Ransomware on the Move: BlackSuit, Everest, Akira, Meow
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: BlackSuit, Everest, Meow, Akira...
Ransomware activity for the week of November 11–17 revealed persistent targeting of critical industries, with notable campaigns by Everest, Meow, and Akira ransomware groups leading the charge.
Ransomware attacks continued to hit the healthcare sector, particularly hospitals and physician clinics, which together accounted for 12 incidents this week. The manufacturing sector also remained a prime target. Internationally, ransomware actors expanded their reach, with several attacks targeting government entities, reflecting a growing interest in public sector disruption.
Among this week’s events:
- Everest focused heavily on dental clinics, with targeted efforts against Value Dental Center, Asaro Dental Aesthetics, and Artistic Family Dental.
- The Meow group raised eyebrows with questionable breach claims.
- Akira faced scrutiny over duplicate entries.
BlackSuit
BlackSuit demonstrated its operational prowess this week, executing a flurry of 14 attacks and making it one of the most active ransomware groups in recent days. BlackSuit uses payloads compatible with both Windows and Linux systems.
The group gains initial access through vectors such as phishing campaigns. Its activities target industries including healthcare, education, and manufacturing, with recorded victims in the US, Canada, Brazil, and the UK.
This week, the group's aggressive publication of breaches and consistent activity on its victim leak site indicate a surge in its operational tempo. The increase in campaigns over the past months suggests potential updates to its methods, tools, or vulnerability exploits:
- Billy Heroman's, a major retail business specializing in floral arrangements and plant services in Baton Rouge, Louisiana, became a victim of BlackSuit ransomware. The attack resulted in the exfiltration of 73.41GB of data, encompassing over 70,000 files from critical directories, including accounting records, financial budgets, contracts, and human resources documentation. This breach exposes significant operational and financial data, threatening the company's $19.6 million annual revenue and undermining client confidentiality. Billy Heroman's plays a key role in the local retail industry, offering plantscape maintenance services.
- The Marysville Exempted Village School District in Ohio is another notable target of BlackSuit ransomware claims this week. The group claims to have exfiltrated 121GB of data from the district's network, a breach acknowledged by the district on October 26, 2024. This acknowledgment followed disruptions to IT systems that forced the cancellation of classes. Although district officials reassured families that the attackers did not access sensitive personal information, BlackSuit asserts that it accessed a substantial volume of administrative and educational directories. In response to the attack, Marysville activated its incident response plan, which involved notifying state and federal law enforcement and engaging cybersecurity experts to contain and investigate the breach. The group has not disclosed the ransom amount, and the specific entry vector remains under investigation, but initial findings suggest a significant compromise of internal systems, likely affecting the district's ability to deliver services and manage resources.
Akira
Akira stood out as one of the most active ransomware groups this week, showcasing a renewed wave of operations with several significant attacks. Akira operates as a Ransomware-as-a-Service (RaaS) platform. It employs double extortion tactics, encrypting files and exfiltrating sensitive data to coerce ransom payments ranging from $200,000 to $4 million.
This week marked Akira’s biggest spike in activity for 2024, with 15 attacks in one day, including 5 new entries added to Halcyon’s Attack Lookout (HAL) database. While some attack claims included duplicates of prior incidents, Akira continues to assert dominance as one of the top groups in the Ransomware Malicious Quartile report.
The group used personalized ransom notes and detailed file trees on its dark web victim site as proof of these breaches, which lends credibility to its claims. This surge in activity highlights Akira's continued focus on large-scale data exfiltration.
- Dumont Printing, a well-established commercial printing company based in California, became a victim of Akira ransomware. The attack resulted in a breach of sensitive employee and customer data, which reportedly includes contact information and driver's licenses. While the exact size of the data breach remains undisclosed, the exposed information presents severe risks to the privacy and security of affected individuals. Dumont Printing, founded in 1950 and renowned for its services in graphic design, printing, finishing, and mailing, now faces significant challenges in addressing the repercussions of the breach.
- Followmont Transport Pty Ltd, a leading transportation company based in Australia, also fell victim to Akira ransomware, with the group claiming to have exfiltrated 230GB of sensitive data. The stolen files reportedly include non-disclosure agreements, personally identifiable information, medical records, and financial documents. The breach was detected in October 2024, prompting Followmont to immediately notify the authorities. Despite the exfiltration claims, Followmont’s systems remain fully operational, and the company has implemented enhanced monitoring to prevent further activity. Followmont has prioritized the verification of Akira’s claims and assured stakeholders of ongoing efforts to safeguard its systems. The company has maintained regular communication with employees and external partners, while advising against accessing Akira’s dark web leak site to avoid additional risks.
