Manatee Tempest (formerly DEV-0243) is a threat actor in the ransomware-as-a-service (RaaS) economy that partners with other threat actors to provide custom Cobalt Strike loaders. In its initial partnerships with another threat actor, Mustard Tempest, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional Manatee Tempest ransomware payloads developed in-house, such as PhoenixLocker and Macaw. Around November 2021, Manatee Tempest started to deploy the LockBit 2.0 RaaS payload in its intrusions. The use of a RaaS payload is likely an attempt to avoid attribution to the group, because attribution could discourage payment due to the group's sanctioned status.