CyberSecurity news
FlagThis
Mandiant@Threat Intelligence
//
UNC3944, a financially motivated cyber threat actor also known as Scattered Spider, has evolved from primarily conducting SIM swapping operations to focusing on ransomware and data extortion. Initially, UNC3944 targeted telecommunications organizations to facilitate SIM swaps, but since early 2023, they have shifted their focus to a broader range of industries, deploying ransomware and stealing data for extortion purposes. This transition marks a significant escalation in their tactics and impact, affecting sectors such as technology, financial services, business process outsourcing (BPO), gaming, hospitality, retail, and media & entertainment. The group has been observed conducting targeted waves of attacks against specific sectors, indicating a strategic and adaptable approach to their operations.
Despite law enforcement actions in 2024 that led to a temporary decline in UNC3944's activity, experts caution that their established connections within the cybercrime ecosystem suggest a strong potential for rapid recovery. This could involve forming new partnerships, adopting new tools to evade detection, or shifting strategies to circumvent security measures. Recent reports have indicated the use of tactics consistent with Scattered Spider in attacks against UK retail organizations, involving the deployment of DragonForce ransomware. Furthermore, the operators of DragonForce have reportedly taken control of RansomHub, a ransomware-as-a-service (RaaS) platform where UNC3944 was previously an affiliate after the shutdown of ALPHV (Blackcat) RaaS.
The retail sector has emerged as an increasingly attractive target for threat actors like UNC3944. Data from tracked data leak sites (DLS) reveals that retail organizations accounted for 11% of DLS victims in 2025, a notable increase from 8.5% in 2024. This trend is attributed to the large quantities of personally identifiable information (PII) and financial data typically held by retail companies, combined with their susceptibility to business disruption. The potential for significant financial losses resulting from ransomware attacks further incentivizes these companies to pay ransom demands, making them lucrative targets for financially motivated cybercriminals.
ImgSrc: storage.googlea
References :
Despite law enforcement actions in 2024 that led to a temporary decline in UNC3944's activity, experts caution that their established connections within the cybercrime ecosystem suggest a strong potential for rapid recovery. This could involve forming new partnerships, adopting new tools to evade detection, or shifting strategies to circumvent security measures. Recent reports have indicated the use of tactics consistent with Scattered Spider in attacks against UK retail organizations, involving the deployment of DragonForce ransomware. Furthermore, the operators of DragonForce have reportedly taken control of RansomHub, a ransomware-as-a-service (RaaS) platform where UNC3944 was previously an affiliate after the shutdown of ALPHV (Blackcat) RaaS.
The retail sector has emerged as an increasingly attractive target for threat actors like UNC3944. Data from tracked data leak sites (DLS) reveals that retail organizations accounted for 11% of DLS victims in 2025, a notable increase from 8.5% in 2024. This trend is attributed to the large quantities of personally identifiable information (PII) and financial data typically held by retail companies, combined with their susceptibility to business disruption. The potential for significant financial losses resulting from ransomware attacks further incentivizes these companies to pay ransom demands, making them lucrative targets for financially motivated cybercriminals.
ImgSrc: storage.googlea
Share:
References :
- gbhackers.com: UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion
- cyberpress.org: UNC3944 Hackers Transition from SIM Swapping to Ransomware and Data Extortion
Classification:
- HashTags: #UNC3944 #Ransomware #DataBreach
- Company: Google
- Target: Various organizations
- Attacker: UNC3944
- Product: Google Cloud
- Feature: Data theft, Social Engineering
- Malware: DragonForce
- Type: Ransomware
- Severity: Major