Ransomware on the Move: Helldown, Lynx, Medusa, RansomHub
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: Helldown, Lynx, Medusa, and RansomHub.
This week's ransomware activity showcased the persistent threat these groups pose to critical industries worldwide. Prominent sectors targeted included manufacturing, construction, healthcare, and government, with attackers exploiting specific vulnerabilities in organizations pivotal to supply chains, infrastructure, and public services:
- Helldown launched sophisticated attacks on entities such as Fuelco US in the energy sector and La Clinique Du Coureur in healthcare, exfiltrating sensitive operational data.
- Lynx targeted organizations across manufacturing and logistics, including Siltech Corporation, known for its innovative silicone compounds, and Nebraskaland, a wholesale distributor in the food supply chain.
- Medusa continued its aggressive campaigns, breaching Marisa S.A., a retail leader in Brazil, and Alliance Technical Group, a significant environmental services provider.
- RansomHub leveraged its double extortion tactics to impact entities such as District 5 City Hall in Bucharest and Arco Excavation and Paving in the construction industry.
This week's activity underscores the precision with which ransomware groups exploit vulnerabilities in organizations pivotal to supply chains, infrastructure, and public services, leveraging sector-specific tactics to maximize disruption and pressure on their victims.
Helldown
Emerging in the third quarter of 2024, Helldown has swiftly gained notoriety for its focus on high-value sectors like IT services, telecommunications, and manufacturing.
The group exploits vulnerabilities in Zyxel firewalls to access networks and employs encryption algorithms like AES, RSA, and Salsa20, ensuring victims cannot recover their data without decryption keys.
Using a dual-extortion model, Helldown encrypts data while exfiltrating sensitive information to pressure victims into paying ransoms by threatening public exposure. Helldown's attacks are tailored to extract sensitive, business-critical data, amplifying the pressure on victims.
Significant Attacks
- Helldown attacked Fuelco US, a Houston-based energy company generating $6 million annually, and exfiltrated 183GB of operational and client-related data.
- La Clinique Du Coureur, a Quebec-based provider of running injury prevention and rehabilitation, also suffered a breach involving 76GB of sensitive data at the hands of Helldown, including client health records and proprietary training materials.
- Valley Firm, a legal services provider specializing in civil defense litigation in South Texas, faced a ransomware attack where Helldown exfiltrated and leaked 35GB of sensitive data. This breach compromised critical client records, financial documents, and internal communications, significantly affecting the firm’s operational integrity and reputation.
- Compass Funding Solutions, a financial services company focusing on factoring for the transportation sector, experienced a breach involving 287GB of exfiltrated data. This included client transaction records and internal documentation, posing severe risks to the company’s operations. Compass’s annual revenue of $17.6 million underscores the potential impact of such an attack on its ability to provide cash flow solutions to its clients.
Lynx
Lynx, a Ransomware-as-a-Service (RaaS) group that emerged on July 29, 2024, has already carried out over 22 attacks targeting manufacturing, construction, and logistics sectors.
Believed to be a rebranding of the INC ransomware, Lynx operates primarily in Windows environments. The group employs phishing campaigns and malicious downloads to gain initial access, appending the .lynx extension to encrypted files while erasing shadow copies to obstruct recovery efforts.
Lynx’s operations are characterized by its focus on high-value data, often crippling supply chains and industrial processes.
Significant Attacks
- Lynx claimed an attack on Nebraskaland, a Bronx-based distributor of meat and seafood products with $10 million in annual revenue; Lynx encrypted critical systems and exfiltrated supply chain and distribution data.
- Lynx also attacked Siltech Corporation, a Canadian manufacturer specializing in silicone compounds. Lynx exfiltrated critical R&D data from its facilities, threatening the integrity of Siltech’s patented innovations and jeopardizing its competitive standing in the industry.
- WIMCO Corp., a general contractor in North Carolina, suffered a Lynx ransomware attack that encrypted critical operational data. This disruption significantly hindered internal processes and client services. Phishing emails were reportedly used to deliver the ransomware payload, with attackers demanding a significant cryptocurrency ransom.
- DZS Inc., a telecommunications solutions provider based in Plano, Texas, also fell victim to Lynx. The attackers infiltrated DZS’s network infrastructure, exfiltrating sensitive client and proprietary data. Lynx released samples of the stolen data, highlighting the scale of the breach and the risks posed to the telecommunications sector.
Medusa
Medusa ransomware, active since late 2022, operates as a Ransomware-as-a-Service (RaaS) group, enabling affiliates to execute sophisticated attacks on industries such as education, healthcare, and government.
Medusa’s tactics include disabling critical services, erasing shadow copies, and exfiltrating data for double extortion. In 2024, the group has escalated its operations, targeting global organizations and leveraging dark web leak sites to intensify pressure on victims.
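The shadow-copy erasure described for both Lynx and Medusa above, and the .lynx extension Lynx appends to encrypted files, are among the most reliable pre- and mid-encryption signals a defender can alert on. The following Python is an added example, not Halcyon's code or tooling; the event records and detection rules are constructed here for illustration and assume a Sysmon-style feed with process-creation (Event ID 1) and file-creation (Event ID 11) records.

```python
import re

# Constructed, hypothetical events in a Sysmon-like shape; not telemetry
# from any organization named in the post.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"id": 1, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmd": "wmic shadowcopy delete"},
    {"id": 1, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    # Benign: listing shadow copies is routine administration and must not alert.
    {"id": 1, "image": r"C:\Windows\System32\vssadmin.exe",
     "cmd": "vssadmin.exe list shadows"},
    # File written with the .lynx extension from an unusual, user-writable path.
    {"id": 11, "image": r"C:\Users\alice\AppData\Local\Temp\upd.exe",
     "target": r"C:\Shares\Finance\Q3_report.xlsx.lynx"},
    {"id": 11, "image": r"C:\Program Files\Office\excel.exe",
     "target": r"C:\Shares\Finance\Q3_report.xlsx"},
]

# Three common ways shadow copies get deleted: vssadmin, WMIC, and WMI via PowerShell.
SHADOW_DELETE_PATTERNS = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"win32_shadowcopy.*\.delete\(\)", re.I),
]
# Extension named in the post for Lynx; extend with others as your intel warrants.
RANSOM_EXTENSIONS = (".lynx",)


def detect(events):
    """Return (rule_name, event) pairs for shadow-copy deletion and
    ransomware-extension file creation; everything else is ignored."""
    hits = []
    for ev in events:
        if ev["id"] == 1 and any(p.search(ev["cmd"]) for p in SHADOW_DELETE_PATTERNS):
            hits.append(("shadow_copy_deletion", ev))
        elif ev["id"] == 11 and ev["target"].lower().endswith(RANSOM_EXTENSIONS):
            hits.append(("ransomware_extension_written", ev))
    return hits


if __name__ == "__main__":
    for rule, ev in detect(SAMPLE_EVENTS):
        print(f"{rule}: {ev['image']}")
```

Because shadow-copy deletion typically precedes the encryption run, the first rule is worth routing to an automated response (host isolation) rather than a ticket queue.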
Significant Attacks
- Alliance Technical Group, a leading U.S.-based environmental services provider generating $300 million annually, was hit by Medusa, which exfiltrated 1.2TB of data, potentially including proprietary testing protocols and client compliance reports.
- Howell Electric Inc., a California-based electrical contractor, was also targeted by Medusa, which exfiltrated 189.9GB of sensitive business and project data, exposing operational blueprints and client information.
- Marisa S.A., one of Brazil’s largest retail chains specializing in women’s apparel, experienced a ransomware attack that disrupted its digital infrastructure. Medusa claimed responsibility, prompting Marisa to isolate systems and suspend certain operations to mitigate the impact. The company maintained store operations while evaluating the breach's full scope.
- Whitaker Construction Group, a prominent civil construction firm, was targeted by Medusa on November 5, 2024. The group claimed to have exfiltrated sensitive operational data, threatening public release within ten days unless demands were met. This incident highlights vulnerabilities in construction firms reliant on digital tools for project management.
RansomHub
Active since February 2024, RansomHub has emerged as a prominent Ransomware-as-a-Service (RaaS) operation. Known for its aggressive affiliate model, the group combines encryption with extensive data exfiltration, amplifying the pressure on victims.
With over 210 claimed attacks by August 2024, RansomHub targets high-value sectors, including government, healthcare, and manufacturing. RansomHub’s focus on exfiltrating sensitive data like financial records and proprietary information has disrupted critical services.
Significant Attacks
- Northwest Health Porter, a major healthcare provider in Indiana, lost 199GB of patient and operational data to RansomHub, significantly straining its services and exposing confidential patient information.
- Schweiker GmbH, a German manufacturer of building components, suffered a breach involving 198GB of proprietary data, with RansomHub publicly releasing the stolen data when ransom negotiations failed.
- District 5 City Hall in Bucharest, Romania, faced a large-scale ransomware attack. RansomHub infiltrated municipal servers, disrupting public services and the telephone network. A $5 million ransom was demanded, and threatening messages were displayed on affected systems. City officials collaborated with national cybersecurity agencies to contain the breach, although operations at headquarters were significantly disrupted.
- Arco Excavation and Paving, a Bentonville-based construction firm, was targeted by RansomHub in November 2024. Attackers exfiltrated 104GB of sensitive project and client data, issuing a public release threat within a week if demands were unmet. This breach disrupted operations and jeopardized the company’s reputation, showcasing the construction sector's vulnerability to ransomware.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.