Microsoft warns that one of the most dangerous cybercriminal gangs has expanded its arsenal
One of the world’s most dangerous cybercrime gangs has expanded its arsenal with two additional ransomware payloads, security experts at Microsoft have revealed.
In a thread posted on X/Twitter, cybersecurity researchers at Microsoft reported that Octo Tempest, known for its “advanced social engineering techniques, identity compromise, and persistence,” is now leveraging RansomHub and Qilin.
In the thread, Microsoft researchers noted that Octo Tempest typically targets VMware ESXi servers and aims to deploy the BlackCat ransomware. The addition of the new payloads, apparently introduced in Q2 2024, could therefore be a consequence of BlackCat now being defunct.
New, but dangerous
Earlier this year, a BlackCat affiliate breached Change Healthcare and extorted $22 million from the company. The money never reached the affiliate, however; it was instead scooped up by BlackCat’s administrators, who shut down the entire operation and disappeared.
The affiliate, who was left holding gigabytes of sensitive information, later became RansomHub, one of the two payloads now used by Octo Tempest. Although a relatively new player in the ransomware game, RansomHub is already making a name for itself, claiming responsibility for the attacks on Christie’s, Rite Aid, and NRS Healthcare.
Microsoft reported that RansomHub was observed in post-breach activity by Manatee Tempest, after Mustard Tempest had first gained initial access through FakeUpdates/SocGholish infections.
Microsoft first brought Octo Tempest to light in October 2023, when it published an in-depth analysis of the threat actor, noting that the hackers are native English speakers, financially motivated, have extensive knowledge and experience, and are unscrupulous.
Octo Tempest first formed in early 2022 and at the time focused mainly on selling SIM swaps and stealing accounts from people holding large amounts of cryptocurrency. A few months later, the group expanded its activities into phishing, social engineering, and mass password resets carried out through compromised service providers.