    Microsoft warns of new ransomware threats: How to stay safe
    Microsoft is advising caution against ransomware threats from Octo Tempest

    By Akash Pandey
    Jul 18, 2024
    05:29 pm

    What's the story

    Microsoft has issued a warning about the cybercrime group Octo Tempest, known for its advanced social engineering techniques and identity compromise.

    The tech giant's cybersecurity researchers revealed on X that the group has expanded its arsenal to include two new ransomware payloads, RansomHub and Qilin.

    This development follows the shutdown of the BlackCat ransomware, which Octo Tempest previously deployed.

    Cyber attacks

    Octo Tempest targets VMware ESXi servers

    Octo Tempest is notorious for targeting VMware ESXi servers.

    The group introduced RansomHub and Qilin in the second quarter of 2024, following the shutdown of BlackCat ransomware.

    Earlier this year, an affiliate linked to Octo Tempest breached Change Healthcare and demanded a $22 million ransom.

    However, the money was intercepted by BlackCat maintainers who subsequently ceased operations and vanished, leaving the affiliate with gigabytes of sensitive information.

    Ransomware threat

    RansomHub gains notoriety following high-profile attacks

    The creation of RansomHub followed the BlackCat incident, and it has quickly gained notoriety after attacks on Christie's, Rite Aid, and NRS Healthcare.

    Microsoft researchers noted that RansomHub is often deployed in post-compromise scenarios by Manatee Tempest once initial access is secured by Mustard Tempest via FakeUpdates/SocGholish infections.

    Octo Tempest was first highlighted by Microsoft in October 2023 for its advanced cybercrime techniques.

    Cybercrime evolution

    Octo Tempest's evolution marks significant cyber threat

    Formed in early 2022, Octo Tempest initially focused on SIM swaps and stealing cryptocurrency-rich accounts before expanding its operations to include social engineering, phishing, and resetting passwords for hacked service providers.

    The introduction of RansomHub and Qilin marks a significant evolution in the threat the group poses.

    Their shift from VMware ESXi servers to these new ransomware payloads indicates their aim to exploit vulnerabilities for financial gain.

    Preventive measures

    Tips for organizations to protect themselves against the evolving threat

    Organizations should regularly update and patch their systems to prevent the exploitation of known vulnerabilities.

    Strong access controls should be implemented to reduce the risk of compromise, while educating employees on phishing and social engineering tactics can prevent initial access by cybercriminals.

    Comprehensive security solutions can help detect and mitigate threats preemptively.

    Ensuring frequent and secure data backups can aid recovery in the event of a ransomware attack.
