One of the most dangerous cybercrime groups has expanded its arsenal to include two additional ransomware payloads, Microsoft security experts have revealed.
A thread on X/Twitter posted by Microsoft cybersecurity researchers described how Octo Tempest, known for its “sophisticated social engineering, identity compromise, and persistence techniques,” is now using RansomHub and Qilin.
In the thread, Microsoft researchers added that Octo Tempest typically targets VMware ESXi servers and looks to deploy the BlackCat ransomware, so the addition of the new payloads, which were apparently introduced in Q2 2024, may be a consequence of BlackCat now being dormant.
New, but dangerous
Earlier this year, an affiliate breached Change Healthcare and successfully extorted the company for $22 million. However, the money never reached the affiliate who carried out the attack; it was instead collected by BlackCat's maintainers, who shut down the entire operation and disappeared.
The affiliate, left with gigabytes of sensitive information, later became RansomHub, one of the two payloads currently used by Octo Tempest. Although a relatively young player in the ransomware game, RansomHub is making a name for itself, claiming responsibility for attacks on Christie's, Rite Aid, and NRS Healthcare.
Microsoft added that RansomHub was also observed being deployed in post-compromise activity by Manatee Tempest, following initial access by Mustard Tempest via FakeUpdates/SocGholish infections.
Microsoft first revealed Octo Tempest in October 2023, when it published an in-depth analysis of the threat actor noting that the hackers are native English speakers, financially motivated, highly knowledgeable and experienced, and entirely without scruples.
Octo Tempest was formed in early 2022 and at the time was primarily focused on selling SIM swaps and stealing accounts belonging to crypto-rich individuals. A few months later, the group expanded its operations and began phishing, social engineering, and resetting large numbers of passwords at hacked service providers.