in place appropriate technical and administrative controls, providing appropriate training, ensuring effective oversight, and being prepared to respond effectively and efficiently when an incident occurs all play important roles. Understanding recent trends in attacks and the demands they put on response teams also can help companies fine-tune their risk-based cybersecurity programs.

1 As of writing, CISA 2015 will sunset on September 30, 2025, unless renewed by Congress.
