Ransomware on the Move:  BianLian, Helldown, Meow, RansomHub

Published on
August 27, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: BianLian, Helldown, Meow, and RansomHub

In the week spanning August 12 to August 18, 2024, the cybersecurity landscape saw an uptick in ransomware activities, with some of the most prolific ransomware groups intensifying their operations. The frequency and sophistication of these attacks highlight the persistent and evolving threat that ransomware continues to pose to organizations across multiple sectors.

Among the most active were four notorious ransomware groups: BianLian, Helldown, Meow, and RansomHub. Their targets spanned a wide range of industries such as manufacturing, business services, and construction.

Notable victims included Mohawk Valley Cardiology PC and Benson Kearley IFG, both attacked by BianLian, while Helldown set its sights on Zyxel Networks and Hug-Witschi AG. Meow disrupted operations at Lennartsfors AB and Zydus Pharmaceuticals, and RansomHub targeted Regent Caravans and Manotherm.

As these ransomware groups continue to refine their techniques, the attacks during this period underscore the importance of strong cybersecurity measures and constant vigilance among organizations. The fallout from these incidents serves as a reminder of the critical need for proactive defense strategies in an increasingly hostile cyber environment.

BianLian


BianLian has quickly established itself as a dominant force in the ransomware threat landscape. Originally emerging as a banking trojan, the group has evolved into a sophisticated ransomware operation, expanding its reach across North America and Europe, with a particular focus on the United States, United Kingdom, and Canada. BianLian is notorious for targeting sectors rich in high-value data, including healthcare, finance, manufacturing, and professional services. Unlike traditional ransomware models that primarily rely on data encryption, BianLian favors exfiltration-based extortion, threatening to release sensitive information unless a ransom is paid. This approach, combined with their use of compromised Remote Desktop Protocol (RDP) credentials and custom backdoors, has solidified their reputation as a formidable threat actor.

BianLian's attacks frequently involve the theft of significant amounts of sensitive data, which they use to coerce their victims. A notable incident involved Southwest Family Medicine Associates, a healthcare provider in Dallas, Texas, where the group exfiltrated 400 GB of sensitive data, including patient records and personal information. Similarly, PBC Companies, a construction firm in California, suffered a breach that resulted in the theft of 300 GB of critical project information and business data. These cases illustrate the severe operational and reputational damage that BianLian's attacks can inflict.

Significant Attacks Claimed by BianLian

See more of BianLian’s recent ransomware attacks here

Helldown


Helldown, a relatively new but highly aggressive ransomware group, has rapidly made a name for itself within the cybersecurity landscape. Known for its sophisticated encryption techniques, such as AES, Salsa20, and RSA, Helldown operates with a high degree of anonymity, utilizing the dark web and cryptocurrencies to mask its activities. The group is particularly feared for its ability to infiltrate networks by exploiting vulnerabilities and disabling security measures, making it a formidable adversary in various sectors, including IT services, telecommunications, and manufacturing. Helldown’s strategy involves exfiltrating large volumes of sensitive data and threatening to release it publicly unless a ransom is paid, a tactic that has proven both effective and destructive.

During the week of August 12-18, 2024, Helldown executed several high-profile attacks, compromising significant amounts of sensitive data. For instance, KBO Fire & Security Ltd, a UK-based company specializing in fire and security solutions, was targeted, resulting in the exfiltration of critical business data. Similarly, XPERT Business Solutions GmbH, a Vienna-based company specializing in legal technology solutions, suffered a breach where 32 GB of sensitive data was stolen. These attacks underscore Helldown’s capacity to cause substantial operational disruptions and financial losses, affecting companies that are leaders in their respective industries.

Significant Attacks Claimed by Helldown

See more of Helldown’s recent ransomware attacks here

Meow


Meow Ransomware, a group that surfaced in late 2022, has grown increasingly notorious in 2024 for its aggressive targeting of organizations, primarily within the United States. Associated with the Conti v2 ransomware variant, Meow Ransomware employs various sophisticated infection methods, including phishing emails, exploit kits, and vulnerabilities in Remote Desktop Protocol (RDP). The group is particularly known for encrypting files using a combination of ChaCha20 and RSA-4096 algorithms. Meow Ransomware has seen a resurgence in activity, maintaining a data leak site where they list victims who have refused to pay the demanded ransom. Their operations frequently focus on industries with sensitive data, such as healthcare, making them a persistent threat in the cybersecurity landscape.

Meow Ransomware’s attacks generally involve the exfiltration of substantial amounts of sensitive data, which they then leverage to pressure victims into paying ransoms. A recent attack on Lennartsfors AB, a Swedish company specializing in off-road and on-road transport equipment, saw the group steal 17 GB of sensitive organizational data. This breach included employee information, client data, and financial records, severely disrupting the company’s operations. Similarly, Rostance Edwards, a UK-based accountancy firm, was compromised by Meow Ransomware, resulting in the theft of 7 GB of data. The stolen data encompassed client information, personal data, and financial records, posing a significant risk to both the firm’s reputation and its clients' privacy.

Significant Attacks Claimed by Meow

See more of Meow’s recent ransomware attacks here

RansomHub


RansomHub, a relatively new ransomware group, has quickly gained notoriety in the cybersecurity landscape since its emergence in early 2024. Operating as a Ransomware-as-a-Service (RaaS) platform, RansomHub offers a revenue-sharing model where affiliates receive 90% of the ransom, with the remaining 10% allocated to the core group. Believed to have roots in Russia, RansomHub targets a wide range of industries globally, including the United States, Brazil, Indonesia, and Vietnam. Their ransomware strains, written in Golang, are noted for their efficiency and cross-platform capabilities, enabling the group to execute sophisticated attacks on both Windows and Linux systems.

RansomHub's operations are characterized by the rapid encryption of files and the exfiltration of large volumes of sensitive data, which they use as leverage to demand substantial ransoms. In a recent attack on NRcollecties.nl, a Netherlands-based luxury goods and jewelry company, RansomHub exfiltrated over 8 gigabytes of sensitive data, including documents, databases, and source code. The attackers threatened to release this data if their ransom demands were not met, putting significant pressure on the company. Another incident involved Allan McNeill Chartered Accountants, a New Zealand-based firm, where RansomHub managed to steal 30 gigabytes of data, including potentially sensitive financial information, posing a significant risk to the firm's clients and operations.

Significant Attacks by RansomHub

See more of RansomHub’s recent ransomware attacks here

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.