Microsoft: Octo Tempest Ransomware Group One of 'Most Dangerous'

Microsoft is tracking Octo Tempest, a financially motivated ransomware group that's becoming more aggressive, leading the company to call it "one of the most dangerous" financial criminal groups.

Octo Tempest is a growing concern for organizations across multiple industries. Also tracked as UNC3944 and 0ktapus, Octo Tempest recently became the rare English-speaking affiliate of Russian-speaking ransomware group BlackCat, according to a Microsoft blog. Historically, Eastern European ransomware groups refused to do business with native English-speaking criminals.

Octo Tempest leverages broad social engineering campaigns to compromise organizations across the globe with the goal of financial extortion. Monetization techniques observed across industries vary between cryptocurrency theft and data exfiltration for extortion and ransomware deployment.

Octo Tempest Origins

Octo Tempest was initially seen in early 2022 targeting mobile telecommunications and business process outsourcing organizations to initiate phone number ports, also known as SIM swaps, according to Microsoft. It monetized intrusions by selling SIM swaps to other criminals and performing account takeovers of high-net-worth individuals to steal their cryptocurrency.

In late 2022 to early 2023, Octo Tempest expanded its targeting to include cable telecommunications, email and technology organizations, according to Microsoft. During this period, it began monetizing intrusions by extorting victim organizations for data stolen during its intrusion operations and in some cases even resorting to physical threats.

"By June 2023, Octo Tempest started deploying ALPHV/BlackCat ransomware payloads (both Windows and Linux versions) to victims and lately has focused their deployments primarily on VMWare ESXi servers," Microsoft said. "Octo Tempest progressively broadened the scope of industries targeted for extortion, including natural resources, gaming, hospitality, consumer products, retail, MSPs, manufacturing, law, technology and financial services."

In recent campaigns, Microsoft observed Octo Tempest leverage a diverse array of tactics, techniques and procedures (TTPs) to navigate complex hybrid environments, exfiltrate sensitive data and encrypt data.

Using Impersonation to Gain Access

Octo Tempest commonly launches social engineering attacks targeting technical administrators, such as support and help desk personnel, who have permissions that could enable the threat actor gain initial access to accounts, according to Microsoft. The threat actor performs research on the organization and identifies targets to effectively impersonate victims, mimicking speech patterns on phone calls and understanding personal identifiable information (PII) to trick technical administrators into performing password resets and resetting multifactor authentication (MFA) methods. In addition, it has been observed impersonating newly hired employees in these attempts to blend into normal on-hire processes.

Octo Tempest compromises security personnel accounts within victim organizations to turn off security products and features, and attempt to evade detection throughout their compromise. Using compromised accounts, the threat actor leverages endpoint detection and response (EDR) and device management technologies to allow malicious tooling, deploy remote monitoring and management (RMM) software, remove or impair security products, data theft of sensitive files and deploy malicious payloads.

Numerous Causes for Concern

Patrick Tiquet, vice president of security and architecture at Keeper Security, said although this ransomware group has only been operating for a relatively short time, there are numerous causes for serious concern.

Keeper Security's Patrick Tiquet

"Octo Tempest is a well-organized and resourced group with the ability to recruit native English-speaking members, despite its affiliation with Russian ransomware-as-a-service (RaaS) operator BlackCat/ALPHV," he said. "Furthermore, its proven ability to carry out successful large-scale attacks against high-value targets make Octo Tempest a dangerous threat to organizations of all sizes. A cybersecurity strategy and prudent investment are essential to prevent intrusion from a cyberattack. Having knowledge about the size or affiliations of a criminal organization can help network defenders in the same way understanding a competitor can provide an advantage in business. But it’s also important to realize that they are going to attack no matter what you know, so a comprehensive security program is always essential."

Callie Guenther, senior manager of cyber threat research at Critical Start, said the multifaceted approach Octo Tempest employs is "particularly alarming."

Critical Start's Callie Guenther

"Beyond their technical prowess, they've mastered the art of social engineering, adapting their tactics to impersonate and blend seamlessly into targeted organizations," she said. "This, combined with their alignment with the formidable BlackCat ransomware group, amplifies their threat manifold. The real concern emerges when one realizes they've diversified from specific industries to a broader spectrum and are now unafraid to resort to outright physical threats, showcasing a concerning escalation in cybercriminal tactics."

Defending against Octo Tempest's financial pursuits involves a series of proactive and reactive measures, Guenther said.

"Cryptocurrencies, for instance, should be stored in offline cold wallets to minimize online exposure," she said. "Continual system updates and anti-ransomware solutions can thwart most ransomware deployments. Advanced network monitoring can detect anomalous data flows, indicative of potential data exfiltration attempts. In case of breaches or attacks, an established incident response strategy can guide immediate actions. Collaborative threat intelligence sharing with industry peers can also keep organizations abreast of emerging threats and countermeasures."