Financially Motivated Threat Actor Manatee Tempest

Manatee Tempest (formerly DEV-0243) is a threat actor that is a part of the ransomware as a service (RaaS) economy, partnering with other threat actors to provide custom Cobalt Strike loaders. In Manatee Tempest’s initial partnerships with another threat actor, Mustard Tempest, the group deployed a custom ransomware payload known as WastedLocker, and then expanded to additional Manatee Tempest ransomware payloads developed in-house, such as PhoenixLocker and Macaw. Around November 2021, Manatee Tempest started to deploy the LockBit 2.0 RaaS payload in their intrusions. The use of a RaaS payload is likely an attempt to avoid attribution to their group, which could discourage payment due to their sanctioned status.