Microsoft Links Scattered Spider Hackers to Qilin Ransomware Attacks

Summary:
Microsoft has reported that the Scattered Spider cybercrime gang, also known as Octo Tempest, UNC3944, and 0ktapus, has added Qilin ransomware to its arsenal and is now using it in attacks. In the second quarter of 2024, Octo Tempest, a financially motivated threat actor, incorporated RansomHub and Qilin into its ransomware campaigns. The group, which surfaced in early 2022, gained notoriety with its 0ktapus campaign, targeting over 130 high-profile organizations, including Microsoft, Binance, CoinBase, T-Mobile, Verizon Wireless, AT&T, Slack, Twitter, Epic Games, Riot Games, and Best Buy.

The English-speaking gang has also encrypted MGM Resorts' systems after joining BlackCat/ALPHV ransomware as an affiliate in mid-2023 and has been linked by Symantec to the RansomHub ransomware-as-a-service. In November, the FBI and CISA issued an advisory highlighting Scattered Spider's tactics, techniques, and procedures (TTPs), which include impersonating IT employees to trick customer service staff into providing credentials, and using remote access tools for persistence on targets' networks. Other tactics for initial network access include phishing, MFA bombing (also known as MFA fatigue), and SIM swapping.
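Of the initial-access tactics listed above, MFA bombing leaves a distinctive trail in identity-provider logs: a run of push prompts the user denies or ignores, sometimes followed by a single approval. The following detection sketch is an added example, not code from the article or from Microsoft. The JSON log lines are constructed sample data, and the field names (`time`, `user`, `event`, `result`, `src_ip`) are assumptions that would need to be mapped onto a real IdP's schema; the threshold and window values are starting points, not vendor guidance.

```python
import json
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample MFA push events (not taken from the article).
# Field names are assumptions; map your IdP's export onto them.
SAMPLE_LOG = """\
{"time": "2024-07-15T08:00:00Z", "user": "alice", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"}
{"time": "2024-07-15T08:00:40Z", "user": "alice", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"}
{"time": "2024-07-15T08:01:20Z", "user": "alice", "event": "mfa_push", "result": "timeout", "src_ip": "198.51.100.7"}
{"time": "2024-07-15T08:02:00Z", "user": "alice", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"}
{"time": "2024-07-15T08:02:45Z", "user": "alice", "event": "mfa_push", "result": "denied", "src_ip": "198.51.100.7"}
{"time": "2024-07-15T08:03:30Z", "user": "alice", "event": "mfa_push", "result": "timeout", "src_ip": "198.51.100.7"}
{"time": "2024-07-15T08:04:10Z", "user": "alice", "event": "mfa_push", "result": "approved", "src_ip": "198.51.100.7"}
{"time": "2024-07-15T08:05:00Z", "user": "bob", "event": "mfa_push", "result": "denied", "src_ip": "203.0.113.9"}
{"time": "2024-07-15T08:05:30Z", "user": "bob", "event": "mfa_push", "result": "approved", "src_ip": "203.0.113.9"}
{"time": "2024-07-15T09:00:00Z", "user": "carol", "event": "mfa_push", "result": "timeout", "src_ip": "192.0.2.4"}
{"time": "2024-07-15T10:30:00Z", "user": "carol", "event": "mfa_push", "result": "timeout", "src_ip": "192.0.2.4"}
{"time": "2024-07-15T12:00:00Z", "user": "carol", "event": "mfa_push", "result": "timeout", "src_ip": "192.0.2.4"}
{"time": "2024-07-15T13:30:00Z", "user": "carol", "event": "mfa_push", "result": "timeout", "src_ip": "192.0.2.4"}
{"time": "2024-07-15T15:00:00Z", "user": "carol", "event": "mfa_push", "result": "timeout", "src_ip": "192.0.2.4"}
"""

# Tuning assumptions: a legitimate user rarely leaves this many prompts
# unanswered in a short window. Adjust to your own baseline.
BURST_THRESHOLD = 5
WINDOW = timedelta(minutes=10)
UNANSWERED = {"denied", "timeout"}


def parse_events(log_text):
    """Parse JSON-lines MFA events into (timestamp, user, result, src_ip), oldest first."""
    events = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        if rec.get("event") != "mfa_push":
            continue
        ts = datetime.fromisoformat(rec["time"].replace("Z", "+00:00"))
        events.append((ts, rec["user"], rec["result"], rec.get("src_ip")))
    events.sort(key=lambda e: e[0])
    return events


def detect_mfa_fatigue(events, threshold=BURST_THRESHOLD, window=WINDOW):
    """Flag users who receive a burst of unanswered push prompts inside `window`.

    An approval that arrives while the burst is still inside the window is the
    highest-severity signal: it is the pattern of a user giving in to repeated prompts.
    Returns {user: {"peak_unanswered": int, "approved_after_burst": bool, "src_ips": set}}.
    """
    recent = defaultdict(deque)  # user -> timestamps of unanswered prompts in window
    findings = {}

    def finding_for(user):
        return findings.setdefault(
            user, {"peak_unanswered": 0, "approved_after_burst": False, "src_ips": set()}
        )

    for ts, user, result, src_ip in events:
        q = recent[user]
        # Slide the window: drop prompts older than `window` relative to this event.
        while q and ts - q[0] > window:
            q.popleft()
        if result in UNANSWERED:
            q.append(ts)
            if len(q) >= threshold:
                f = finding_for(user)
                f["peak_unanswered"] = max(f["peak_unanswered"], len(q))
                f["src_ips"].add(src_ip)
        elif result == "approved" and len(q) >= threshold:
            f = finding_for(user)
            f["approved_after_burst"] = True
            f["approved_at"] = ts.isoformat()
            f["src_ips"].add(src_ip)
    return findings


if __name__ == "__main__":
    for user, f in detect_mfa_fatigue(parse_events(SAMPLE_LOG)).items():
        print(user, f)
```

In the constructed data only `alice` is flagged: six unanswered prompts in under four minutes followed by an approval. `bob` denies one prompt and then approves, which is ordinary behaviour, and `carol` times out five prompts spread over six hours, so no five fall inside one ten-minute window. A real deployment would key the burst on the requesting IP or device as well as the user, since a fatigue campaign typically originates from somewhere the user has never authenticated from.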

Security Officer Comments:
The Qilin ransomware operation, which initially surfaced in August 2022 under the name "Agenda" and rebranded a month later, has claimed over 130 companies on its dark web leak site. The group's activity picked up towards the end of 2023, and since December 2023, Qilin has been developing an advanced and customizable Linux encryptor to target VMware ESXi virtual machines, which enterprise organizations favor for their light resource needs.

Qilin operators infiltrate company networks, extract data as they move through systems, obtain admin credentials, and collect sensitive data before deploying ransomware payloads to encrypt all network devices. They use the stolen data for double-extortion attacks. Ransom demands from Qilin have ranged from $25,000 to millions of dollars, depending on the victim's size. Last month, the CEO of the UK's National Cyber Security Centre (NCSC) linked Qilin to a ransomware attack on pathology services provider Synnovis in early June, which impacted several major NHS hospitals in London, forcing them to cancel hundreds of operations and appointments.

Suggested Corrections:
  • making secure offsite backups.
  • running up-to-date security solutions and ensuring that your computers are protected with the latest security patches against vulnerabilities.
  • restricting an attacker's ability to spread laterally through your organisation via network segmentation.
  • using hard-to-crack unique passwords to protect sensitive data and accounts, as well as enabling multi-factor authentication.
  • encrypting sensitive data wherever possible.
  • reducing the attack surface by disabling functionality that your company does not need.
  • educating and informing staff about the risks and methods used by cybercriminals to launch attacks and steal data.
Link(s):
https://www.bleepingcomputer.com/ne...d-spider-hackers-to-qilin-ransomware-attacks/
https://x.com/MsftSecIntel/status/1812932749314978191