According to Microsoft security experts, one of the most dangerous groups of cybercriminals out there has added two more ransomware payloads to its arsenal.
Microsoft cybersecurity researchers described in a thread on X/Twitter how Octo Tempest, a group renowned for its “sophisticated social engineering techniques, identity compromise, and persistence,” is now using Qilin and RansomHub.
Microsoft researchers noted in the thread that Octo Tempest has typically targeted VMware ESXi servers and attempted to deploy BlackCat ransomware on them; the new payloads, reportedly first observed in the second quarter of 2024, may therefore be a response to the collapse of the BlackCat operation.
New, But Dangerous
An affiliate broke into Change Healthcare earlier in 2024 and extracted a USD 22 million payment from the company. The money, however, never reached the affiliate that carried out the breach; instead, the BlackCat operators kept it, shut down the entire operation, and vanished.
Left holding gigabytes of stolen private data, the affiliate evolved into RansomHub, one of the two payloads Octo Tempest uses today. Having claimed responsibility for the attacks on Christie's, Rite Aid, and NRS Healthcare, RansomHub is becoming quite a prominent name in the ransomware scene despite being a relative newcomer.
Microsoft further stated that Manatee Tempest was seen deploying RansomHub in post-compromise activity after Mustard Tempest had gained initial access via FakeUpdates/SocGholish infections.
Microsoft first published details about Octo Tempest in October 2023, when it released a thorough analysis of the threat actor describing its members as financially motivated native English speakers with deep technical knowledge and experience, and few scruples.
When Octo Tempest first appeared in early 2022, its primary activities were selling SIM swaps and taking over the accounts of high-net-worth cryptocurrency holders. Within a few months the group broadened its operations, running large-scale phishing and social-engineering campaigns and mass password resets against service providers it had compromised.
Octo Tempest: Not A New Name
Microsoft has been tracking activity related to the financially motivated threat actor Octo Tempest since 2023 and rates it as one of the most dangerous financially motivated criminal groups, owing to its extensive range of tactics, techniques, and procedures (TTPs).
“Octo Tempest is a financially motivated collective of native English-speaking threat actors known for launching wide-ranging campaigns that prominently feature adversary-in-the-middle (AiTM) techniques, social engineering, and SIM swapping capabilities,” the tech giant commented in October 2023, while adding, “Octo Tempest, which overlaps with research associated with 0ktapus, Scattered Spider, and UNC3944, was initially seen in early 2022, targeting mobile telecommunications and business process outsourcing organisations to initiate phone number ports (also known as SIM swaps). Octo Tempest monetised their intrusions in 2022 by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.”
From late 2022 to early 2023, Octo Tempest expanded their targeting to include cable telecommunications, email, and technology organisations. During this period, Octo Tempest started monetising intrusions by extorting victim organisations for data stolen during their intrusion operations and sometimes even resorting to physical threats.
“In mid-2023, Octo Tempest became an affiliate of ALPHV/BlackCat, a human-operated ransomware as a service (RaaS) operation, and initial victims were extorted for data theft (with no ransomware deployment) using ALPHV Collections leak site. This is notable in that, historically, Eastern European ransomware groups refused to do business with native English-speaking criminals,” Microsoft Security stated.
“By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMWare ESXi servers. Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, managed service providers, manufacturing, law, technology, and financial services,” it added further.
While Octo Tempest leverages a diverse array of TTPs to navigate complex hybrid environments, exfiltrate sensitive data, and encrypt systems, it also uses tradecraft that many organisations do not include in their typical threat models, such as SMS phishing, SIM swapping, and advanced social engineering of help desks and staff.