BOOK THIS SPACE FOR AD
ARTICLE AD
The Octo Tempest group adds RansomHub and Qilin ransomware to its arsenal
Microsoft said that in Q2 2024, the Octo Tempest cybercrime gang added RansomHub and Qilin ransomware to its arsenal.
In the second quarter of 2024, financially motivated threat actor Octo Tempest (aka Scattered Spider, UNC3944, and 0ktapus), added RansomHub and Qilin ransomware to its arsenal and used them in its campaigns.
Octo Tempest has been active since early 2022, it made the headlines with the 0ktapus campaign that is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.
The Octo Tempest is known for its advanced social engineering, identity compromise, and persistence tactics. The gang frequently targets VMWare ESXi servers and deploys BlackCat ransomware.
RansomHub is a ransomware as a service (RaaS) that was employed in the operations of multiple threat actors. Microsoft reported that RansomHub was observed being deployed in post-compromise activity by the threat actor tracked as Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections.
In the second quarter of 2024, financially motivated threat actor Octo Tempest, our most closely tracked ransomware threat actor, added RansomHub and Qilin to its ransomware payloads in campaigns. pic.twitter.com/iS3nnnoxSm
— Microsoft Threat Intelligence (@MsftSecIntel) July 15, 2024Threat actors like Octo Tempest focus on identity compromise. Storm-0501 was observed adopting similar tactics, utilizing open-source toolkits like AADInternals for domain federations and other techniques to facilitate latter stages of attacks, which lead to Embargo ransomware.
— Microsoft Threat Intelligence (@MsftSecIntel) July 15, 2024The Qilin ransomware operation has been active since August 2022 and the Qilin group claimed the hack of over 130 companies.
Like many other ransomware groups, Qilin operators carry out attacks with a double-extortion model.
Recently, Qilin ransomware operators hit pathology services provider Synnovis, NHS England confirmed the attack had a severe impact of multiple London hospitals, forcing them to cancel more than hundreds of scheduled operations.
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, ransomware)