Ransomware on the Move: Akira, Meow, Qilin, RansomHub
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: Akira, Meow, Qilin, and RansomHub...
During the week of September 23-30, 2024, ransomware activity surged, with groups like Akira, Meow, Qilin, and RansomHub launching high-impact attacks across key sectors such as manufacturing, healthcare, and construction.
- Akira maintained its aggressive stance, carrying out significant breaches, including one at Schäfer, dein Bäcker, a German bakery chain, where 14 GB of sensitive data was exfiltrated, and another at Concord Management Services, a construction firm that lost 23 GB of financial and personal records.
- Meow, another prominent actor, focused its efforts on sensitive sectors such as healthcare and legal services, notably targeting Community Hospital of Anaconda and stealing 540 GB of critical patient data. Meanwhile, Lee Hoffoss Injury Lawyers suffered a breach involving 14 GB of confidential legal information.
- Qilin's breach of Canstar Restorations led to the exfiltration of 287 GB of sensitive data.
- RansomHub struck critical industries such as infrastructure and production, attacking Markdom Plastic Products and McAbee Construction.
Akira
Akira ransomware has been a significant player in the cybersecurity landscape since its emergence in March 2023. The group, known for employing sophisticated techniques and aggressive double-extortion tactics, targets various industries, including healthcare, finance, and education.
Operating under a Ransomware-as-a-Service (RaaS) model, Akira allows affiliates to use its tools to launch their own ransomware campaigns. Akira's hybrid encryption schemes, combined with its ability to exploit vulnerabilities in VPN software and login credentials, have made it a formidable force, with over 250 attacks recorded to date.
The group has reportedly generated more than $42 million in ransom payments, cementing its position as a major ransomware threat. Recent attacks illustrate Akira’s continued focus on exfiltrating sensitive data.
Significant Attacks:
- ATG Communications Group, a Canadian telecommunications company, suffered an attack by Akira that compromised sensitive files, including credit card information, employee data, and confidential business agreements.
- Another significant Akira attack targeted Avi Resort & Casino, where 17 GB of sensitive operational data related to guest services was exfiltrated. These incidents underscore Akira’s ability to exploit vulnerabilities across various industries, from telecommunications to hospitality.
- Concord Management Services, a U.S.-based company specializing in construction projects, became one of the most prominent victims of the Akira ransomware group in September 2024. Akira claims to have exfiltrated 23 GB of highly sensitive data, including Social Security Numbers (SSNs), personal addresses, and phone numbers of employees. The stolen data also extends to confidential financial documents and critical business agreements, posing severe risks to both employees and the organization. Furthermore, Akira’s dark web site revealed that the breach involved not just Concord’s data, but also files from two other companies, indicating a broader, multi-company impact. The potential fallout includes substantial operational disruption, financial losses, and reputational damage.
- Lawrie Insurance Group, a major independent insurance brokerage in Canada, also suffered a substantial breach in September 2024 at the hands of Akira. The group claims to have stolen 48 GB of sensitive corporate and client data, including detailed financial records, employee files, and private client information. As one of the largest brokerages in Canada, Lawrie Insurance’s client base spans various industries, meaning the breach could have widespread consequences. The group’s direct threat to release this stolen data if ransom demands are not met poses significant privacy, security, and legal risks, not only for the brokerage itself but for its numerous clients, whose confidential information is now at risk of exposure. The incident is particularly concerning due to the nature of the insurance sector, which handles a vast amount of sensitive personal and financial data.
Meow
Meow Ransomware has reemerged as a major threat in 2024, following its ties to the Conti v2 variant. The group primarily targets organizations in the U.S., utilizing advanced encryption algorithms like ChaCha20 and RSA-4096.
Known for aggressive double extortion, Meow exfiltrates sensitive data before encrypting files and pressures victims to pay ransom under the threat of public data exposure on their leak site. The group has focused on sectors such as healthcare, legal services, and financial institutions, often infiltrating networks via vulnerabilities in Remote Desktop Protocol (RDP) systems and phishing tactics.
Significant Attacks:
- Alvan Blanch Development Company Ltd., a British manufacturing firm specializing in agricultural machinery, was hit by Meow. Meow claims to have exfiltrated 255 GB of sensitive data, including employee information, client contracts, personal data, and financial records, exposing the company to potential operational and reputational risks.
- Moeller Door & Window, a small family-owned business based in Ohio, also fell victim to Meow. The attack compromised 12 GB of internal data, highlighting the vulnerabilities faced by small businesses in sectors that are traditionally not considered high-risk targets. Both companies are grappling with the fallout of having critical data stolen and encrypted by Meow Ransomware.
