Ransomware on the Move: Akira, Cactus, Hunters International, RansomHub
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week...
Ransomware attacks surged during the week of July 28 to August 4, 2024, with four groups once again leading the charge: Akira, Cactus, Hunters International, and RansomHub. Between them they hit manufacturing, business services, retail, and healthcare, and the common thread across all four is the same: steal data first, encrypt second, and extort on both.
Akira made significant moves by targeting Industrias Peñoles and Braspress, leading to severe data breaches. These attacks highlight Akira’s continued focus on high-value sectors like manufacturing and logistics, demonstrating the group's ability to disrupt critical operations and compromise sensitive information.
Meanwhile, Cactus ransomware successfully infiltrated Dahl Valve Limited and Chubb Bulleid, further establishing its threat in both the manufacturing and legal industries.
Hunters International, which shares a large part of its code base with the now-defunct Hive operation, claimed LRN Corporation and Khandelwal Laboratories. The targets show the group's opportunistic approach: an ethics and compliance training vendor and a pharmaceutical manufacturer, both sectors where a leak of stolen data is especially damaging.
RansomHub, a newer operation first observed in February 2024, claimed Normandy Diesel and Bahia Principe Hotels & Resorts, extending its victim list into automotive services and hospitality.
Akira
Akira is a ransomware family that first emerged in March 2023 and quickly became a prominent threat across multiple sectors. Operating as a Ransomware-as-a-Service (RaaS) platform, Akira enables affiliates to launch attacks and shares the ransom proceeds, with demands typically ranging from $200,000 to over $4 million. The group is believed to have ties to the now-defunct Conti ransomware gang, based on notable code similarities.
Akira ships encryptors for both Windows and Linux, including a Linux variant built to encrypt VMware ESXi virtual machine files. Early Windows builds were written in C++; from late 2023 a Rust-based variant ("Megazord") has also been deployed. Because the ESXi hypervisor is usually outside the reach of endpoint agents running in guest VMs, the ESXi build lets a single compromised host take down every virtual machine on the datastore at once.
Active in regions such as Europe, North America, and Australia, Akira primarily targets small to medium-sized businesses across sectors like manufacturing, technology, education, pharmaceuticals, and government.
Akira's attacks typically involve the exfiltration of large amounts of sensitive data before encryption, which is then used to extort victims with the threat of publication unless a ransom is paid.
For instance, Industrias Peñoles, a leading Mexican mining and metallurgical company, suffered a breach on July 30, 2024, in which Akira infiltrated its systems and exfiltrated sensitive data, including financial records and proprietary business information. Peñoles maintained operational continuity by restoring from backups, but backups only address the encryption half of the attack: the exfiltrated data remains in the attackers' hands and the publication threat still stands.
Another attack targeted Macadam Europe, a company specializing in vehicle inspections and fleet management. The Akira group exfiltrated 50 GB of sensitive data, including HR records, non-disclosure agreements, and customer databases, posing significant operational and reputational risks.
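Every group in this roundup follows the same sequence: stage and move tens or hundreds of gigabytes out of the network, then extort. The one signal a defender can count on is volume, so the example below, added here and not part of the original post or any vendor's product, shows a minimal volume-based exfiltration triage over flow records. The flow records, the internal address ranges, the allowlisted backup/cloud range (192.0.2.0/24) and the 20 GB-per-hour threshold are all constructed for the example; a real deployment would take the allowlist and threshold from a per-host baseline.

```python
"""Volume-based exfiltration triage over flow records (added example).

Flags any internal host that pushes more than THRESHOLD bytes to
non-allowlisted external destinations within a sliding time window.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

GB = 1_000_000_000

# Constructed sample flows: (timestamp, src_ip, dst_ip, dst_port, bytes_out).
# One host (10.20.5.17) moves ~51 GB to a single external IP in under an hour.
SAMPLE_FLOWS = [
    ("2024-07-30T01:00:00", "10.20.5.17", "10.20.5.40", 445, 8 * GB),        # internal copy, ignored
    ("2024-07-30T01:05:00", "10.20.5.17", "198.51.100.23", 443, 9 * GB),
    ("2024-07-30T01:20:00", "10.20.5.17", "198.51.100.23", 443, 12 * GB),
    ("2024-07-30T01:40:00", "10.20.5.17", "198.51.100.23", 443, 30 * GB),
    ("2024-07-30T01:10:00", "10.20.5.88", "203.0.113.9", 443, 50_000_000),   # browsing-sized, ignored
    ("2024-07-30T01:15:00", "10.20.7.2", "192.0.2.77", 443, 2 * GB),         # allowlisted backup SaaS
    ("2024-07-30T09:00:00", "10.20.5.17", "198.51.100.23", 443, 100_000_000),  # outside the window
]

# Assumed private ranges and a hypothetical sanctioned backup/cloud range.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]
ALLOWLIST = [ip_network("192.0.2.0/24")]


def is_internal(addr):
    return any(addr in net for net in INTERNAL)


def is_allowlisted(addr):
    return any(addr in net for net in ALLOWLIST)


def detect_exfil(flows, window=timedelta(hours=1), threshold=20 * GB):
    """Return {src_ip: (peak_bytes_in_window, [destinations])} for hosts over threshold."""
    per_src = defaultdict(list)
    for ts, src, dst, _port, nbytes in flows:
        s, d = ip_address(src), ip_address(dst)
        # Only internal -> external traffic to non-sanctioned destinations counts.
        if not is_internal(s) or is_internal(d) or is_allowlisted(d):
            continue
        per_src[src].append((datetime.fromisoformat(ts), dst, nbytes))

    alerts = {}
    for src, recs in per_src.items():
        recs.sort()  # by timestamp
        head, total, peak, peak_dsts = 0, 0, 0, set()
        for i, (t, _dst, n) in enumerate(recs):
            total += n
            # Drop records that fell out of the trailing window.
            while recs[head][0] < t - window:
                total -= recs[head][2]
                head += 1
            if total > peak:
                peak = total
                peak_dsts = {r[1] for r in recs[head:i + 1]}
        if peak >= threshold:
            alerts[src] = (peak, sorted(peak_dsts))
    return alerts


if __name__ == "__main__":
    for src, (nbytes, dsts) in detect_exfil(SAMPLE_FLOWS).items():
        print(f"ALERT {src}: {nbytes / GB:.1f} GB to {', '.join(dsts)} within 1h")
```

The caveat a practitioner should keep in mind: a pure volume rule catches the bulk transfers described on this page but misses slow, rate-limited exfiltration and transfers to popular cloud storage that sits on a sanctioned allowlist, so pair it with destination reputation and with alerts on the archiving and sync tools that precede the transfer.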
Significant Attacks Claimed by Akira
- Braspress, a leading logistics company in Brazil, was severely impacted by a ransomware attack. The attack compromised 280 servers within the company's data center, disrupting operations across nearly 3,000 trucks and 9,000 employees spread over 114 branches nationwide. Despite the extensive disruption, Braspress chose not to negotiate with the attackers, opting instead to restore its systems from recent backups. The incident shows what restoring from backups actually demands at this scale: rebuilding hundreds of servers while the business keeps running, and with no guarantee that the data already taken will not be published.
- Find Great People (FGP), a talent acquisition and human resources consulting firm, was another victim of Akira's ransomware attacks. The breach, which resulted in the compromise of approximately 32GB of sensitive data, included confidentiality agreements, client data, and personal employment documents. The attack posed severe legal and financial risks, particularly because of the sensitive nature of the compromised data. This breach underscored the vulnerabilities that firms in the business services sector face, especially those responsible for handling critical personal and corporate information.
Cactus
Cactus is a ransomware group that first emerged in March 2023 and quickly became a significant player in the ransomware landscape. Operating as a Ransomware-as-a-Service (RaaS), Cactus provides its affiliates with tooling to carry out attacks and has been observed exploiting known vulnerabilities such as the ZeroLogon flaw (CVE-2020-1472); publicly documented Cactus intrusions have also begun with exploitation of internet-facing VPN appliances and Qlik Sense servers.
The group's techniques include custom scripts to disable security tools before deploying the ransomware. The encryptor itself is distinctive: the binary is shipped in an encrypted form and must be launched with a key supplied on the command line to unpack and run, which hampers static analysis by antivirus tools and sandboxes that do not have the key. Cactus targets organizations across various sectors, including manufacturing, legal services, and business services, focusing on those that manage critical and confidential data.
Cactus's attacks typically involve the exfiltration of substantial amounts of sensitive information before encryption, which the group then uses in double extortion schemes.
For instance, Dahl Valve, a Canadian manufacturer of plumbing and heating valves, experienced a breach where 80GB of data, including personally identifiable information (PII), corporate documents, and financial records, was exfiltrated.
These incidents underscore the significant operational and reputational risks posed by Cactus's tactics.
Significant Attacks Claimed by Cactus
- Chubb Bulleid, a prominent law firm with an estimated revenue of $14 million, was targeted by the Cactus ransomware group, resulting in a major data breach disclosed on July 31, 2024. The attack led to the exposure of a wide array of sensitive and confidential information, including litigation files, corporate data, non-disclosure agreements, contracts, employee records, financial documents, and internal correspondence. The leak has potentially jeopardized confidential client information and critical business records, raising serious concerns about client confidentiality and the firm's operational integrity.
- Denkai America, a manufacturing company specializing in the production of copper foils for industries like printed circuit boards and energy storage, fell victim to a Cactus ransomware attack, also disclosed on July 31, 2024. The breach exposed a wide range of sensitive materials, including business documents, customer information, internal communications, confidential financial records, employee files, and contractual agreements. With an estimated revenue of $18.1 million, Denkai America is now dealing with the significant repercussions of this data breach, which has yet to be fully addressed by the company.
Hunters International
Hunters International is a ransomware group that emerged in the third quarter of 2023 and rapidly gained attention as a significant threat. It operates as a Ransomware-as-a-Service (RaaS) platform, enabling affiliates to execute attacks using Hunters International's infrastructure and malware.
The group's ransomware code shows roughly 60% overlap with that of the Hive ransomware, indicating a likely evolution or rebranding of the Hive operation after its takedown by law enforcement. Hunters International puts its weight on data exfiltration followed by extortion, demanding ransoms in exchange for not publishing the stolen data.
Their operations have been observed across regions including the United States, the United Kingdom, Germany, and Namibia, against a diverse range of industries with no particular sector focus.
The attacks orchestrated by Hunters International typically involve the theft of substantial amounts of sensitive data, which is then used as leverage in their extortion tactics.
For example, Khandelwal Laboratories Pvt. Ltd., a prominent Indian pharmaceutical company, fell victim to a breach where 126.5 GB of sensitive data, including proprietary formulations and patient information, was exfiltrated.
Another significant case involved LRN Corporation, an American firm specializing in ethics and compliance training, which saw its data and systems compromised, leading to severe operational disruptions.
These breaches highlight the substantial financial and reputational risks companies face when targeted by Hunters International, particularly when sensitive or proprietary information is involved.
Significant Attacks Claimed by Hunters International
- Kleven Construction Inc., a company specializing in underground utility installation, including directional drilling and fiber optic cable placement, was significantly impacted by a ransomware attack. The attackers claimed to have exfiltrated 124.5 GB of data, including vital records from the company's accounting, IT, and medical departments. This breach posed substantial risks to the company's operations and the privacy of its stakeholders, emphasizing the severity of the ransomware threat posed by Hunters International.
- Crownlea Group, a family-owned conglomerate known for supplying over 10,000 products to various industries across the UK and Europe, experienced a major ransomware attack that resulted in a significant data breach. The attackers exfiltrated 415.3 GB of sensitive information, including passports and driving licenses from individuals across different countries. The incident not only jeopardized the company’s reputation but also highlighted the far-reaching impact of Hunters International's tactics, especially when critical personal information is involved.
RansomHub
RansomHub is a relatively new player in the ransomware landscape, first observed in February 2024, and has quickly established itself as a formidable threat. Operating as a Ransomware-as-a-Service (RaaS) group, RansomHub advertises an affiliate-friendly profit-sharing model in which affiliates keep 90% of the ransom proceeds and the core group takes the remaining 10%, a split that has helped it recruit affiliates displaced from other operations.
RansomHub's ransomware is written in Golang, a language increasingly favored by ransomware developers because a single code base can be built for Windows, Linux, and ESXi. The group has shown no particular industry focus, instead targeting a wide array of sectors across countries including the United States, Brazil, Indonesia, and Vietnam.
Healthcare institutions have been among its notable targets. RansomHub listed Change Healthcare on its leak site after the earlier ALPHV/BlackCat intrusion, reportedly with data taken during that original attack; that amounted to a second extortion attempt against the same victim rather than a second intrusion, and it illustrates why paying one group does not retire the stolen data.
The attacks carried out by RansomHub are characterized by large-scale data exfiltration, which the group uses to exert pressure on their victims through extortion. For instance, one of their significant breaches targeted Normandy Diesel, a specialized automotive company based in France. RansomHub successfully exfiltrated 280GB of sensitive data, including invoices, contracts, financial records, and private information.
Normandy Diesel, despite being a small enterprise with an estimated annual revenue of $1.08 million, was thrust into a precarious position due to this breach, which threatened the company’s operations and client trust.
Another example is the attack on Bahia Principe Hotels & Resorts, a leading hospitality chain known for its all-inclusive resorts across the Caribbean and Spain. In this breach, RansomHub claims to have exfiltrated approximately 1.2 TB (1,230 GB) of data, posing significant risks to both the company's operations and the privacy of its guests.
The stolen data likely includes guest records, booking details, and financial records, which could severely impact the reputation and operational continuity of Bahia Principe, a brand recognized for its luxury offerings and customer service.
Significant Attacks Claimed by RansomHub
- RetailData, a prominent provider of observational intelligence and auditing solutions, suffered a ransomware attack that led to the exfiltration of 1TB of sensitive data. Founded in 1988, RetailData has been instrumental in providing accurate pricing and market data to businesses, aiding them in making strategic decisions. The stolen data likely includes financial records, proprietary business strategies, and sensitive client information, which poses a significant threat to the company's operations and reputation. This breach underscores the risks faced by organizations that handle large volumes of critical data, especially in sectors reliant on timely and precise market intelligence.
- Labor Koblenz, a leading German laboratory specializing in environmental analysis, food safety, and pharmaceutical testing, was targeted by RansomHub. The attackers gained access to the lab's internal network, but the company reports that its emergency procedures kept patient care uninterrupted and that no health data was leaked. The breach may still have exposed sensitive operational data, including testing results and compliance-related information. Labor Koblenz's swift response, including collaboration with a BSI-certified security provider and law enforcement, highlights the importance of rehearsed incident response in industries critical to public health and safety.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.