UNC3944 Hackers Shift from SIM Swapping to Ransomware and Data Extortion

UNC3944, a financially-motivated threat actor also linked to the group known as Scattered Spider, has transitioned from niche SIM swapping operations targeting telecommunications organizations to a more aggressive focus on ransomware and data theft extortion across diverse industries.

Initially observed exploiting telecom vulnerabilities to facilitate SIM swaps, UNC3944 pivoted in early 2023 to deploy ransomware campaigns, impacting sectors such as technology, financial services, business process outsourcing, gaming, hospitality, retail, and media & entertainment.

This shift has seen the group conduct targeted waves of attacks, with notable campaigns against financial services in late 2023 and food services in May 2024, alongside high-profile brands likely chosen for prestige and media attention.

Their victimology reveals a preference for large enterprises in English-speaking countries like the United States, Canada, the UK, and Australia, with recent expansions into Singapore and India, focusing on organizations with extensive help desk and outsourced IT functions vulnerable to social ...