Trace Id is missing

Nation State Actor

Pistachio Tempest

A close-up of a planet
Pistachio Tempest (formerly DEV-0237) is a group associated with impactful ransomware distribution. Microsoft has observed Pistachio Tempest use varied ransomware payloads over time as the group experiments with new ransomware as a service (RaaS) offerings, from Ryuk and Conti to Hive, Nokoyawa, and, most recently, Agenda and Mindware. Pistachio Tempest’s tools, techniques, and procedures have also shifted over time, but are primarily marked by their use of access brokers to gain initial access via existing infections from malware such as Trickbot and BazarLoader. After gaining access, Pistachio Tempest uses other tools in their attacks to complement their use of Cobalt Strike, such as the SystemBC RAT and the Sliver framework. Common ransomware techniques (such as using PsExec to deploy ransomware widely in environments) are still a major part of the Pistachio Tempest playbook. The outcomes also remain the same: ransomware, exfiltration, and extortion.

Also known as:                                                                   Industries targeted:

 

FIN12                                                                                    Healthcare

                                         

                                                                                              Software and  Technology                                                                                                   

                                                                                   

 

 

Microsoft Threat Intelligence: Recent Pistachio Tempest Articles

The many lives of BlackCat ransomware

Hive ransomware gets upgrades in Rust

Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself