Cyber-crime super-crew Scattered Spider falls in love with RansomHub and Qilin

Extortionists left hanging after rivals crawled into the woodwork


The Scattered Spider cybercrime group is now using RansomHub and Qilin ransomware variants in its attacks, illustrating a possible power shift among hacking groups.

This is according to Microsoft's incident response engagements from the second quarter of the year; the company has described the group as one of the most sophisticated and threatening of its kind currently in operation.

Scattered Spider – which hit Las Vegas casinos last year among many other victims, and is tracked as Octo Tempest by Microsoft, or the gazillion other aliases it has depending on who's doing the talking – accounts for "a significant bulk of [Microsoft's] investigations." 

Before the Feds crippled it in December, Scattered Spider used to rely on the ransomware payload of ALPHV/BlackCat – formerly the biggest dog in the ransomware kennel (along with LockBit) – so the adoption of RansomHub and Qilin by a group like Scattered Spider demonstrates how seriously the new guard is being taken.

Microsoft said in a threat intelligence update/Xeet this week that RansomHub is being adopted by an ever-increasing number of cybercriminals, including by those who also used to rely on ALPHV's malware code. It's "one of the most widespread ransomware families" in circulation today, Redmond added.

"Notably, RansomHub was observed being deployed in post-compromise activity by Manatee Tempest following initial access by Mustard Tempest via FakeUpdates/Socgholish infections," Redmond said.

RansomHub first emerged in February 2024 as a rebrand of the Knight ransomware crew and has claimed responsibility for high-profile attacks on the likes of Christie's, Frontier Communications, and US pharmacy chain Rite Aid since then.

Cybercriminal outfits like RansomHub, Qilin, Akira, and Play have stepped in to gobble up the market share left behind by ALPHV/BlackCat, which exit scammed shortly after receiving its Change Healthcare ransom payment, and LockBit – which still lives on but has largely been abandoned by affiliates since Operation Cronos shut parts of the network down.

Microsoft said that BlackSuit, Medusa, and Black Basta were also ransomware families of concern.

New kids on the block

RansomHub itself spun up for the first time earlier this year but has already claimed the number-one spot from its more established competitors. Microsoft is now tracking two newer ransomware families that it says have cropped up in the past few months.

Fog is one of these variants, the first sightings of which date back to May, according to a crew at security shop Arctic Wolf.

In Fog's first month, the team said, every one of its victims was based in the US, and the vast majority (80 percent) of attacks targeted the education sector. The other 20 percent hit recreation industries.

Arctic Wolf stopped short of giving it "ransomware group" status, as it's too new to determine what kind of organizational structure it has. The most popular business model is ransomware-as-a-service (RaaS), so it's possible Fog could be its own operation with affiliates, but nothing's certain yet.

Microsoft first spotted Fog in May as well, but has also attributed its activity to a group tracked as Storm-0844. Microsoft names groups "Storm" when they're still under development and haven't yet formed a clear identity.

That said, Storm-0844 is known to Microsoft as the group that deployed the Akira ransomware strain, and in the two months since Fog entered the scene, Storm-0844 appears to now favor the newer variant over Akira, which is a well-established operation. 

This could be based on various factors or a combination of them. More reliable encryption is a possible explanation for the change in tooling, as is the fact that researchers have developed a number of decryptors for Akira ransomware variants. There is also the possibility that Fog offers a better cut of any ransom payments, which is always an attractive prospect for a financially motivated criminal group.

FakePenny ransomware is another of these variants that has emerged in the past quarter, with notable deployers including Moonstone Sleet, otherwise known as North Korean state-sponsored scumbags.

Both FakePenny and Moonstone Sleet are fresh faces in the threat landscape, with Microsoft tracking the latter for less than a year. The criminal group has been spotted, in typical fashion for the hermit nation, trying to raise funds by defrauding Western economies through malware and ransomware payments in the region of $6.6 million a pop.
