Scattered Spider includes Qilin ransomware in its arsenal

July 31, 2024

The Scattered Spider cybercriminal group has added Qilin ransomware to its set of weapons for cyberattacks.

Microsoft revealed earlier this year that the financially motivated threat actor had added RansomHub and Qilin to the ransomware payloads used in its campaigns. The group first gained notoriety a couple of years ago with a cybercriminal campaign that targeted over 130 high-profile organisations.

Some of these big-time organisations include Microsoft, Binance, CoinBase, T-Mobile, Verizon Wireless, AT&T, Slack, X, Epic Games, and Riot Games.

In addition, this notorious gang encrypted MGM Resorts’ systems after joining the BlackCat/ALPHV ransomware operation as an affiliate in mid-2023, an operation researchers have since linked to the RansomHub ransomware-as-a-service.

 

The Scattered Spider threat group commonly poses as IT employees to initiate its attacks.

 

The Scattered Spider group’s tactics, techniques, and procedures (TTPs) typically include impersonating IT employees to deceive customer care representatives into supplying credentials or establishing persistent access to targeted networks through remote access tools.

Additionally, the group employs phishing, MFA bombing, and SIM-swapping tactics to gain initial network access to targeted entities. The Qilin ransomware operation, which Scattered Spider recently joined, first appeared in August 2022 under the name “Agenda” and was rebranded as Qilin one month later.
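MFA bombing (also called push fatigue) leaves a recognisable pattern in identity-provider sign-in logs: a burst of push challenges to one user in a short window, mostly denied or ignored, often followed by a single approval. The script below is an added defender-side example, not code from the article or from any vendor; it parses a constructed log of push events (the timestamps, usernames and results are made up for illustration) and flags users whose push volume crosses a threshold inside a sliding time window, noting whether an approval followed the burst. The five-minute window and three-prompt threshold are assumed tuning values, not figures from the article.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample MFA push events (not from the article or any real tenant).
# Each line: ISO-8601 UTC timestamp, username, result (push_sent | denied | approved).
SAMPLE_LOG = """\
2024-07-31T08:00:01Z alice push_sent
2024-07-31T08:00:02Z alice denied
2024-07-31T08:00:40Z alice push_sent
2024-07-31T08:00:41Z alice denied
2024-07-31T08:01:10Z alice push_sent
2024-07-31T08:01:12Z alice denied
2024-07-31T08:01:35Z alice push_sent
2024-07-31T08:01:36Z alice denied
2024-07-31T08:02:05Z alice push_sent
2024-07-31T08:02:20Z alice approved
2024-07-31T09:15:00Z bob push_sent
2024-07-31T09:15:04Z bob approved
2024-07-31T10:00:00Z carol push_sent
2024-07-31T10:00:02Z carol denied
2024-07-31T10:30:00Z carol push_sent
2024-07-31T10:30:03Z carol approved
"""


def parse_events(text):
    """Turn the whitespace-separated log into sorted (timestamp, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, result = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), user, result))
    return sorted(events)


def detect_push_fatigue(events, window=timedelta(minutes=5), threshold=3):
    """Flag users who received at least `threshold` push prompts within `window`.

    Returns {user: {"pushes": n, "approved_after_burst": bool}} where `pushes` is
    the largest number of prompts seen in any single window and
    `approved_after_burst` tells whether an approval occurred at or after the
    start of that burst (the classic fatigue outcome).
    """
    by_user = defaultdict(list)
    for ts, user, result in events:
        by_user[user].append((ts, result))

    findings = {}
    for user, evs in by_user.items():
        pushes = [ts for ts, r in evs if r == "push_sent"]
        best = None  # (count, burst_start, burst_end) for the densest window
        start = 0
        for end, ts_end in enumerate(pushes):
            # Slide the window start forward until it fits inside `window`.
            while ts_end - pushes[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold and (best is None or count > best[0]):
                best = (count, pushes[start], ts_end)
        if best is None:
            continue
        count, burst_start, _ = best
        approved = any(r == "approved" and ts >= burst_start for ts, r in evs)
        findings[user] = {"pushes": count, "approved_after_burst": approved}
    return findings


def run_sample():
    """Apply the detector to the constructed log with the assumed default tuning."""
    return detect_push_fatigue(parse_events(SAMPLE_LOG))


if __name__ == "__main__":
    for user, info in run_sample().items():
        print(f"{user}: {info['pushes']} pushes in window, "
              f"approved after burst: {info['approved_after_burst']}")
```

On the sample data only alice is flagged (five prompts in about two minutes, then an approval); bob's single prompt and carol's two prompts half an hour apart fall below the threshold. In a real deployment the parser would read the identity provider's sign-in export instead of the inline string, and the "approved after burst" flag is the signal that warrants an immediate session revocation and credential reset rather than just an alert.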

Over the past few years, the Qilin ransomware operators have claimed over 130 companies on their dark web leak site. The group had been inactive for almost half a year but became active again around the end of 2023 after expanding its roster of operators.

Since December last year, Qilin has also been developing one of the most powerful and adaptable Linux encryptors for VMware ESXi virtual devices, which enterprise organisations prefer for their low resource requirements.

Like many other ransomware groups that target businesses, Qilin ransomware operators breach companies’ networks and extract data while moving laterally within the victims’ systems. After obtaining admin credentials and collecting sensitive data, they use the ransomware payloads to encrypt all network devices and use the stolen data to execute double-extortion attacks.

As of now, this group’s asking price for their ransom ranges from $25,000 to millions of dollars, depending on the victim’s size, making it one of the most hostile threats in the cybercriminal landscape today.
