Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks

Jul 17, 2024NewsroomCybercrime / Ransomware

The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed.

Scattered Spider is the designation given to a threat actor that’s known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of targeting VMWare ESXi servers and deploying BlackCat ransomware.

Cybersecurity

It shares overlaps with activity clusters tracked by the broader cybersecurity community under the monikers 0ktapus, Octo Tempest, and UNC3944. Last month, it was reported that a key member of the group was arrested in Spain.

RansomHub, which arrived on the scene earlier this February, has been assessed to be a rebrand of another ransomware strain called Knight, according to an analysis from Broadcom-owned Symantec last month.

“RansomHub is a ransomware-as-a-service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware payloads (like BlackCat), making it one of the most widespread ransomware families today,” Microsoft said.

The Windows maker said it also observed RansomHub deployed as part of post-compromise activity by Manatee Tempest (aka DEV-0243, Evil Corp, or Indrik Spider) following initial access obtained by Mustard Tempest (aka DEV-0206 or Purple Vallhund) through FakeUpdates (aka Socgholish) infections.

It’s worth mentioning here that Mustard Tempest is an initial access broker that has, in the past, utilized FakeUpdates in attacks that have led to actions resembling pre-ransomware behavior associated with Evil Corp. These intrusions were also notable for the fact that FakeUpdates was delivered via existing Raspberry Robin infections.

The development comes amid the emergence of fresh ransomware families like FakePenny (attributed to Moonstone Sleet), Fog (distributed by Storm-0844, which has also propagated Akira), and ShadowRoot, the last of which has been observed targeting Turkish businesses using fake PDF invoices.

“As the threat of ransomware continues to increase, expand, and evolve, users and organizations are advised to follow security best practices, especially credential hygiene, principle of least privilege, and Zero Trust,” Microsoft said.

Found this article interesting? Follow us on Twitter and LinkedIn to read more exclusive content we post.