Microsoft warns users that one of the most dangerous cybercrime crews has dangerous new tool in arsenal



Microsoft first highlighted Octo Tempest in October 2023 with an in-depth analysis that revealed the hackers are native English speakers, financially motivated, and possess extensive knowledge and experience. Image credit: Reuters

Microsoft security experts have revealed that Octo Tempest, one of the most dangerous cybercrime groups, has expanded its capabilities to include two new ransomware payloads, RansomHub and Qilin.

This information was shared on X/Twitter by Microsoft’s cybersecurity researchers, who detailed the group’s advanced techniques in social engineering, identity compromise, and persistence.

Octo Tempest, which typically targets VMware ESXi servers, had been known for deploying BlackCat ransomware. However, with BlackCat now defunct, the group introduced these new payloads in the second quarter of 2024.

Earlier this year, an affiliate associated with Octo Tempest breached Change Healthcare and extorted $22 million from the company. The money, however, was intercepted by the BlackCat maintainers, who then shut down the operation and disappeared, leaving the affiliate holding gigabytes of sensitive information.

This incident led to the creation of RansomHub, one of the new ransomware payloads now used by Octo Tempest. Despite being relatively new, RansomHub has quickly made a name for itself, being linked to attacks on Christie’s, Rite Aid, and NRS Healthcare.

Microsoft’s researchers observed that RansomHub is often deployed in post-compromise scenarios by Manatee Tempest after initial access is gained by Mustard Tempest via FakeUpdates/SocGholish infections.

Microsoft first highlighted Octo Tempest in October 2023 with an in-depth analysis that revealed the hackers are native English speakers, financially motivated, and possess extensive knowledge and experience.

The group, formed in early 2022, initially focused on SIM swaps and stealing accounts rich in cryptocurrencies. They later expanded their operations to include phishing, social engineering, and resetting large numbers of passwords for hacked service providers.

The introduction of RansomHub and Qilin marks a significant evolution in Octo Tempest’s threat landscape. Their adoption of these new ransomware payloads, on top of their established targeting of VMware ESXi servers, indicates their adaptability and continuous drive to exploit vulnerabilities for financial gain. This expansion in their arsenal poses a heightened risk to organisations, emphasising the need for robust cybersecurity measures.

Organisations are advised to regularly update and patch their systems to prevent the exploitation of known vulnerabilities. Implementing strong access controls can reduce the risk of compromise. Educating employees on phishing and social engineering tactics can help prevent initial access by cybercriminals. Using comprehensive security solutions can detect and mitigate threats before they cause significant damage. Ensuring that data backups are frequent and stored securely can aid in recovery in the event of a ransomware attack.

These steps are essential for organisations to protect themselves against the evolving threat posed by groups like Octo Tempest and their expanding ransomware arsenal. The landscape of cyber threats is constantly changing, and staying informed and proactive is critical to maintaining security.
