Pierluigi Paganini July 17, 2024

Microsoft said that in Q2 2024, the Octo Tempest cybercrime gang added RansomHub and Qilin ransomware to its arsenal.

In the second quarter of 2024, financially motivated threat actor Octo Tempest (aka Scattered Spider, UNC3944, and 0ktapus), added RansomHub and Qilin ransomware to its arsenal and used them in its campaigns.

Octo Tempest has been active since early 2022, it made the headlines with the 0ktapus campaign that is suspected of hacking into hundreds of organizations over the past two years, including Twilio, LastPass, DoorDash, and Mailchimp.

The Octo Tempest is known for its advanced social engineering, identity compromise, and persistence tactics. The gang frequently targets VMWare ESXi servers and deploys BlackCat ransomware.

RansomHub is a ransomware as a service (RaaS) that was employed in the operations of multiple threat actors. Microsoft reported that RansomHub was observed being deployed in post-compromise activity by the threat actor tracked as Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections.

​The Qilin ransomware operation has been active since August 2022 and the Qilin group claimed the hack of over 130 companies.

Like many other ransomware groups, Qilin operators carry out attacks with a double-extortion model.

Recently, Qilin ransomware operators hit pathology services provider Synnovis, NHS England confirmed the attack had a severe impact of multiple London hospitals, forcing them to cancel more than hundreds of scheduled operations.

Pierluigi Paganini

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

(SecurityAffairs – hacking, ransomware)