Microsoft warns users that one of the most dangerous cybercrime crews has a dangerous new tool in its arsenal

Microsoft security experts have revealed that Octo Tempest, one of the most dangerous cybercrime groups, has expanded its capabilities to include two new ransomware payloads, RansomHub and Qilin.

Microsoft’s cybersecurity researchers shared this information on X/Twitter and detailed the group’s advanced techniques in social engineering, identity compromise, and persistence.

Octo Tempest, which typically targets VMware ESXi servers, has been known for deploying BlackCat ransomware. However, with BlackCat now defunct, the group introduced these new payloads in the second quarter of 2024.

Earlier this year, an affiliate associated with Octo Tempest breached Change Healthcare and extorted $22 million from the company. The money, however, was intercepted by the BlackCat maintainers, who then shut down the operation and disappeared, leaving the affiliate holding gigabytes of sensitive information.

This incident led to the creation of RansomHub, one of the new ransomware payloads now used by Octo Tempest. Despite being relatively new, RansomHub has quickly made a name for itself, linked to attacks on Christie’s, Rite Aid, and NRS Healthcare.

Microsoft’s researchers observed that Manatee Tempest often deploys RansomHub in post-compromise scenarios after Mustard Tempest gains initial access via FakeUpdates/SocGholish infections.

Microsoft first highlighted Octo Tempest in October 2023 with an in-depth analysis that revealed the hackers are native English speakers, financially motivated, and possess extensive knowledge and experience.

The group, formed in early 2022, initially focused on SIM swaps and stealing accounts rich in cryptocurrencies. They later expanded their operations to include phishing, social engineering, and resetting passwords for hacked service providers.

The introduction of RansomHub and Qilin marks a significant evolution in Octo Tempest’s threat landscape. Their shift from BlackCat to these new ransomware payloads, while continuing to target VMware ESXi servers, shows their adaptability and continuous drive to exploit vulnerabilities for financial gain. This expansion of their arsenal poses a heightened risk to organizations and underlines the need for robust cybersecurity measures.

Organizations are advised to update and patch their systems regularly to prevent the exploitation of known vulnerabilities. Implementing strong access controls can reduce the risk of compromise. Educating employees on phishing and social engineering tactics can help prevent cybercriminals’ initial access. Using comprehensive security solutions can detect and mitigate threats before they cause significant damage. Ensuring that data backups are frequent and stored securely can aid in recovery during a ransomware attack.

These steps are essential for organizations to protect themselves against the evolving threat posed by groups like Octo Tempest and their expanding ransomware arsenal. The landscape of cyber threats is constantly changing, and staying informed and proactive is critical to maintaining security.
