Microsoft warns of new ransomware threats: How to stay safe
Microsoft has issued a warning about the cybercrime group Octo Tempest, known for its advanced social engineering and identity compromise techniques. The company's threat intelligence researchers revealed on X that the group has added two new ransomware payloads, RansomHub and Qilin, to its arsenal. The change follows the collapse of the BlackCat ransomware operation, whose payload Octo Tempest previously deployed.
Octo Tempest targets VMware ESXi servers
Octo Tempest is notorious for targeting VMware ESXi servers, where a single compromised host lets the attackers encrypt many virtual machines at once. The group began deploying RansomHub and Qilin in the second quarter of 2024, after the BlackCat ransomware operation shut down. Earlier this year, an affiliate linked to Octo Tempest breached Change Healthcare and demanded a $22 million ransom. The ransom was paid, but the BlackCat operators kept the payment, ceased operations and vanished, leaving the affiliate unpaid but still holding gigabytes of sensitive stolen data.
RansomHub gains notoriety following high-profile attacks
RansomHub emerged after the BlackCat incident and quickly gained notoriety through attacks on Christie's, Rite Aid, and NRS Healthcare. Microsoft researchers noted that RansomHub is often deployed post-compromise by Manatee Tempest, after Mustard Tempest has obtained initial access through FakeUpdates/SocGholish infections. Microsoft first profiled Octo Tempest in October 2023, highlighting its advanced cybercrime tradecraft.
Octo Tempest's evolution marks significant cyber threat
Formed in early 2022, Octo Tempest initially focused on SIM swapping and taking over cryptocurrency-rich accounts, then broadened its operations to social engineering, phishing, and getting account passwords reset at compromised service providers. Adding RansomHub and Qilin marks a significant evolution of the threat the group poses. The group has not moved away from ESXi servers; it keeps the same intrusion playbook and simply swaps the final payload, which shows that its ransomware operations are driven by financial gain rather than loyalty to any one ransomware brand.
Tips for organizations to protect themselves against the evolving threat
Organizations should regularly update and patch their systems, including ESXi hosts, to prevent the exploitation of known vulnerabilities. Strong access controls reduce the risk of identity compromise: phishing-resistant multi-factor authentication, and help-desk procedures that verify a caller's identity before resetting passwords or MFA, directly counter the social engineering this group relies on. Educating employees on phishing and social engineering tactics can deny attackers their initial access. Endpoint and identity protection that detects post-compromise activity can stop an intrusion before the ransomware payload is deployed. Frequent backups that are kept offline or immutable, and tested for restore, aid recovery in the event of a ransomware attack; this matters especially for ESXi, where one encrypted host can take down many virtual machines at once.