The hacking collective known as Scattered Spider has shattered its previous benchmarks for financial harm, targeting major corporations across industries. What began as a series of high-profile ransom demands has escalated into a global disruption economy. The total cost of their attacks, including lost revenue, halted operations, market cap erosion, reputational damage, legal fees, and recovery investments, is now measured in billions. Estimates from M&S, Caesars Entertainment, MGM Resorts, and global ransomware cost projections confirm that Scattered Spider is inflicting financial devastation that extends far beyond the confines of ransom negotiation.
In one case, Caesars Entertainment conceded it paid a $15 million ransom in late 2023 after falling victim to Scattered Spider using sophisticated social engineering tactics to steal credentials and deploy ransomware (BBC News, 2025). But this was only a fraction of the overall cost, which is estimated to be closer to $100 million when including legal, remediation, and reputational damages, based on comparable incidents. A few weeks later, MGM Resorts endured a full system shutdown that resulted in an estimated $100 million in losses (The Guardian, 2025). These losses were not due to ransom payments alone. In MGM's case, the company refused to pay. Instead, the financial damage came from service outages, customer refunds, operational delays, IT rebuilds, and reputational damage.
Monthly global ransomware damages reached $4.8 billion in 2025, amounting to about $57 billion annually
In early 2025, Scattered Spider launched a coordinated assault on British retailers including Marks & Spencer, Harrods, and Co-op. M&S made public the cost of these attacks. It reported an estimated £300 million profit hit and announced it could halve that through insurance and cost controls to about £150 million (The Guardian, 2025). Yet even that reduced figure omits broader costs. Market value losses totaled between £500 million and £700 million in the immediate aftermath (BBC News, 2025). Shareholders absorbed the brunt of those losses, and investor confidence remains shaken.
Daily sales at M&S’s online stores were frozen for days. The disruption halted approximately £3.8 million in lost sales each day (as reported by Push Security). Operational paralysis affected logistics and stock availability across the country. Customer complaints surged, and brand loyalty took a hit. Legal expenses, forensic analysis, PR damage control, third-party audits, and future insurance premium increases are harder to quantify but form a substantial part of the total cost. When factored together, the full economic toll of the M&S breach may approach £1 billion.
Monthly global ransomware damages reached $4.8 billion in 2025, amounting to about $57 billion annually (Cybersecurity Ventures, 2025). These figures include costs far exceeding the ransom itself. Ransomware attacks now trigger complex, cascading disruptions across business ecosystems.
Anatomy of a Multi-Hundred-Million-Dollar Attack
Scattered Spider combines data extortion, ransomware deployment, credential theft, supply-chain infiltration, and targeted social engineering. Technical evidence shows that the attack on M&S began months earlier in February 2025 via a compromised third-party IT provider. The group quietly breached network accounts and exfiltrated sensitive domain control files like the NTDS.dit before launching the DragonForce ransomware payload on April 24 (Push Security, 2025).
Their modus operandi relies heavily on abusing help-desk support channels, deploying targeted phishing using Evilginx credential capture tools and typosquatted domains, and employing SIM-swap and MFA-fatigue campaigns. Over 80 percent of their observed phishing domains impersonate technology vendors to ensnare IT and administrative users. Their pivot to managed service providers multiplies their reach and allows them to compromise multiple clients from a single compromised supplier. This supply-chain model doesn’t just expand access. It multiplies liability and raises the ceiling for total financial loss across dependent organizations.
The damage from these attacks is not limited to a single payment or technical compromise. It reverberates through supply chains, slashes quarterly earnings, drives down stock valuations, sows uncertainty among investors, and requires years of reputational repair.
At Caesars and MGM, Scattered Spider used that same skill set to manipulate employees into revealing credentials, bypass MFA, move laterally, and deploy ransomware. Caesars ultimately paid $15 million (BBC News, 2025). MGM faced a $100 million hit that included lost revenue, operational shutdown, customer service rerouting, post-breach investigations, and IT infrastructure rebuilds (The Guardian, 2025). In both cases, the actual cost of responding to the incident dwarfed the ransom itself.
