In a recent update, Microsoft has revealed that the Scattered Spider cyber-crime gang, also known as Octo Tempest, has incorporated Qilin ransomware into their suite of attack tools. This development marks a significant evolution in the gang's tactics and capabilities.
Expansion of Ransomware Arsenal
Microsoft reported on Monday that during the second quarter of 2024, the financially motivated threat actor Octo Tempest, the ransomware group it tracks most closely, expanded its ransomware payloads by adding RansomHub and Qilin. This group, which emerged in early 2022 and is also known by the names UNC3944 and 0ktapus, gained notoriety through its 0ktapus campaign, which targeted over 130 high-profile organisations. These organisations included major names like Microsoft, Binance, Coinbase, T-Mobile, Verizon Wireless, AT&T, Slack, Twitter, Epic Games, Riot Games, and Best Buy.
Notable Incidents and Affiliations
The Scattered Spider gang, which operates primarily in English, has been linked to several significant cyber-attacks. In mid-2023, they encrypted systems at MGM Resorts after affiliating with the BlackCat/ALPHV ransomware group. Additionally, Symantec connected them to the RansomHub ransomware-as-a-service operation.
Advisory and Techniques
In November, the FBI and CISA issued an advisory detailing the tactics, techniques, and procedures (TTPs) used by Scattered Spider. These include impersonating IT employees to deceive customer service staff into providing credentials and gaining persistence on networks via remote access tools. They are also known for using phishing, MFA bombing (also known as MFA fatigue), and SIM swapping to gain initial network access.
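A defender-side check for the MFA bombing (MFA fatigue) technique listed above, added here as an illustration; it is not code from the article or from the FBI/CISA advisory. The event field names, the ten-minute window and the threshold of four unapproved prompts are assumptions, and the sign-in events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of MFA push-notification outcomes (not real telemetry).
# Field names are assumptions; map them to your identity provider's sign-in log.
SAMPLE_EVENTS = [
    {"ts": "2024-06-03T08:00:05Z", "user": "alice", "result": "denied"},
    {"ts": "2024-06-03T08:00:40Z", "user": "alice", "result": "denied"},
    {"ts": "2024-06-03T08:01:20Z", "user": "alice", "result": "timeout"},
    {"ts": "2024-06-03T08:02:10Z", "user": "alice", "result": "denied"},
    {"ts": "2024-06-03T08:03:00Z", "user": "alice", "result": "denied"},
    {"ts": "2024-06-03T08:03:45Z", "user": "alice", "result": "approved"},
    {"ts": "2024-06-03T08:00:10Z", "user": "bob", "result": "denied"},
    {"ts": "2024-06-03T09:15:00Z", "user": "bob", "result": "approved"},
]


def _parse(ts):
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def detect_mfa_fatigue(events, window=timedelta(minutes=10), threshold=4):
    """Flag users who receive `threshold` or more unapproved push prompts
    (denied or timed out) within `window`. An approval arriving after such a
    burst is the highest-risk signal: the user may have given in to the flood."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append((_parse(e["ts"]), e["result"]))

    alerts = {}
    for user, evs in by_user.items():
        # Slide a window starting at each prompt and count what follows it.
        for i, (t0, _) in enumerate(evs):
            burst = [r for t, r in evs[i:] if t - t0 <= window]
            unapproved, approved_after = 0, False
            for r in burst:
                if r == "approved":
                    approved_after = approved_after or unapproved >= threshold
                else:
                    unapproved += 1
            if unapproved >= threshold:
                prev = alerts.get(user)
                if prev is None or unapproved > prev["unapproved"]:
                    alerts[user] = {"user": user, "unapproved": unapproved,
                                    "approved_after_burst": approved_after}
    return list(alerts.values())
```

Tune the window and threshold to the volume of legitimate push prompts in your environment before using the alert for automated response.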
The Emergence of Qilin Ransomware
The Qilin ransomware operation first appeared in August 2022 under the name "Agenda" but was rebranded as Qilin a month later. Over the past two years, the Qilin gang has claimed responsibility for attacking over 130 companies on their dark web leak site. Their activity significantly increased towards the end of 2023.
Advanced Threats and Techniques
Since December 2023, Qilin has been developing one of the most advanced and customisable Linux encryptors, specifically targeting VMware ESXi virtual machines favoured by enterprise organisations for their efficient resource usage. Like many other ransomware groups, Qilin operators infiltrate company networks, extract data, and then deploy ransomware payloads to encrypt all network devices. They utilise the stolen data to conduct double-extortion attacks, demanding ransoms in exchange for both decryption keys and the promise not to release sensitive information.
Impact and Recent Attacks
Qilin ransom demands have ranged from $25,000 to millions of dollars, depending on the size and scope of the victim. In a recent high-profile case, the CEO of the UK's National Cyber Security Centre (NCSC) linked Qilin to a ransomware attack on Synnovis, a pathology services provider. This attack, which occurred in early June, affected several major NHS hospitals in London, leading to the cancellation of hundreds of operations and appointments.
To Sum Up
The integration of Qilin ransomware by the Scattered Spider gang underscores the evolving threat landscape in cyber security. Organisations must remain vigilant and adopt robust security measures to protect against these sophisticated attacks. Continuous monitoring, employee training, and up-to-date defences are essential to mitigate the risks posed by such advanced cyber threats.