⚡ Key Takeaways

Scattered Spider (UNC3944 / Muddled Libra / Octo Tempest) caused £300 million in UK retail damages in 2025, pivoted to aviation and MSPs, and is forecast by Sophos, Trend Micro, and US HHS to concentrate on healthcare in 2026. The attack chain is help-desk vishing, SIM swaps, federated SaaS abuse, and affiliate-selected ransomware — no zero-days required. Defenders have months of lead time to implement out-of-band help-desk verification, phishing-resistant MFA, SaaS exfiltration detection, and segmented clinical networks.

Bottom Line: Healthcare, insurance, and MSP leaders should treat the 2026 Scattered Spider sector rotation as a live planning assumption. The defensive playbook is known; the question is whether it ships before the intrusion lands.


🧭 Decision Radar

Relevance for Algeria: Medium
Algerian healthcare and insurance networks are a smaller, more regional target set, but Algerian banks, telecoms, and multinational subsidiaries share the same SSO, help-desk, and MSP topology that this group exploits. Techniques are directly portable.

Infrastructure Ready? Partial
Major Algerian banks and telecoms have modern identity platforms; healthcare IT in public hospitals is less mature. Phishing-resistant MFA is not yet standard in either sector.

Skills Available? Partial
IAM, SaaS-security, and social-engineering-resilient help-desk skills are scarce. OWASP Algiers and ISC2 Algeria are building the talent pipeline.

Action Timeline: 6–12 months
Help-desk verification and phishing-resistant MFA rollouts are multi-quarter programs. Starting now positions an organization before the broader MEA rotation.

Key Stakeholders: CISOs, hospital CIOs, bank fraud teams, telecom security, MSP vendors, help-desk leads, identity architects

Decision Type: Strategic
Identity and help-desk hardening are multi-year programs, not point fixes.

Quick Take: Healthcare, insurance, and MSP leaders should treat the 2026 Scattered Spider forecast as a live planning assumption. Move help-desk MFA-reset verification out-of-band this quarter, accelerate phishing-resistant MFA for privileged staff, activate SaaS data-exfiltration monitoring, and segment clinical networks from administrative ones. Algerian banks and telecoms running similar SSO topologies should borrow the same playbook.

From Retail Wave to Sector Rotation

The modern Scattered Spider story starts in April and May 2025 with the UK retail wave. HackTheBox and Cybersecurity Dive documented the near-simultaneous compromises at Marks & Spencer, Co-op, and Harrods: empty shelves at M&S, suspended contactless payments, outages that cost the retailers an estimated £300 million collectively. Computer Weekly reported Google's threat-intelligence team confirming the same cluster was already targeting US retailers.

By June 2025, the group had rotated to aviation. BlackFog's retrospective notes attacks on Hawaiian Airlines, WestJet, and a Qantas third-party contact center, all tied back to the same TTPs. After aviation, the group drifted into MSP and IT-vendor impersonation — Infosecurity Magazine documented the pivot to tech-vendor impersonation targeting help desks, and HIPAA Journal flagged MSP-focused activity with direct healthcare implications.

IT Pro's 2026 outlook, drawing on the Sophos and Trend Micro 2026 assessments and a US Department of Health and Human Services threat profile, identifies healthcare as the next likely concentrated target sector.

That gives defenders something unusual in ransomware tracking: a publicly named sector rotation with months of lead time to prepare.

The Attack Chain Has Not Fundamentally Changed

Every sector this group has hit — retail, aviation, insurance, MSPs, and now healthcare — followed roughly the same attack chain. ExtraHop's campaign retrospective and Palo Alto Unit 42's Muddled Libra threat assessment converge on the same stages:

  1. Initial access via help-desk social engineering. The attacker calls the target's IT help desk claiming to be a legitimate employee or a contracted MSP. They exploit weak verification processes — the caller knows the employee's name, role, and manager — and convince the help desk to reset MFA or issue a password.
  2. SIM-swap to defeat SMS MFA where present. In parallel or subsequently, the attacker uses previously purchased carrier insider access to port the victim's number to a controlled device.
  3. Credential harvest and cloud-console access. With one foothold, the attacker pivots into Okta, Entra, Workspace, or Azure and starts enumerating federated SaaS applications — Salesforce, Snowflake, ServiceNow, Slack.
  4. Data exfiltration via legitimate SaaS APIs. Rather than dropping custom malware, they use the victim's own Salesforce export and Snowflake query capabilities to exfiltrate data quietly.
  5. DragonForce or RansomHub encryptor deployment. Resilience's research documents the group's affiliate relationships with multiple ransomware operators, giving them the ability to pick the encryptor brand that best fits a given engagement.

Nothing in this chain requires zero-days. It requires a help desk willing to reset MFA over the phone, a SIM-swap-capable carrier insider, and federated SSO without enforced phishing-resistant factors. That is the bar.

Why Healthcare Is the Obvious Next Target

Four structural factors explain the forecasted pivot.

  • Help-desk culture. Hospitals run large, geographically dispersed help desks with high staff turnover and strong pressure to unblock clinicians quickly. That is exactly the environment Scattered Spider exploits best.
  • Federated identity immaturity. Most healthcare networks have a patchwork of on-prem Active Directory, Microsoft Entra, and sector-specific identity systems (Epic, Cerner/Oracle Health). Phishing-resistant MFA (FIDO2, passkeys, hardware tokens) is far less uniformly deployed than in financial services.
  • Operational impact leverage. Downtime in retail costs revenue. Downtime in healthcare threatens patient safety, which means ransom pressure is harder to resist. Scattered Spider has consistently optimized for maximum operational leverage.
  • Third-party exposure. Healthcare networks are deeply entangled with MSPs, claims clearinghouses, EHR vendors, and specialist SaaS. The group's recent MSP-vendor impersonation pivot, per HIPAA Journal, fits naturally with healthcare's supply-chain topology.


The Healthcare Defender's Playbook

This is the shortlist of controls that demonstrably break the Scattered Spider attack chain. None are new; all are underdeployed in healthcare today.

  • Help-desk out-of-band verification. Any request to reset MFA or a password must be verified through a channel the caller cannot control — typically a callback to the employee's manager on a number stored in HR records, not given by the caller. Enforce this as policy, not as a suggestion.
  • Phishing-resistant MFA for all staff with privileged access. Hardware FIDO2 keys or platform passkeys for clinicians, admins, and IT staff. SMS and voice OTP cannot survive a SIM-swap and should be retired from high-value workflows.
  • Conditional access on impossible travel and new-device login. Every major identity platform supports this natively. It is the single highest-signal alert for an active Scattered Spider intrusion.
  • SaaS data-exfiltration detection. Salesforce, Snowflake, and M365 all expose APIs for monitoring unusual export or query volume. Activate them and route the alerts to the SOC — not to the application owner.
  • Segmentation between clinical and administrative networks. The traditional healthcare flat network is the soft underbelly. A ransomware deployment that cannot cross from HR or help-desk systems to clinical floor workstations is a fundamentally survivable incident.
  • Third-party MSP and IT-vendor vetting. Review any external IT or MSP relationship with authority to reset credentials or access privileged systems. Require them to enforce the same help-desk verification standards, or revoke the privilege.
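The conditional-access and SaaS-exfiltration controls above only pay off when their signals are correlated. The script below is an added illustration, not code from the article or from any vendor platform: it replays constructed audit events (a help-desk MFA reset, a sign-in from an unseen device at an impossible distance, then a bulk Salesforce export) through a small correlation routine of the kind a SOC would wire into its SIEM. Event fields, thresholds, and the 24-hour reset window are assumptions chosen for the example.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Constructed sample audit events (identity platform + SaaS export log); not real data.
EVENTS = [
    {"ts": "2026-03-02T08:05:00", "user": "nurse.a", "type": "signin",
     "device": "laptop-0421", "lat": 36.75, "lon": 3.06},        # Algiers, usual laptop
    {"ts": "2026-03-02T09:10:00", "user": "nurse.a", "type": "mfa_reset",
     "actor": "helpdesk.tier1"},                                  # phone-initiated reset
    {"ts": "2026-03-02T09:25:00", "user": "nurse.a", "type": "signin",
     "device": "unknown-7f3a", "lat": 51.51, "lon": -0.13},      # London, never-seen device
    {"ts": "2026-03-02T09:40:00", "user": "nurse.a", "type": "saas_export",
     "app": "Salesforce", "rows": 250000},                        # bulk export via API
    {"ts": "2026-03-02T10:00:00", "user": "admin.b", "type": "saas_export",
     "app": "Salesforce", "rows": 400},                           # routine small export
]

def km_between(lat1, lon1, lat2, lon2):
    """Great-circle distance in km (haversine), used for the impossible-travel check."""
    dphi, dlam = radians(lat2 - lat1), radians(lon2 - lon1)
    a = sin(dphi / 2) ** 2 + cos(radians(lat1)) * cos(radians(lat2)) * sin(dlam / 2) ** 2
    return 2 * 6371 * asin(sqrt(a))

def detect(events, reset_window=timedelta(hours=24), max_kmh=900, export_rows=100000):
    """Correlate help-desk MFA resets, new-device / impossible-travel sign-ins and bulk exports.
    Returns (user, alert) tuples in the order they fire; exports by an already-suspect
    user are raised to 'high' so the SOC sees the whole chain, not three isolated alerts."""
    alerts, state = [], {}
    for e in sorted(events, key=lambda x: x["ts"]):          # ISO timestamps sort lexically
        ts = datetime.fromisoformat(e["ts"])
        s = state.setdefault(e["user"], {"devices": set(), "last": None, "reset": None, "suspect": False})
        if e["type"] == "mfa_reset":
            s["reset"] = ts
        elif e["type"] == "signin":
            new_dev = e["device"] not in s["devices"]
            s["devices"].add(e["device"])
            if s["last"]:                                    # speed needed since last sign-in
                lts, lat, lon = s["last"]
                hours = max((ts - lts).total_seconds() / 3600, 1e-6)
                if km_between(lat, lon, e["lat"], e["lon"]) / hours > max_kmh:
                    alerts.append((e["user"], "impossible_travel"))
                    s["suspect"] = True
            if new_dev and s["reset"] and ts - s["reset"] <= reset_window:
                alerts.append((e["user"], "new_device_after_mfa_reset"))
                s["suspect"] = True
            s["last"] = (ts, e["lat"], e["lon"])
        elif e["type"] == "saas_export" and e["rows"] >= export_rows:
            sev = "high" if s["suspect"] else "medium"
            alerts.append((e["user"], f"bulk_export:{e['app']}:{sev}"))
    return alerts

if __name__ == "__main__":
    for alert in detect(EVENTS):
        print(alert)
```

In production the same logic runs over the identity provider's sign-in log and the SaaS platform's export audit trail; the point is that the export alert is routed to the SOC with the reset and sign-in context attached.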

What Leaders Should Hear from Their CISO This Quarter

If your organization runs healthcare infrastructure, insurance claims, or payer operations, three questions belong on the next board or executive-risk committee:

  1. "What verification does our help desk perform before resetting MFA for a caller? Have we tested it with a realistic social-engineering call in the last 90 days?"
  2. "Do our clinical admins and IT staff use phishing-resistant MFA, or are we still dependent on SMS and push?"
  3. "If a Scattered Spider intrusion succeeded tomorrow via the help desk, what SaaS data would leave the organization, and how quickly would we see it?"

If any of those answers are not concrete, the organization is inside the likely target surface for 2026.

Where This Leaves Defenders

Scattered Spider is the clearest current illustration of how ransomware has shifted from malware-first to identity-first. The malware matters, but the intrusion starts with a phone call. The sector rotation — retail, aviation, MSPs, healthcare — is a gift of lead time that defenders rarely get in threat intelligence. Healthcare CISOs, in particular, have the months from April through the rest of 2026 to move help-desk verification, phishing-resistant MFA, and SaaS monitoring from the roadmap into production. Organizations that use the warning shot are in a very different position from those that discover the lesson through an incident.


Frequently Asked Questions

Is Scattered Spider the same group as Muddled Libra and UNC3944?

Yes. Scattered Spider is the vendor-neutral name for a threat cluster that Mandiant tracks as UNC3944, Palo Alto Unit 42 tracks as Muddled Libra, Microsoft tracks as Octo Tempest, and other vendors call Starfraud. The group is predominantly young, English-speaking, and social-engineering-oriented, and has shifted affiliations across ransomware brands including ALPHV/BlackCat, RansomHub, and DragonForce.

What makes this group different from traditional ransomware affiliates?

Three things. First, they lead with social engineering against help desks and individuals rather than exploiting server vulnerabilities. Second, they prefer exfiltrating data via legitimate SaaS APIs (Salesforce, Snowflake) over dropping custom malware. Third, they rotate through sectors methodically — retail, aviation, MSPs, and now healthcare — allowing defenders to anticipate the next likely target.

If we do not operate in the US or UK, should we still prepare?

Yes. The group's techniques are not geography-specific. Multinationals operating in Algeria, the MENA region, and Africa share the same SSO, help-desk, and MSP topologies that Scattered Spider exploits, and copycat actors who study these intrusions are increasingly active globally. The defensive playbook is the same regardless of your primary region of operation.

Sources & Further Reading