2024-07-25

Octo Tempest Expands Arsenal with RansomHub and Qilin Ransomware Variants

Level: Strategic | Source: BleepingComputer & Microsoft | Global

Microsoft Intelligence published new findings on the activities of the proficient threat group Octo Tempest, which overlaps with Scattered Spider. In a post on X, Microsoft described the group as "our most closely tracked ransomware threat actor." In the second quarter of 2024, this financially motivated cybercrime gang added the RansomHub and Qilin ransomware payloads to its campaigns. Octo Tempest, known for its effective social engineering techniques and identity compromise methods, continues to target VMware ESXi servers. The group's proficiency in deploying ransomware-as-a-service (RaaS) payloads such as RansomHub has made it a significant focus not only of Microsoft but also of the United States Federal Bureau of Investigation (FBI), which said as much in May 2024.

The gang's attack strategies include phishing, MFA bombing, SIM swapping, and impersonating IT employees to obtain credentials. These methods allow the group to establish persistence on victims' networks, conduct extensive reconnaissance, and deploy ransomware payloads, ultimately carrying out double-extortion attacks that leverage stolen data. The impact of these attacks has been severe: victims include the healthcare sector and major corporations such as Microsoft, Binance, and T-Mobile. The FBI and CISA have highlighted the group's tactics in recent advisories, emphasizing its use of remote access tools and social engineering to infiltrate target networks.

Tracking by BleepingComputer found that the Qilin gang has claimed over 130 companies on its dark web leak site and has been linked to significant disruptions, such as the attack on Synnovis, a pathology services provider, which affected several NHS hospitals in London. The Qilin ransomware has been under continuous development since its emergence in August 2022 and is noted for its advanced, customizable Linux encryptors designed to target VMware ESXi virtual machines.