The notorious cybercrime group called Dispersed Arachnid has added ransomware families such as RansomHub and Qilin to its arsenal, as disclosed by Microsoft.
Dispersed Arachnid is described as a threat actor known for advanced social engineering tactics used to infiltrate targets and establish persistence for follow-on exploitation and data theft. It also has a track record of targeting VMware ESXi servers and deploying BlackCat ransomware.

It overlaps with activity clusters tracked by the broader cybersecurity community under the names 0ktapus, Octo Tempest, and UNC3944. Reports recently emerged of a key member of the group being arrested in Spain.
RansomHub, which first appeared in February, has been assessed to be a rebrand of another ransomware strain named Knight, according to an analysis published by Broadcom-owned Symantec last month.
“RansomHub is a ransomware-as-a-service (RaaS) payload utilized by a growing number of threat actors, including those that have previously employed different (at times obsolete) ransomware payloads (such as BlackCat), rendering it one of the most prevalent ransomware lineages currently,” Microsoft said.
The tech giant also observed RansomHub being deployed in post-compromise activity by Manatee Tempest (aka DEV-0243, Evil Corp, or Indrik Spider) following initial access obtained by Mustard Tempest (aka DEV-0206 or Purple Vallhund) through FakeUpdates (aka SocGholish) infections.
Mustard Tempest is an initial access broker that has previously leveraged FakeUpdates in attacks exhibiting pre-ransomware behaviors associated with Evil Corp. These intrusions were also notable for delivering FakeUpdates through existing Raspberry Robin infections.
The development coincides with the emergence of new ransomware families such as FakePenny (attributed to Moonstone Sleet), Fog (distributed by Storm-0844, which has also spread Akira), and ShadowRoot, the last of which has been observed targeting Turkish businesses using counterfeit PDF invoices.
“With the escalating, expanding, and evolving ransomware menace, it’s advisable for users and organizations to adhere to security best practices, notably credential hygiene, principle of least privilege, and Zero Trust,” Microsoft said.
