Octo Tempest Attacking VMware ESXi Servers Added New Ransom Tools


Threat actors often attack VMware ESXi servers since they accommodate many virtual machines, which link to a variety of systems via one breach. 

Compromising an ESXi server can bring the targeted services down. Additionally, valuable resources and data are stored in the ESXi servers, which makes them lucrative targets for hackers.

Cybersecurity researchers at Microsoft Threat Intelligence recently discovered that Octo Tempest, which is known for attacking VMware ESXi servers, has added RansomHub and Qilin to its arsenal.

In early to mid-2024, the ransomware group Octo Tempest expanded its harmful activities. This group, which the cybersecurity researchers at Microsoft Threat Intelligence watch very closely, started using two new types of ransomware called RansomHub and Qilin.


Octo Tempest is known for several dangerous tactics: using social-engineering tricks to fool people into giving away information, stealing people's online identities, finding ways to stay hidden in computer systems for a long time, often attacking VMware ESXi servers, and frequently using the ransomware called BlackCat.

Octo Tempest is responsible for many cyber attacks researchers have investigated and helped fix. Their new use of RansomHub and Qilin makes them an even bigger threat than before.

RansomHub, a rapidly growing ransomware-as-a-service (RaaS) payload, is becoming one of the most widespread ransomware families. 

It’s being adopted by various threat actors, including those previously using other ransomware like BlackCat. 

Manatee Tempest deployed RansomHub following Mustard Tempest's initial access via FakeUpdates and SocGholish.

Other active ransomware families include:

  • Qilin
  • BlackSuit
  • LockBit
  • Medusa
  • Black Basta
  • Play

Besides this, a new ransomware, Fog, emerged this quarter, and was used by Storm-0844, which previously favored Akira. 

Storm-0844 is a group of malicious actors that first gains entry through VPN clients using potentially compromised accounts.

They then rely on open-source tools such as ADFind, Rubeus, and Advanced IP Scanner for network reconnaissance and lateral movement, and on rclone to stage data for exfiltration.

The new ransomware called "FakePenny" can be traced back to the North Korean group Moonstone Sleet. This actor also uses a malicious tank game as one of its tactics.

Octo Tempest and Storm-0501 concentrate mainly on identity compromise. The latter has been using open-source tools such as "AADInternals" in its attempts to establish domain federations, culminating in Embargo ransomware.

Different actors use a range of tactics and tools, which demonstrates how this threat environment has grown more sophisticated across many actor groups.

Ransomware actors misuse remote management tools, such as Storm-1811’s exploitation of Quick Assist, leading to Black Basta attacks. 

To combat this growing threat, users should stick to security best practices like credential hygiene, least privilege, and Zero Trust.
