
    Scattered Spider Embraces RansomHub and Qilin Ransomware for Cyber Attacks

    The threat group known as Scattered Spider has added the RansomHub and Qilin ransomware strains to its toolkit, according to Microsoft.

    Scattered Spider is the name given to a threat actor known for skilled social engineering, which it uses to gain initial access to targets and establish persistence before moving on to exploitation and data theft. The group has a history of attacking VMware ESXi servers and deploying BlackCat ransomware.

    The group's activity overlaps with clusters tracked by the wider security community under the names 0ktapus, Octo Tempest, and UNC3944. A key member of the group was arrested in Spain last month.

    RansomHub, which first appeared in February, is assessed to be a rebrand of an earlier ransomware strain known as Knight, according to an analysis published by Broadcom-owned Symantec last month.

    “RansomHub is a ransomware-as-a-service (RaaS) payload employed by an increasing number of threat actors, including those who have historically utilized other (sometimes obsolete) ransomware payloads (like BlackCat), rendering it one of the most pervasive ransomware families today,” Microsoft stated.

    The Windows maker also said it has observed RansomHub being deployed during post-compromise activity by Manatee Tempest (also known as DEV-0243, Evil Corp, or Indrik Spider), following initial access obtained by Mustard Tempest (also tracked as DEV-0206 or Purple Vallhund) through FakeUpdates (aka SocGholish) infections.

    Mustard Tempest is an initial access broker that has previously used FakeUpdates in intrusions leading to pre-ransomware activity associated with Evil Corp. Those intrusions were notable for delivering FakeUpdates through existing Raspberry Robin infections.

    The development coincides with the emergence of new ransomware families such as FakePenny (attributed to Moonstone Sleet), Fog (distributed by Storm-0844, which has also spread Akira), and ShadowRoot, the last of which has been observed targeting Turkish businesses with fake PDF invoices.

    “As the menace of ransomware continues to intensify, proliferate, and transform, users and organizations are urged to adhere to security best practices, particularly credential hygiene, the principle of least privilege, and Zero Trust,” Microsoft advised.
