Ransomware on the Move: Akira, Medusa, Play, RansomHub
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:
As ransomware threats continue to escalate, cybersecurity professionals are increasingly challenged to defend against sophisticated attacks targeting a vast array of industries. From small businesses to multinational corporations, no sector is immune to cybercriminals exploiting vulnerabilities to extract ransoms.
In the last week of July 2024, four ransomware groups—Akira, Medusa, Play, and RansomHub—were particularly active, showcasing the diverse tactics and strategies threat actors use to achieve their objectives. Business services, construction, manufacturing, and hospitality were among the most impacted industries during this period.
The Akira group has made headlines with attacks on companies such as Environmental Design International and Empereon Constar, where they exfiltrated large volumes of sensitive data. This highlights their focus on high-value targets across various sectors, notably business services and manufacturing.
Meanwhile, the Medusa group targeted organizations like Vivara and Coffrage LD, revealing vulnerabilities in industries ranging from retail to construction. These incidents starkly remind us of the critical importance of strong cybersecurity measures to protect against data breaches and operational disruptions.
Adding to the threat landscape, the Play and RansomHub ransomware groups were also highly active. Play ransomware targeted companies such as The Computer Merchant and Williams Construction, breaching their networks, exfiltrating data and demanding ransoms, with the business services and construction industries bearing the brunt.
Similarly, RansomHub orchestrated major breaches affecting the Castelli Group and AutoCorp Group Holding, underscoring the growing threat to the real estate and automotive sectors.
Akira
Akira is a rapidly evolving ransomware group that first appeared in March 2023. The group is believed to be affiliated with the defunct Conti ransomware gang, based on similarities in their code. Akira maintains both a Windows encryptor and a Linux encryptor aimed at VMware ESXi hypervisors, and it employs double extortion: data is stolen before files are encrypted, and ransom demands of between $200,000 and more than $4 million are made for a decryptor and for deletion of the stolen data.
Victims are directed to a dark web site featuring a retro 1980s-style interface to negotiate ransom terms. Akira's emergence underscores the ongoing evolution of ransomware threats, with their aggressive approach posing significant risks across various sectors, including government, manufacturing, technology, and education. As of January 2024, Akira has targeted over 250 organizations, collecting approximately $42 million in ransoms.
Akira's attacks typically result in the exfiltration of large volumes of sensitive data, significantly impacting affected organizations. For example, Win Systems, a prominent provider of casino solutions, suffered a breach involving 10 GB of sensitive data, including passports, identification cards, credit card details, and crucial client and casino information. This breach jeopardizes the privacy and operational integrity of the company, which reported over $100 million in revenue in 2023.
In another attack, siParadigm Diagnostic Informatics experienced the exfiltration of 141 GB of data, including personal information such as passports, non-disclosure agreements, medical records, and financial data. This breach highlights the acute vulnerabilities faced by the healthcare industry, where the protection of sensitive information is paramount.
Significant Attacks
- Empereon Constar, a major business process outsourcing company, was targeted by Akira, resulting in the exfiltration of 800 GB of sensitive data, including SQL databases with client information and employee files. This breach, involving a company with over 4,000 employees and more than $50 million in revenue, underscores the critical need for robust cybersecurity measures in the business services sector.
- Environmental Design International (EDI), a professional engineering firm based in Chicago, also fell victim to Akira, with 60 GB of sensitive data, including non-disclosure agreements and financial data, being compromised. This attack highlights the vulnerability of firms involved in significant infrastructure projects and the importance of cybersecurity to protect against sophisticated threats.
Medusa
Medusa is a ransomware group that emerged in late 2022 and operates as a Ransomware-as-a-Service (RaaS) platform. It is a distinct family from the similarly named MedusaLocker. Medusa has quickly gained notoriety for targeted attacks across multiple sectors, including education, healthcare, and government services. The ransomware targets both Windows and Linux systems; before encrypting, it deletes volume shadow copies to hinder recovery and terminates processes and services (backup, database and security tooling) that would otherwise hold files open or interfere with encryption.
Victims are directed to a dark web site for ransom negotiations, often facing demands that range from hundreds of thousands to millions of dollars. Medusa’s rapid rise reflects the continued evolution of ransomware threats, posing a significant risk to organizations worldwide.
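Shadow-copy deletion and process termination ahead of encryption are not unique to Medusa; nearly every current ransomware family does both, and they are among the most reliable pre-encryption signals a defender can alert on. The following detector is an added example written for this article, not Halcyon's code or anything recovered from Medusa itself. It runs over a handful of constructed process-creation records (Sysmon Event ID 1 / Windows 4688 style, with invented hostnames, users and timestamps), tags command lines that delete or starve shadow copies or forcibly stop processes and services, and escalates a host to high severity when both behaviours occur together within a short window. The command-line patterns are the well-known built-in Windows ways of achieving those effects and are assumptions about what a given affiliate runs, not Medusa-specific indicators.

```python
"""Flag inhibit-recovery and kill-process behaviour in process-creation logs."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (Sysmon Event ID 1 style). Hosts, users and
# timestamps are invented; the first and last records are benign noise.
SAMPLE_EVENTS = [
    {"ts": "2024-07-28T02:14:05", "host": "FS01", "user": "CORP\\svc_backup",
     "image": "C:\\Program Files\\Veeam\\Backup\\Veeam.Backup.Manager.exe",
     "cmdline": "Veeam.Backup.Manager.exe -job nightly"},
    {"ts": "2024-07-28T02:41:10", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin.exe Delete Shadows /All /Quiet"},
    {"ts": "2024-07-28T02:41:12", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\wbem\\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"ts": "2024-07-28T02:41:20", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\taskkill.exe",
     "cmdline": "taskkill /F /IM sqlservr.exe"},
    {"ts": "2024-07-28T02:41:21", "host": "FS01", "user": "CORP\\jdoe",
     "image": "C:\\Windows\\System32\\net.exe",
     "cmdline": "net stop MSSQLSERVER /y"},
    {"ts": "2024-07-28T09:03:44", "host": "WS22", "user": "CORP\\it_admin",
     "image": "C:\\Windows\\System32\\vssadmin.exe",
     "cmdline": "vssadmin list shadows"},
]

# Built-in Windows ways to delete or starve shadow copies and disable recovery.
SHADOW_PATTERNS = {
    "vssadmin_delete_shadows": re.compile(r"\bvssadmin(?:\.exe)?\s+delete\s+shadows\b", re.I),
    "vssadmin_resize_shadowstorage": re.compile(r"\bvssadmin(?:\.exe)?\s+resize\s+shadowstorage\b", re.I),
    "wmic_shadowcopy_delete": re.compile(r"\bwmic(?:\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete_catalog": re.compile(r"\bwbadmin(?:\.exe)?\s+delete\s+catalog\b", re.I),
    "bcdedit_disable_recovery": re.compile(
        r"\bbcdedit(?:\.exe)?\s+/set\s+\{default\}\s+"
        r"(?:recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
    "powershell_win32_shadowcopy_delete": re.compile(r"win32_shadowcopy.*?\.delete\(\)", re.I),
}
# Forced termination of processes/services that hold files open or defend the host.
KILL_PATTERNS = {
    "taskkill_force": re.compile(r"\btaskkill(?:\.exe)?\b.*\s/f\b", re.I),
    "net_stop_service": re.compile(r"\bnet(?:1)?(?:\.exe)?\s+stop\s+\S+", re.I),
    "sc_stop_service": re.compile(r"\bsc(?:\.exe)?\s+stop\s+\S+", re.I),
}


def tag_event(event):
    """Return the technique tags whose pattern matches this event's command line."""
    cmd = event["cmdline"]
    tags = [f"shadow:{name}" for name, rx in SHADOW_PATTERNS.items() if rx.search(cmd)]
    tags += [f"kill:{name}" for name, rx in KILL_PATTERNS.items() if rx.search(cmd)]
    return tags


def correlate(events, window=timedelta(minutes=10)):
    """Group tagged events per host and rate severity.

    low: only kill-process activity; medium: shadow-copy tampering alone;
    high: both on the same host within `window` (classic pre-encryption sequence).
    """
    per_host = defaultdict(list)
    for ev in events:
        tags = tag_event(ev)
        if tags:
            per_host[ev["host"]].append((datetime.fromisoformat(ev["ts"]), tags, ev))
    alerts = []
    for host, hits in per_host.items():
        hits.sort(key=lambda h: h[0])
        shadow = [h for h in hits if any(t.startswith("shadow:") for t in h[1])]
        kills = [h for h in hits if any(t.startswith("kill:") for t in h[1])]
        severity = "medium" if shadow else "low"
        if shadow and kills and min(abs(k[0] - s[0]) for s in shadow for k in kills) <= window:
            severity = "high"
        alerts.append({"host": host, "severity": severity,
                       "tags": sorted({t for h in hits for t in h[1]}),
                       "users": sorted({h[2]["user"] for h in hits}),
                       "first_seen": hits[0][0].isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_EVENTS):
        print(alert)
```

In the constructed sample only FS01 fires, at high severity, because shadow-copy deletion and forced process termination land on the same host within seconds; the `vssadmin list shadows` on WS22 and the backup job are ignored. In production, backup agents legitimately call vssadmin (usually to create or resize shadow storage, not to delete all shadows), so tune the resize rule per host and key the correlation on the user and parent process as well as the host before paging anyone.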
Medusa's attacks typically involve the exfiltration of substantial amounts of sensitive data, creating severe risks for affected organizations. For instance, Vivara, a leading Brazilian jewelry company, was breached by Medusa, resulting in the exfiltration of 1.18 TB of sensitive data, including customer records and financial details. Similarly, Coffrage LD, a major construction firm in Québec, Canada, experienced an attack where 453.4 GB of data, including project details and financial information, was stolen. These incidents highlight Medusa’s capability to disrupt operations significantly and compromise critical data integrity.
Significant Attacks
- American Golf Corporation, a prominent U.S. golf industry operator, was targeted by Medusa in July 2024. The attackers claimed to have exfiltrated 155 GB of sensitive data, including member and employee information, financial records, and internal communications. The ransom demand of $2 million underscores the high stakes involved in such breaches. This incident highlights the vulnerability of organizations with extensive digital operations and large datasets.
- The Royal Brighton Yacht Club, a prestigious sailing club in Australia, also fell victim to Medusa, resulting in the theft of over 94 GB of data, including personal and financial information of members and employees. The attack was facilitated by a compromised third-party remote support tool, leading to system encryption and a ransom demand of $100,000. This incident underscores the potential for operational disruptions in the hospitality and leisure sectors due to ransomware attacks and the vulnerabilities associated with third-party services.
Play
The Play ransomware group, also known as PlayCrypt, emerged as a major cyber threat in June 2022. Initially targeting Latin America, the group quickly expanded its operations to North America, South America, and Europe, affecting a diverse range of industries, including IT, construction, government entities, and critical infrastructure.
Play affiliates gain access through exposed RDP servers and known vulnerabilities in FortiOS and Microsoft Exchange, and the encryptor appends the .play extension to encrypted files. Unusually, Play's ransom notes state no amount; victims are instead directed to contact the group by email to learn the demand, which keeps the figure off leak-site and note samples and gives the negotiators room to size it per victim.
Play ransomware's attacks typically involve the exfiltration of substantial amounts of sensitive data, significantly disrupting affected organizations. For instance, the attack on The Computer Merchant, a veteran-owned IT staffing firm, compromised private and personal confidential information, client documents, payroll records, and financial data.
This breach posed severe risks to the company's operations and client relationships, highlighting vulnerabilities in its cybersecurity defenses. Similarly, Williams Construction, a reputable design-build construction firm, experienced a ransomware attack that exposed sensitive data, including client documents, contracts, and tax information, threatening operational continuity and client trust.
Significant Attacks
- OfficeOps, a provider of business software and consulting services across the United States known for its ERP and B2B eCommerce work, was hit by Play ransomware. The breach exposed confidential information, including client documents and financial data. Because the company is a Microsoft Certified Partner with access to client environments, the compromised data poses serious risks to its own operations and to client trust, and calls for immediate countermeasures to contain the damage.
- Congoleum Corporation, established in 1886, is a prominent manufacturer in the flooring industry based in Mercerville, NJ. The Play ransomware group targeted Congoleum, compromising a significant volume of sensitive data, including private information, client documents, and financial records. The attackers have already published a portion of this data online, threatening to release more if their demands are unmet. This breach escalates the urgency for Congoleum to respond swiftly to protect its operations and maintain its longstanding reputation in the industry. The attack on Congoleum illustrates the vulnerability of even established companies to modern cyber threats, highlighting the importance of proactive cybersecurity measures.
RansomHub
RansomHub is a ransomware family that emerged in 2024, operating as a Ransomware-as-a-Service (RaaS) platform and believed to have roots in Russia. This group distinguishes itself by writing its ransomware in Golang, a programming language gaining popularity for its cross-platform capabilities and robustness.
RansomHub's malware targets both Windows and Linux systems, providing affiliates with tools to launch attacks in exchange for a share of the ransom—90% goes to affiliates, with 10% retained by the main group. The group targets sectors across the globe, including countries such as the United States, Brazil, Indonesia, and Vietnam, without a specific geographical pattern. Their attacks often focus on healthcare institutions, leveraging the critical nature of the data and services these organizations handle.
RansomHub's attacks typically involve the exfiltration of substantial amounts of sensitive data, posing severe risks to affected organizations. For example, the Castelli Group, a real estate development and property management company based in Perth, Western Australia, suffered a breach where RansomHub exfiltrated approximately 300 GB of sensitive information.
The compromised data included financial records and proprietary business data, demonstrating the group's capability to significantly disrupt operations and compromise critical data integrity. The Castelli Group’s vertically integrated business model and substantial market presence make it an attractive target for ransomware attacks seeking financial gain.
Significant Attacks
- AutoCorp Group Holding, a prominent vehicle parts and insurance company in Thailand, was hit by a ransomware attack from the RansomHub group. This incident involved the encryption and exfiltration of sensitive data from its servers, including private documents, databases, and source code. RansomHub demanded a ransom payment to prevent the release of this confidential information, highlighting the group's aggressive tactics and the potential for operational and reputational damage.
- The Neurological Institute of Savannah, a leading healthcare facility specializing in neurology and neurosurgery, was also targeted by RansomHub. The attackers exfiltrated hundreds of gigabytes of sensitive data, including private patient information and employee details. They threatened to leak this data publicly if their demands were not met, posing severe reputational risks and potential legal actions from affected patients. This attack underscores the vulnerabilities in the healthcare sector, where the critical nature of services and the sensitivity of patient data make organizations prime targets for ransomware groups.
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.