Article Details
Scrape Timestamp (UTC): 2024-07-17 05:57:23.945
Source: https://thehackernews.com/2024/07/scattered-spider-adopts-ransomhub-and.html
Original Article Text
Click to Toggle View
Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks. The infamous cybercrime group known as Scattered Spider has incorporated ransomware strains such as RansomHub and Qilin into its arsenal, Microsoft has revealed. Scattered Spider is the designation given to a threat actor that's known for its sophisticated social engineering schemes to breach targets and establish persistence for follow-on exploitation and data theft. It also has a history of targeting VMWare ESXi servers and deploying BlackCat ransomware. It shares overlaps with activity clusters tracked by the broader cybersecurity community under the monikers 0ktapus, Octo Tempest, and UNC3944. Last month, it was reported that a key member of the group was arrested in Spain. RansomHub, which arrived on the scene earlier this February, has been assessed to be a rebrand of another ransomware strain called Knight, according to an analysis from Broadcom-owned Symantec last month. "RansomHub is a ransomware-as-a-service (RaaS) payload used by more and more threat actors, including ones that have historically used other (sometimes defunct) ransomware payloads (like BlackCat), making it one of the most widespread ransomware families today," Microsoft said. The Windows maker said it also observed RansomHub deployed as part of post-compromise activity by Manatee Tempest (aka DEV-0243, Evil Corp, or Indrik Spider) following initial access obtained by Mustard Tempest (aka DEV-0206 or Purple Vallhund) through FakeUpdates (aka Socgholish) infections. It's worth mentioning here that Mustard Tempest is an initial access broker that has, in the past, utilized FakeUpdates in attacks that have led to actions resembling pre-ransomware behavior associated with Evil Corp. These intrusions were also notable for the fact that FakeUpdates was delivered via existing Raspberry Robin infections. The development comes amid the emergence of fresh ransomware families like FakePenny (attributed to Moonstone Sleet), Fog (distributed by Storm-0844, which has also propagated Akira), and ShadowRoot, the last of which has been observed targeting Turkish businesses using fake PDF invoices. "As the threat of ransomware continues to increase, expand, and evolve, users and organizations are advised to follow security best practices, especially credential hygiene, principle of least privilege, and Zero Trust," Microsoft said.
Daily Brief Summary
Scattered Spider, a sophisticated cybercrime group, has incorporated RansomHub and Qilin ransomware into its operations, as reported by Microsoft.
The group is known for advanced social engineering, targeting VMWare ESXi servers, and previously using BlackCat ransomware.
RansomHub, identified as a rebrand of the Knight ransomware strain, is becoming a prevalent tool among various cybercriminal groups.
Microsoft has also noted that RansomHub was deployed by Manatee Tempest following initial access facilitated by Mustard Tempest through FakeUpdates infections.
Connections have been made between these activities and notorious groups like Evil Corp, emphasizing the collaborative and overlapping nature of modern cybercriminal enterprises.
The arrest of a prominent member of Scattered Spider in Spain last month highlights ongoing efforts to combat such cybercrime networks.
The rise of new ransomware families such as FakePenny, Fog, and ShadowRoot signals an expanding and evolving threat landscape.
Microsoft advises adherence to security best practices like credential hygiene, least privilege principle, and Zero Trust framework to combat these threats.