Microsoft warns one of the most dangerous cybercrime crews around has expanded its arsenal

ID theft
Image credit: Pixabay (Image credit: Future)

One of the most dangerous cybercrime crews around,has expanded its arsenal to include two additional ransomware payloads, Microsoft security experts have revealed.

A thread on X/Twitter posted by cybersecurity researchers at Microsoft outlined how Octo Tempest, known for its “sophisticated social engineering techniques, identity compromise, and persistence," is now utilizing RansomHub and Qilin. 

In the thread, Microsoft’s researchers added Octo Tempest usually targets VMWare ESXi servers and looks to deploy the BlackCat ransomware - so the addition of the new payloads, which was apparently introduced in the second quarter of 2024, could be due to the fact that BlackCat is now defunct.

New, but dangerous

Earlier this year, an affiliate breached Change Healthcare and managed to extort the company for $22 million. However, the money never reached the affiliate who made the breach, and was instead picked up by BlackCat maintainers, who shut the whole operation down and disappeared.

The affiliate, which was left holding gigabytes of sensitive information, later became RansomHub, one of the two payloads now used by Octo Tempest. Even though it’s a relatively young player in the ransomware game, RansomHub is making quite a name for itself, assuming responsibility for the attacks on Christie’s, Rite Aid, and NRS Healthcare.

Microsoft added that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest, following initial access by Mustard Tempest via FakeUpdates/Socgholish infections.

Microsoft first lifted the lid on Octo Tempest in October 2023, when it published an in-depth analysis of the threat actor which noted the hackers are native English, financially motivated, with extensive knowledge, plenty of experience, and zero scrupules. 

Octo Tempest was first formed in early 2022 and at the time it was oriented mostly towards selling SIM swaps and stealing accounts belonging to people rich in cryptocurrencies. A few months later, the group expanded its operations and started phishing, social engineering, as well as resetting huge amounts of passwords of hacked service providers.

More from TechRadar Pro

TOPICS

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.