- Lee Hoffoss Injury Lawyers, a prominent personal injury law firm based in Lake Charles, Louisiana, was attacked by Meow. The attackers claim to have exfiltrated 14 GB of sensitive information, including client medical records, Social Security numbers, internal financial documents, payment details, legal agreements, and attorney correspondence with insurance companies. The firm's reliance on digital communication and sensitive client data made it an ideal target for Meow’s extortion tactics. The stolen data, now advertised for sale at $20,000, could severely impact the firm's clients and its reputation, with potential legal consequences stemming from the exposure of confidential information.
- MacGillivray Law, the largest injury and disability law firm in Atlantic Canada, was also targeted by Meow. Over 110 GB of confidential data, including client information, business contracts, employee personal records, SQL databases, and legal documents, were exfiltrated in the attack. MacGillivray Law, with offices in Halifax, New Glasgow, Moncton, and St. John's, is known for handling high-profile injury claims. The data breach poses significant legal, reputational, and financial risks to the firm, with the attackers threatening to release the stolen information on their leak site, exposing sensitive details related to ongoing litigation and internal financial operations.
Qilin
Qilin Ransomware, initially launched as Agenda ransomware in 2022, has evolved into a significant cyber threat, operating under a Ransomware-as-a-Service (RaaS) model. Its transition to Rust-based malware in 2023 has increased its ability to evade detection across multiple platforms, including Windows, Linux, and VMware ESXi environments.
Qilin employs double extortion, threatening to release encrypted data if ransom demands are not met. The group has been linked to over 150 attacks across 25 countries, focusing on sectors such as healthcare, education, and large enterprises.
Significant Attacks:
- Qilin hit Canstar Restorations, a major Canadian property restoration company, where 287 GB of sensitive data was exfiltrated. Canstar, a leader in fire and water restoration services, operates multiple offices across Western Canada, making the breach particularly disruptive.
- Keller Williams Realty Group, the largest real estate franchise in the U.S., experienced a breach in which Qilin exfiltrated significant amounts of real estate transaction records and client information.
- Detroit PBS, a non-commercial public television station in Michigan, became one of Qilin's most notable targets in late September 2024. The attackers claim to have compromised 573 GB of sensitive data, which impacts the station's ability to serve its audience. Detroit PBS, known for its diverse educational programming, operates independently with substantial community support. This breach threatens the integrity of the station’s data and its viewer-supported operations.
- Kravit, Hovel & Krawczyk SC, a boutique law firm based in Wisconsin, specializing in high-stakes litigation, also fell victim to Qilin. The group claims to have exfiltrated 510 GB of sensitive legal documents related to client cases, including personal information and business contracts. The firm’s reputation for handling complex legal disputes could be significantly impacted by the potential exposure of this data, raising privacy and security concerns for its clients.
RansomHub
RansomHub, emerging in February 2024, has quickly positioned itself as an aggressive force within the ransomware landscape. Operating as a Ransomware-as-a-Service (RaaS) group, RansomHub allows affiliates to use its advanced malware to carry out high-impact attacks.
Focusing on sectors such as healthcare, financial services, and government, the group employs swift and efficient encryption techniques, leveraging data exfiltration to pressure victims into paying substantial ransoms. By September 2024, RansomHub had listed over 210 victims on its dark web leak site, a reflection of the group's expanding operations.
Significant Attacks:
- RansomHub hit Rocky Mountain Gastroenterology (RMG), a leading healthcare provider in Denver, where 200 GB of sensitive data, including patient medical records and financial information, was exfiltrated.
- Markdom Plastic Products Ltd, a Canadian manufacturer with annual revenues of $16.7 million, was also attacked by RansomHub, resulting in 160 GB of proprietary data being stolen. Both cases underscore how RansomHub focuses on organizations with valuable data, leveraging the threat of exposure to extract ransoms.
- Usina Coruripe, a prominent Brazilian company in the sugar and ethanol industry, discovered a ransomware attack by RansomHub. The attackers claim to have stolen 50 GB of sensitive data, including proprietary company information. Usina Coruripe produces around 470 million liters of ethanol annually and is a leader in sugar production, employing over 9,000 individuals. The company faces severe operational risks if the data is published, as the group has threatened to release the stolen information in the coming weeks.
- The TOKIWA Group, a diversified Japanese conglomerate, was also targeted by RansomHub in late September. The group claimed responsibility for the attack, encrypting critical data and threatening to expose the company unless a ransom is paid. The incident has led to significant operational disruptions for the TOKIWA Group, which operates in sectors including construction, hospitality, and energy, with annual revenue exceeding 11.5 billion yen.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile