The infamous cybercriminal group known as Scattered Spider has added ransomware variants such as RansomHub and Qilin to its malware arsenal, Microsoft revealed.
Scattered Spider is the name given to a notorious cybercriminal group known for the sophisticated social engineering schemes it uses to breach targets and establish persistence for further exploration and data theft; the group also has a history of attacks on VMware ESXi servers and of distributing the BlackCat ransomware.
It shares similarities with activity clusters tracked by the broader cybersecurity community under the names 0ktapus, Octo Tempest and UNC3944. Last month it was reported that a key member of the group had been arrested in Spain.
RansomHub: When It Came Out and How Much Scattered Spider Started Using It
RansomHub, which first appeared on the scene in February, has been identified as a rebranding of another ransomware variant called Knight, according to an analysis published last month by Symantec, which is owned by Broadcom.
“RansomHub is a ransomware-as-a-service (RaaS) payload used by an increasing number of cybercriminals, including those who have historically used other (sometimes deprecated) ransomware payloads (such as BlackCat), making it one of the most widespread ransomware families today,” Microsoft said of RansomHub in a post on X (formerly known as Twitter).
The Windows maker said it had also observed RansomHub being used as part of post-compromise activity by Manatee Tempest (also known as DEV-0243, Evil Corp or Indrik Spider) after initial access had been gained by Mustard Tempest (also known as DEV-0206 or Purple Vallhund) through FakeUpdates (also known as SocGholish) infections.
It is worth noting that Mustard Tempest is an initial access broker that has previously used FakeUpdates in attacks leading to pre-ransomware behavior associated with Evil Corp, and that those intrusions were also notable because FakeUpdates was delivered through existing Raspberry Robin infections.
RansomHub and Qilin Hide Well: Beware of Fake PDFs
The development comes amid the emergence of new ransomware families such as FakePenny (attributed to Moonstone Sleet), Fog (distributed by Storm-0844, which has also propagated the notorious Akira ransomware) and ShadowRoot, the last of which has been observed attacking Turkish companies with fake invoice PDFs.
“As the ransomware threat continues to grow, expand, and evolve, users and organizations are advised to follow security best practices, particularly credential hygiene, the principle of least privilege, and the Zero Trust model,” Microsoft said.
Defending Yourself From Ransomware Like RansomHub and Qilin
The impact of ransomware is very often noticed only once the damage is already done. For this reason it is necessary to do (needless to say…) the thing that is recommended more or less everywhere but that nobody ever does: back up your data.
A backup lets you recover your data as it was even after the damage has been done, should real-time protection fail.
Among other things, defending against attacks such as Qilin or RansomHub requires robust security measures: regularly updating software, using multi-factor authentication (MFA), continuously monitoring networks for suspicious activity and training staff on phishing and social engineering techniques, so that nobody does the thing many people do without thinking: clicking on obviously misleading links.
Unfortunately (and it is a hard thing to say), if people paid more attention to what they do on their PCs and phones, these problems would not exist (or would be far rarer than what we are used to hearing about).