The infamous cyber crime group known as Scattered spider ransomware strains such as RansomHub and Do it in its arsenal, Microsoft showed.
Scattered spider designation given to a threat actor known for sophisticated social engineering schemes to compromise targets and create resilience for subsequent exploitation and data theft. It also has a history of targeting VMWare ESXi servers and deploying BlackCat ransomware.
It overlaps with clusters of activity tracked by the wider cyber security community under the aliases 0ktapus, Octo Tempest and UNC3944. Last month it was reported that a key member of the group had been arrested in Spain.
According to an analysis by Broadcom-owned Symantec last month, RansomHub, which appeared in early February of this year, was assessed as a rebranding of another ransomware strain called Knight.
“RansomHub is a Ransomware as a Service (RaaS) used by a growing number of threat actors, including those who have historically used other (sometimes defunct) ransomware (such as BlackCat), making it one of the most common ransomware families. today,” Microsoft said.
The Windows maker said it also observed the deployment of RansomHub as part of post-compromise activities by Manatee Tempest (aka DEV-0243, Evil Corp or Indrik Spider) after initial access gained by Mustard Tempest (aka DEV-0206 or Purple Vallhund) via FakeUpdates (aka Socgholish) infection.
It should be noted here that Mustard Tempest is initial access broker which has in the past used FakeUpdates in attacks that led to behavior reminiscent of the ransomware behavior associated with Evil Corp. These intrusions are also notable in that the FakeUpdates were delivered through an existing Crimson Robin infection.
The development comes amid the emergence of new ransomware families, such as FakePenny (attributed to Moonstone Sleet), The fog (distributed by Storm-0844, who also distributed Akira), and ShadowRootthe latter of which targeted a Turkish business using fake PDF invoices.
“As the ransomware threat continues to grow, expand, and evolve, users and organizations are encouraged to follow security best practices, especially credential hygiene, the principle of least privilege, and zero trust,” Microsoft said.