Impact, Response, and Statements
This week saw a range of public statements and responses from ransomware victims, reflecting the growing pressure on organizations across critical industries to address and communicate the impact of these attacks.
Verified incidents logged in Halcyon’s Attack Lookout (HAL) involved victims from the United States, Israel, Australia, Egypt, Mexico, Bangladesh, and Argentina. These statements varied widely, from denials of breaches to acknowledgments of ransomware attacks, alongside public disclosures on the depth of data compromises.
Notably, attackers continued to target critical infrastructure, including healthcare, government, and telecommunications sectors.
American Associated Pharmacies (AAP)
The Embargo ransomware group has targeted American Associated Pharmacies (AAP), a cooperative representing over 2,000 independent pharmacies in the United States. The attackers claim to have exfiltrated and encrypted 1.469TB of data and set a ransom deadline for November 20. Embargo alleges that AAP previously paid $1.3 million for decryption keys but now demands an additional $1.3 million to prevent the publication of the stolen data.
In response, AAP has taken steps to mitigate the breach's impact, including restoring limited ordering capabilities on its API Warehouse platform and resetting all user passwords for both its sites. These measures reflect a comprehensive breach response effort, although the group’s persistent demands underline the ongoing risks organizations face even after partial recovery.
Egyptian Tax Authority
The Egyptian Tax Authority, a critical governmental body established to build trust within the country's tax community, has reportedly been targeted by the MoneyMessage ransomware group. The attackers claim to have exfiltrated 500GB of sensitive data from the authority's systems. However, the Egyptian Tax Authority has publicly denied these assertions, maintaining that its advanced security measures have successfully safeguarded its data against unauthorized access.
While no breach confirmation has been provided, the incident raises critical questions about the resilience of public sector organizations to sophisticated ransomware campaigns. This denial also reflects broader trends in government responses, where reputational concerns often influence the communication of cyber incidents.
Government of Mexico
The Government of Mexico is grappling with another ransomware attack, this time perpetrated by RansomHub ransomware. The attackers assert that they have stolen 313GB of sensitive data, including government contracts, insurance documents, financial records, and other confidential files. RansomHub has leaked a sample of the compromised data, reportedly containing sensitive and confidential information, including personal details from a government employee database.
The breach has been officially acknowledged by the government, which has indicated that a formal report on the hack is forthcoming. The targeted office, known as the presidential legal counsel, handles numerous non-criminal legal matters for the federal government.
Cooperativa Telefónica de El Calafate (COTECAL)
Brain Cipher has taken responsibility for a cyberattack on Cooperativa Telefónica de El Calafate (COTECAL), a telecommunications provider in Argentina. The attack involved a ransom demand of $80,000 in cryptocurrency, accompanied by a 48-hour ultimatum.
The incident caused significant disruptions to internet and TV services, although connectivity has gradually been restored for most users. Despite Brain Cipher's claim of exfiltrating 150GB of data, COTECAL has publicly refused to comply with the ransom demand. The company continues to face operational challenges, as its management system remains affected. In response, COTECAL has reassured users that its technical team is working diligently to resolve the situation and fully restore services.
Weekly Mini: Did Meow Rehash Old BlackSuit Claims?
A recent surge of claims from Meow has raised questions about the authenticity of their breach announcements. Analysis uncovered a troubling pattern: several of Meow’s claimed attacks match previously confirmed breaches attributed to BlackSuit ransomware throughout this year.
The overlap was further validated by a public statement from victim Herron Todd White, as reported to Cyberdaily, which explicitly identified Meow’s claims as duplicates of prior BlackSuit breaches. Below are some of the notable matches from our database between Meow’s recent announcements and BlackSuit’s earlier activity:
- Karl Malone Toyota (BlackSuit, August 29, 2024): This attack compromised 132GB of data across critical directories, including payroll, QuickBooks, sales, and other essential business documents. The data was reportedly valuable for potential fraudulent schemes, as suggested by the attackers.
- Herron Todd White (BlackSuit, April 27, 2024): Announced on BlackSuit’s dark web leak site, this attack involved the encryption of valuable company data, although specific details on the breach’s scope were not disclosed.
- Zyloware Eyewear (BlackSuit, October 25, 2024): In this case, 127GB of data was compromised, causing significant operational disruptions and potentially harming the company’s reputation.
This discovery points to a potential role for Meow as a data broker, leveraging existing data from past breaches to bolster its attack claims. While it is common for ransomware groups to recycle data or exaggerate their capabilities, the situation with Meow is notable for having been confirmed by a victim.
Despite these revelations, Meow remains a serious threat, particularly to small and medium-sized businesses (SMBs). Their activity reflects a dangerous evolution in ransomware operations, where groups prioritize publicizing claims to sustain pressure on victims and maintain visibility within the ransomware ecosystem.