Microsoft: Scattered Spider Widens Web With RansomHub & Qilin

Octo Tempest, a threat actor also known as Scattered Spider, has added RansomHub and Qilin to its repository for use in attacks, Microsoft's Threat Intelligence Team is warning.

The gang, which first arrived on the scene in 2022, is known for its social engineering techniques, which Microsoft describes as sophisticated, as well as identity compromises, targeting of VMware ESXi servers, and deployment of BlackCat ransomware. It was also infamously behind the massive ransomware attacks on Caesars Palace and MGM Entertainment last year.

Other tactics, techniques, and procedures (TTPs) the group is known to use include impersonating IT employees to deceive company staff into providing credentials or gaining persistence using remote access tools, as well as phishing, MFA bombing, and SIM swapping.

Qilin ransomware also surfaced in 2022 under a different name, "Agenda," but quickly rebranded. The group is known to have targeted and claimed more than 130 companies, demanding ransoms from as low as $25,000 and well into millions, and is developing a customizable Linux encryptor to target VMware ESXi servers, according to Microsoft. RansomHub, meanwhile, is a ransomware-as-a-service (RaaS) offering that is becoming increasingly favored by threat actors, "making it one of the most widespread ransomware families today," the tech giant said via X.

Octo Tempest accounts for a significant number of the investigations that the Microsoft team covers, it said, and has dominated incident response engagements it has received since first gaining attention through its "oktapus" campaign, which targeted over 130 well-known organizations.