Get all your news in one place.
100’s of premium titles.
One app.
Start reading
TechRadar
TechRadar
Sead Fadilpašić

Microsoft warns one of the most dangerous cybercrime crews around has expanded its arsenal

ID theft.

One of the most dangerous cybercrime crews around,has expanded its arsenal to include two additional ransomware payloads, Microsoft security experts have revealed.

A thread on X/Twitter posted by cybersecurity researchers at Microsoft outlined how Octo Tempest, known for its “sophisticated social engineering techniques, identity compromise, and persistence," is now utilizing RansomHub and Qilin. 

In the thread, Microsoft’s researchers added Octo Tempest usually targets VMWare ESXi servers and looks to deploy the BlackCat ransomware - so the addition of the new payloads, which was apparently introduced in the second quarter of 2024, could be due to the fact that BlackCat is now defunct.

New, but dangerous

Earlier this year, an affiliate breached Change Healthcare and managed to extort the company for $22 million. However, the money never reached the affiliate who made the breach, and was instead picked up by BlackCat maintainers, who shut the whole operation down and disappeared.

The affiliate, which was left holding gigabytes of sensitive information, later became RansomHub, one of the two payloads now used by Octo Tempest. Even though it’s a relatively young player in the ransomware game, RansomHub is making quite a name for itself, assuming responsibility for the attacks on Christie’s, Rite Aid, and NRS Healthcare.

Microsoft added that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest, following initial access by Mustard Tempest via FakeUpdates/Socgholish infections.

Microsoft first lifted the lid on Octo Tempest in October 2023, when it published an in-depth analysis of the threat actor which noted the hackers are native English, financially motivated, with extensive knowledge, plenty of experience, and zero scrupules. 

Octo Tempest was first formed in early 2022 and at the time it was oriented mostly towards selling SIM swaps and stealing accounts belonging to people rich in cryptocurrencies. A few months later, the group expanded its operations and started phishing, social engineering, as well as resetting huge amounts of passwords of hacked service providers.

More from TechRadar Pro

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.