The group remains active in 2025. It has joined forces with ransomware-as-a-service providers like ALPHV, RansomHub, and DragonForce. These alliances help them deploy encryptors on critical infrastructure, including VMware ESXi hosts in enterprise data centers. The damage from these attacks is not limited to a single payment or technical compromise. It reverberates through supply chains, slashes quarterly earnings, drives down stock valuations, sows uncertainty among investors, and requires years of reputational repair. These ripple effects define the true cost of modern ransomware.
Broader Implications for Global Cybersecurity
Scattered Spider’s activity exemplifies a broader surge in ransomware costs and cyber extortion. Globally, cybercrime inflicted $10.5 trillion in damages in 2025 (Cybersecurity Ventures, 2025). Ransomware alone is projected to cost victims $57 billion this year, equating to $1.1 billion per week, $156 million per day, and $6.5 million per hour.
These figures are not abstractions. They represent stalled projects, frozen sales pipelines, panicked customers, regulatory scrutiny, reputational harm, and elevated insurance premiums. Corporate ransom demands now routinely enter low-seven figures. The average payment grew from $417,000 in 2023 to $850,700 in 2024 (Chainalysis, 2025). But ransom payments are just the tip of the iceberg: many organizations now spend 10 to 20 times more on total incident response than on the ransom itself.
Scattered Spider’s strategic abuse of managed service providers and focus on high-value sectors like retail, finance, telecommunications, and cloud further amplify their impact. Breaches in one firm reverberate across client ecosystems. The M&S breach illustrates how a single vendor compromise can wipe out hundreds of millions in shareholder value, disrupt supply chains, halt online sales, and erode customer trust.
These figures should force organizations to reconsider how they measure cyber exposure. In the short term, boardrooms must account for potential losses in the hundreds of millions per major breach. In the long term, global risk models must integrate Tier-One threat groups like Scattered Spider into enterprise resilience planning.
Law enforcement responses are underway. The NCA is investigating and the FBI and CISA issued advisory AA23-320A outlining Scattered Spider’s tactics (The Guardian, 2025). Five suspects have been charged in the US (The Guardian, 2025). Arrests may disrupt some operations, but the group’s decentralized "Community" network and outsourcing structure suggest long-term persistence.
A Cost That Reshapes Risk Quantification
Scattered Spider is inflicting financial harms that outpace many traditional corporate risks. Its ransomware extortion has created single-incident losses of $100 million (MGM) and £300 million (M&S). But the broader financial footprint of these attacks far exceeds those headlines. When reputational loss, business interruption, legal costs, regulatory fallout, diminished customer trust, and depressed stock value are factored in, the total damage regularly multiplies by a factor of ten or more. In some cases, it crosses the billion-dollar threshold outright.
Its assault on global ransomware damage has helped drive the cost to $57 billion annually, with scope to grow to $275 billion by 2031 (Cybersecurity Ventures, 2025).
These figures should force organizations to reconsider how they measure cyber exposure. In the short term, boardrooms must account for potential losses in the hundreds of millions per major breach. In the long term, global risk models must integrate Tier-One threat groups like Scattered Spider into enterprise resilience planning.
Policymakers, insurers, executives, and security teams must prepare for cascading vendor compromises and high-value extortion risks. Silos alone cannot secure supply chains. Systematic vendor risk reduction, IAM hardening, breach protocols, and cross-sector collaboration are essential.
This also requires a shift in how sensitive information is managed during vulnerable workflows, especially those involving help desk requests, credential resets, and third-party access approvals. Attackers no longer depend solely on technical exploits. They manipulate trust, impersonate authority, and extract long-term value from temporary exposure. Limiting that exposure requires identity-verified communication, restricted message lifespan, and controls that prevent sensitive data from being stored in the first place.
Without structural change, groups like Scattered Spider will continue to set new records in cyber extortion. Quantifying this cost in hard dollars is the first step toward systemic resilience and toward defending global commerce in the digital era.
Don’t get caught in Scattered Spider’s web. Traceless helps organizations protect the interactions most attackers target: verifying identity, eliminating data residue, and securing every step of the workflow. See it in action by booking a demo HERE.