Microsoft warns one of the most dangerous cybercrime crews around has expanded its arsenal

Octo Tempest is now using RansomHub and Qilin

When you purchase through links on our site, we may earn an affiliate commission.Here’s how it works.

One of the most dangerous cybercrime crews around,has expanded its arsenal to include two additionalransomwarepayloads,Microsoftsecurity experts have revealed.

Athreadon X/Twitter posted by cybersecurity researchers at Microsoft outlined how Octo Tempest, known for its “sophisticated social engineering techniques, identity compromise, and persistence," is now utilizing RansomHub and Qilin.

In the thread, Microsoft’s researchers added Octo Tempest usually targets VMWare ESXi servers and looks to deploy the BlackCat ransomware - so the addition of the new payloads, which was apparently introduced in the second quarter of 2024, could be due to the fact that BlackCat is now defunct.

New, but dangerous

Earlier this year, an affiliate breached Change Healthcare and managed to extort the company for $22 million. However, the money never reached the affiliate who made the breach, and was instead picked up by BlackCat maintainers,who shut the whole operation down and disappeared.

The affiliate, which was left holding gigabytes of sensitive information, later became RansomHub, one of the two payloads now used by Octo Tempest. Even though it’s a relatively young player in the ransomware game, RansomHub is making quite a name for itself, assuming responsibility for the attacks on Christie’s, Rite Aid, and NRS Healthcare.

Microsoft added that RansomHub was observed being deployed in post-compromise activity by Manatee Tempest, following initial access by Mustard Tempest via FakeUpdates/Socgholish infections.

Microsoftfirst lifted the lid on Octo Tempest in October 2023, when it published an in-depth analysis of the threat actor which noted the hackers are native English, financially motivated, with extensive knowledge, plenty of experience, and zero scrupules.

Are you a pro? Subscribe to our newsletter

Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!

Octo Tempest was first formed in early 2022 and at the time it was oriented mostly towards selling SIM swaps and stealing accounts belonging to people rich in cryptocurrencies. A few months later, the group expanded its operations and started phishing, social engineering, as well as resetting huge amounts of passwords of hacked service providers.

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

This new phishing strategy utilizes GitHub comments to distribute malware

Should your VPN always be on?

GoPro Max 2 hit by further delays – 2025 is the earliest we’ll see the 360-degree action cam