16 May 2025

Cyber gang behind UK attacks shifts focus to US

A cybercriminal group known as Scattered Spider has shifted its focus from the UK to the US, Google’s Threat Intelligence Group warns.

Mohamed Dabo May 15 2025

A cybercriminal group previously linked to a series of ransomware attacks on major UK retailers is now targeting companies in the United States, according to a new warning issued by Google’s Threat Intelligence team.

The hacking group, tracked by cybersecurity experts as Scattered Spider and believed to be part of a broader criminal network known as “the Community” or “the Com,” is suspected of shifting its ransomware and extortion operations to the US retail sector.

Google’s threat analysts say this represents an escalation in cyber threats facing American businesses.

US retail sector now in hackers’ crosshairs

John Hultquist, chief analyst at Google Threat Intelligence Group, stated that American retailers are currently being targeted in cyberattacks involving ransomware and extortion tactics.

He said these operations are likely linked to UNC3944, an alias for Scattered Spider. While Google has not made a formal attribution, it noted the group’s pattern of focusing on a single industry at a time.

The warning comes after a wave of high-profile cyber incidents in the UK, affecting brands such as Marks & Spencer, Harrods, and the Co-op. In those cases, attackers reportedly used DragonForce ransomware to compromise networks and extort payments.

Security experts say the group appears to be reviving its activity following a lull and is now redirecting its efforts toward similar retail targets across the Atlantic.

Sophisticated social engineering tactics

Scattered Spider has earned a reputation for using advanced social engineering techniques to breach secure systems.

Hultquist warned that the attackers are skilled at bypassing even mature cybersecurity defences, often exploiting third-party vendors or employees through phishing and SIM-swapping.

“They are aggressive, creative, and particularly effective at circumventing mature security programs,” he said.

The group’s methods reportedly include impersonating employees or service providers to gain unauthorised access, a strategy that has made them especially dangerous to large organisations with complex digital infrastructures.

History of high-profile attacks

Scattered Spider and its affiliates have been linked to several significant ransomware campaigns in recent years. The group was previously associated with attacks on US casino operators MGM Resorts and Caesars Entertainment, leading to widespread service disruptions and data breaches.

In July last year, a UK teenager was arrested for his suspected involvement in the MGM breach. Five other individuals, all American citizens, were charged in November in connection with the group’s activities.

The gang has also been tied to previous breaches affecting major tech firms including Coinbase, Mailchimp, LastPass, Twilio, Riot Games, and Reddit—highlighting the wide-ranging impact of their operations.

Cybersecurity analysts caution that the renewed activity by Scattered Spider underscores the growing threat posed by ransomware groups targeting critical commercial infrastructure.

US retailers, in particular, are urged to strengthen their cyber defences and remain alert to social engineering tactics that continue to fuel these attacks.
