Scattered Spider Adopts RansomHub and Qilin Ransomware for Cyber Attacks

The cybercrime group known as Scattered Spider has added the RansomHub and Qilin ransomware strains to its arsenal, according to a recent disclosure by Microsoft. The move marks a notable escalation in the group's tactics and capabilities and raises the threat it poses to organizations worldwide.

Who is Scattered Spider?

Scattered Spider is a sophisticated threat actor known for its adept social engineering schemes, which it uses to breach targets, establish persistence, and carry out follow-on exploitation and data theft. The group has a history of targeting VMware ESXi servers and deploying BlackCat ransomware. Within the broader cybersecurity community it is also tracked under several other names, including Gold Harvest, 0ktapus, Octo Tempest, and UNC3944. A key member of the group was recently arrested in Spain, underscoring the global reach and seriousness of its activities.

The New Ransomware Arsenal: RansomHub and Qilin

RansomHub:

  • Background: Introduced earlier in February, RansomHub has been identified by Symantec's analysis as a rebrand of the Knight ransomware strain.
  • RaaS Model: RansomHub operates as a ransomware-as-a-service (RaaS) payload, a model that lets many different threat actors deploy it and that has contributed to its rapid spread. Notably, RansomHub has been adopted by groups that previously used other ransomware payloads, such as the now-defunct BlackCat.
  • Deployment: Microsoft observed RansomHub being deployed in post-compromise activity by Manatee Tempest (also known as DEV-0243, Evil Corp, or Indrik Spider). These deployments often follow initial access obtained by Mustard Tempest (DEV-0206 or Purple Vallhund) through FakeUpdates (SocGholish) infections.

Qilin:

  • Details: Specific details about how Qilin has been integrated into Scattered Spider's operations are less clear, but its inclusion signals the group's continued evolution and diversification of tactics.

Scattered Spider relies on sophisticated social engineering to breach security perimeters. Once inside, the group establishes a foothold and proceeds to data theft and further exploitation. Its ability to target and compromise VMware ESXi servers reflects both its technical proficiency and its focus on high-value targets.

Connections with Other Cyber Threats

Scattered Spider's activities overlap with various other threat actors and malware strains:

  • Mustard Tempest: Operating as an initial access broker, Mustard Tempest has used FakeUpdates in attacks that lead to pre-ransomware behaviour linked to Evil Corp. These attacks often build on existing infections, such as those from Raspberry Robin.
  • New Ransomware Families: The emergence of strains such as FakePenny (attributed to Moonstone Sleet), Fog (distributed by Storm-0844, which also propagates Akira), and ShadowRoot (targeting Turkish businesses) further complicates the ransomware landscape. These new threats point to a rapidly evolving environment in which ransomware developers continually innovate to bypass defences.

Security Recommendations

In light of the escalating ransomware threat, Microsoft advises organizations to adopt the following security practices:

  • Credential Hygiene: Regularly rotate and manage credentials to prevent unauthorized access.
  • Principle of Least Privilege: Grant users only the minimum level of access their roles require, limiting the damage an intrusion can cause.
  • Zero Trust Model: Implement a Zero Trust architecture, which assumes no implicit trust within the network and enforces strict identity verification for every user and device.

Scattered Spider's adoption of RansomHub and Qilin underscores the group's persistent evolution and the growing complexity of the ransomware threat landscape. Organizations must remain vigilant and proactive in their cybersecurity measures to defend against these sophisticated attacks.