Scattered Spider: the Evolution of Identity-Based Ransomware
September 23, 2025
In this episode of Data Security Decoded, join Caleb Tolin as he welcomes back Joe Hladik, Head of Rubrik Zero Labs, to explore how modern adversaries like Scattered Spider are reshaping the ransomware landscape. From double extortion schemes to identity compromise and hypervisor encryption, Joe explains why these attackers succeed where traditional defenses fail and what security leaders must do to embed resilience and recovery at the core of their strategy.
• Learn how double extortion turns data theft into a two-payout playbook
• Hear why identity compromise and social engineering bypass even strong defenses
• Understand why breakout times as fast as 48 minutes change the response equation
• Get practical ways to build resilience and recovery without reintroducing attacker backdoors
Identity-based ransomware is no longer a fringe tactic; it’s becoming the playbook of today’s most dangerous adversaries. Scattered Spider, a financially motivated e-crime group, has shifted the model from smash-and-grab encryption to a far more devastating combination of double extortion, social engineering, and hypervisor encryption attacks.
In this episode of Data Security Decoded, host Caleb Tolin welcomes back Joe Hladik, Head of Rubrik Zero Labs, to unpack how Scattered Spider is evolving the ransomware playbook. From double extortion and identity compromise to hypervisor encryption and legacy system exploitation, Joe explains why these tactics succeed where traditional defenses fail and why building cyber resilience, not just detection and response, is the critical next step for security leaders.
What You’ll Learn
- How Scattered Spider leverages ransomware-as-a-service and double extortion to maximize payouts
- Why identity compromise and social engineering make traditional defenses ineffective
- How “living off the land” techniques and vulnerable drivers bypass signature-based tools
- Why legacy infrastructure and outdated backup systems are prime targets for exploitation
- What cyber resilience really means and how to build recovery into your security posture
Episode Highlights:
[00:30] Joe on Scattered Spider’s financial motivations and shift to double extortion
[06:53] Why identity compromise and social engineering bypass traditional defenses
[08:49] Disabling EDR with “living off the land” techniques and vulnerable drivers
[13:06] Hypervisor encryption: how attackers can take entire backup systems offline
[16:21] Cyber resilience as the future: assuming breach and restoring trusted systems
[00:30] Joe on Scattered Spider’s financial motivations and shift to double extortion
[06:53] Why identity compromise and social engineering bypass traditional defenses
[08:49] Disabling EDR with “living off the land” techniques and vulnerable drivers
[13:06] Hypervisor encryption: how attackers can take entire backup systems offline
[16:21] Cyber resilience as the future: assuming breach and restoring trusted systems
Episode Resources:
Data Security Decoded is handcrafted by our friends over at: fame.so