Ransomware on the Move: Kairos, Argonauts, RansomHub, Akira

Published on December 10, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: Kairos, Argonauts, RansomHub, and Akira…

Major ransomware groups, including Kairos, Argonauts, RansomHub, and Akira, intensified their attacks on critical industries this week. Using aggressive double extortion tactics, they targeted healthcare, manufacturing, technology, and government sectors, stealing sensitive data to pressure victims into paying ransoms:

  • Kairos emerged, focusing on healthcare and engineering firms
  • Argonauts, another newcomer, concentrated on Italian technology and manufacturing organizations, signaling a rise in regional activity
  • RansomHub demonstrated versatility through breaches of diverse targets such as the Minneapolis Park and Recreation Board and Bologna FC
  • Akira’s unprecedented surge in registered claims this week has raised questions about its reporting patterns

In victim statements, breaches at critical infrastructure organizations including Alder Hey Children's NHS Foundation Trust, the City of Coppell, and Spain's National Tax Agency reveal persistent vulnerabilities in public sector systems.  

This week's mini feature examines Akira's surge in reported claims, analyzing their announcement patterns and their implications for both victims and the cybersecurity community.

Weekly Highlights: Kairos

Kairos, a ransomware group that surfaced in November 2024, traces its activity back to June or July 2024, according to threat forums and victim reports. The group operates a data-leak site, employing double extortion tactics to combine data theft with threats of public exposure.  

By November 2024, Kairos had claimed responsibility for six attacks, including at least one confirmed breach.

Kairos’s early activity targeted healthcare organizations, with a significant attack on The Physical Medicine & Rehabilitation Center, P.A. (PMRC) in July 2024, exposing sensitive patient data such as names, Social Security numbers, medical records, financial details, and insurance information.  

While Kairos maintains operational secrecy, evidence from threat forums and victim reports indicates a systematic and growing extortion operation.

Tacoma Engineers Inc., a Canadian structural engineering and building consulting firm, fell victim to Kairos ransomware, resulting in the theft of 64 GB of sensitive data, including internal documents and client records.  

The attackers, identified as KillSec, published sample screenshots of the stolen data on their dark web portal to validate the breach.

Weekly Highlights: Argonauts

Argonauts, an emerging ransomware group, has claimed responsibility for cyberattacks against ten organizations as of late November 2024. Eight of these victims are in Italy's technology and manufacturing sectors, with two located in Asia.

The group encrypts data and demands ransoms. They have released stolen data samples from two affected companies, Ivy Life Sciences and Zacros, containing personally identifiable information, internal documents, and other sensitive files.

While Argonauts has listed additional victims on their dark web blog, these posts are "locked" with no specific details, providing only vague references to the compromised organizations.

Ivy Life Sciences was attacked by the group BianLian, now operating as Argonauts. The attackers breached the company’s systems and threatened to sell over 200 GB of sensitive data, including cell therapy technology, patented innovations, user data, and hospital collaboration details.

After Ivy Life Sciences refused to pay the ransom, the attackers escalated by offering the stolen data for sale.

From The Big Leagues: RansomHub

RansomHub, a Ransomware as a Service platform, has seen steady growth since its emergence in February 2024. The group employs double extortion tactics, encrypting victims' systems and stealing sensitive data. By October 2024, RansomHub had become the leading global ransomware threat.

This week, our database recorded 28 RansomHub attacks, primarily targeting manufacturing, healthcare services, and government sectors. Their operations have affected organizations across the spectrum, from large corporations to small family-owned businesses, heightening public concern about ransomware threats.

RansomHub featured prominently in our Halcyon Malicious Quartile Q3 report, which details the group's trends. Below, we examine two significant attacks that showcase RansomHub's capabilities and the victims' responses:

The Minneapolis Park and Recreation Board (MPRB) was targeted by RansomHub, with the breach discovered on November 26. The attack compromised 235 GB of sensitive data and forced a complete shutdown of phone lines.

The stolen information includes financial documents, insurance certificates, commercial data, marketing materials, and employee personal data.  

While program registration systems remained intact, MPRB's IT department quickly implemented protective measures and continues assessing the breach's scope.  

The public must now use email for administrative inquiries, though emergency services remain available via 911. MPRB, which manages Minneapolis's vast urban park system, is working to restore services while thanking the public for their patience.

Bologna FC suffered a RansomHub attack that reportedly compromised about 200 GB of sensitive data. The stolen information allegedly includes sponsorship contracts, financial records, and personal data of players, fans, and employees.

The breach also exposed transfer strategies, medical records, and confidential stadium operations information. The data encompasses commercial strategies and business plans, including documents potentially violating FIFA and UEFA financial fair play regulations.  

After RansomHub released data samples, Bologna FC 1909 S.p.a. confirmed the cyberattack and warned that possessing or sharing the stolen data constitutes a criminal offense.

From The Big Leagues: Akira

Akira was the most active group this week, launching a renewed wave of attacks. Operating as a Ransomware as a Service platform, Akira employs double extortion tactics, encrypting files and stealing sensitive data to coerce ransom payments ranging from $200,000 to $4 million.

This week, Akira's activities were reported to have reached new heights, with nearly 40 claimed attacks, more than double its most active week to date. Two weeks ago, their escalating operations were documented as marking the group's largest spike in activity for 2024.  

The group primarily targeted manufacturing, construction, and real estate sectors. While our database recorded 37 attacks this week, most claims offered only vague details.

Traffics GmbH, a major travel technology company, fell victim to an Akira ransomware attack. The attackers released roughly 2.3 GB of internal corporate documents on their darknet site via torrent, including sensitive corporate correspondence, employee and customer contact information, and signed contracts with major companies.  

While Traffics protected its end customers' booking and payment data, the compromised email server created phishing risks. Traffics has warned customers and partners about suspicious emails allegedly from the company, especially those containing links or requesting sensitive information.  

They are working with cybersecurity experts and authorities to investigate and strengthen security measures. The company has advised customers to update passwords for Traffics-linked accounts and monitor for unusual activity. Their security team has provided an email address for inquiries.

Impact, Response, and Statements

Major ransomware attacks hit critical infrastructure sectors this week, severely disrupting operations and damaging institutional reputations. A prominent NHS trust, a Texas municipality, and Spain's tax authority all suffered significant breaches and released public statements.  

These incidents show ransomware's systemic threat to vital services, revealing how public organizations struggle to protect sensitive data while maintaining essential operations.

Alder Hey Children's NHS Foundation Trust

Alder Hey Children's NHS Foundation Trust, one of the UK's largest children's hospitals, confirmed an attack attributed to the INC Ransom group. INC Ransom claimed to have breached hospital systems and stolen sensitive data, including patient records, donor reports, and procurement information from 2018 to 2024. The attackers published screenshots of the allegedly stolen data online as evidence.

The breach reportedly occurred through a shared digital gateway service, impacting systems at Liverpool Heart and Chest Hospital and, to a lesser extent, Royal Liverpool University Hospital. Investigations are ongoing to assess the full scope of the compromise.

Alder Hey reported that hospital services remain operational, with patients advised to attend appointments as scheduled. Security measures were implemented, and system restoration processes were initiated.  

The British National Crime Agency and Information Commissioner's Office are supporting the investigation, while individuals are being notified. Alder Hey acknowledged the risks of potential data publication and committed to transparency throughout the review process.

The City of Coppell, Texas

The City of Coppell, Texas, reported a RansomHub attack that allegedly resulted in the theft of 442 GB of sensitive data, including accounting documents, invoices, scans, and budget information. This incident caused significant service disruptions for the city’s population of over 50,000 residents.

The attack was first reported on October 23, with widespread outages affecting internet services, municipal WiFi, library systems, and platforms for permits, inspections, and court operations.  

By November 1, phone systems were restored, followed by library services and utility billing platforms by mid-November. Officials eased the impact by extending payment deadlines and waiving late fees for utilities.

City operations were reported to have normalized by November 20. It was disclosed that one compromised server contained potentially outdated individual and vendor information. Investigations into the breach are ongoing.

Agencia Tributaria de España (Spanish Tax Agency)

Agencia Tributaria de España (Spanish Tax Agency) was allegedly targeted by the Trinity ransomware group in an attack reported on December 1, 2024.  

Trinity claimed to have stolen 560 GB of taxpayer data, demanding 38 million dollars in ransom and threatening to disclose the information publicly if payment was not made by December 31.  

The agency, AEAT, denied any breach, asserting that its systems remained secure with no encrypted devices or evidence of data theft, though this position has faced public skepticism.

Regardless of the veracity of Trinity's claims, this incident points to vulnerabilities in public sector cybersecurity. A confirmed breach of taxpayer records would severely affect privacy and public trust in Spain's government.

Vermilion Parish School Board

The Vermilion Parish School Board was reportedly targeted by the Rhysida ransomware group in a cyberattack. The attackers claimed to have accessed sensitive data and demanded 15 Bitcoin, approximately 1.4 million dollars, threatening to release the data if payment was not made by December 4, 2024.

The attack was discovered on October 7, prompting a complete network shutdown. Some facilities, including Abbeville High School and LeBlanc Elementary, restored limited phone service on the same day. The district is still addressing the attack's immediate effects and potential data exposure.

Weekly Mini: What Makes Akira's Claims So Similar?

Akira has reported nearly 40 attacks this week, raising questions about their level of activity and the legitimacy of their claims. As previously reported, only one victim has come forward with a statement confirming a data breach.  

Most of these attacks follow similar patterns in their claims, varying only slightly in the types of allegedly extracted data, with sector-specific differences such as patient information for healthcare organizations.

Like Akira, the ransomware group Play has also adopted a low-profile approach, providing only basic company information, website details, and generic placeholders for data claims.

Akira's claims follow a distinct pattern that can be broken down into the following:

  • Introduction of the Victim: Each claim opens with a brief description of the company, its industry, or other organizational distinctions.
  • General Statement About the Breach: The group cites data theft, often using vague descriptions like "a lot of data" rather than specific amounts.
  • List of Allegedly Exfiltrated Data: Claims combine broad categories like "internal financial documents" with sector-specific items such as "medical records."
  • Offer for Public Distribution or Sale: Akira emphasizes easy access to stolen data: “We have made the process of downloading company data as simple as possible for our users.”
  • Download Instructions: Akira provides instructions on downloading the data if it has been uploaded.
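The five-part pattern above can be turned into a simple triage check for analysts tracking leak-site claims. The following is an added example, not code from Halcyon or from this report: it tags each claim for the features the mini feature describes (vague versus concrete quantities, generic versus sector-specific data categories, a download offer) and measures how much verbatim boilerplate two claims share, which is the "similarity" the section discusses. The sample claims, the keyword lists, and the 0.4 threshold are all constructed for illustration and are not real posts or Akira's actual wording beyond the one sentence quoted above.

```python
import re
from itertools import combinations

# Constructed sample claims, written for this example to mirror the five-part
# pattern (intro, vague breach statement, data list, download offer,
# instructions). They are not real leak-site posts.
SAMPLE_CLAIMS = {
    "claim_a": (
        "Example Clinic is a regional healthcare provider. "
        "We have taken a lot of data from their network. "
        "Internal financial documents, employee personal data, medical records. "
        "We have made the process of downloading company data as simple as possible for our users. "
        "Use the torrent link below to download the archive."
    ),
    "claim_b": (
        "Example Builders is a construction company operating across the region. "
        "We have taken a lot of data from their network. "
        "Internal financial documents, employee personal data, project blueprints. "
        "We have made the process of downloading company data as simple as possible for our users. "
        "Use the torrent link below to download the archive."
    ),
    # A differently written claim with a concrete size and no download offer,
    # included so the templating check has something to contrast against.
    "claim_c": (
        "Example Holdings was breached. About 442 GB of accounting documents and invoices were stolen. "
        "Samples are published on our blog. Contact us for the full set."
    ),
}

# Heuristic markers; the word lists are assumptions chosen for this example.
VAGUE_QUANTITY = re.compile(r"\b(a lot of|some|various|many)\s+(data|files|documents)\b", re.I)
CONCRETE_SIZE = re.compile(r"\b\d+(?:\.\d+)?\s?(?:MB|GB|TB)\b", re.I)
DOWNLOAD_OFFER = re.compile(r"\b(download|torrent)\b", re.I)

# Broad categories that appear in nearly every claim, versus items that hint at the victim's sector.
GENERIC_CATEGORIES = ("internal financial documents", "employee personal data")
SECTOR_ITEMS = {
    "healthcare": ("medical records", "patient"),
    "construction": ("blueprints",),
    "finance": ("accounting documents", "invoices"),
}


def sentences(text):
    """Split a claim into normalised sentences so boilerplate can be compared verbatim."""
    parts = re.split(r"(?<=[.!?])\s+", text.strip())
    return [" ".join(p.lower().split()).rstrip(".!?") for p in parts if p.strip()]


def analyze_claim(text):
    """Tag one claim with the features described in the mini feature."""
    low = text.lower()
    return {
        "vague_quantity": bool(VAGUE_QUANTITY.search(text)),
        "concrete_size": bool(CONCRETE_SIZE.search(text)),
        "download_offer": bool(DOWNLOAD_OFFER.search(text)),
        "generic_categories": [c for c in GENERIC_CATEGORIES if c in low],
        "sector_hints": [s for s, items in SECTOR_ITEMS.items() if any(i in low for i in items)],
    }


def shared_sentence_ratio(a, b):
    """Jaccard similarity of two claims' sentence sets; 1.0 means identical boilerplate."""
    sa, sb = set(sentences(a)), set(sentences(b))
    union = sa | sb
    return len(sa & sb) / len(union) if union else 0.0


def templated_pairs(claims, threshold=0.4):
    """Return (name, name) pairs whose shared boilerplate meets the threshold."""
    return [
        (x, y)
        for x, y in combinations(claims, 2)
        if shared_sentence_ratio(claims[x], claims[y]) >= threshold
    ]


if __name__ == "__main__":
    for name, text in SAMPLE_CLAIMS.items():
        print(name, analyze_claim(text))
    print("templated pairs:", templated_pairs(SAMPLE_CLAIMS))
```

On the constructed samples, claim_a and claim_b share three of their seven distinct sentences (differing only in the victim intro and the sector-specific item), so they are flagged as templated, while claim_c, which names a concrete size and offers no download, is not. In practice the sentence sets would be built from a group's past posts, and a high shared ratio across many new claims is the signal that they are generated from a template rather than written per victim.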

Akira Attacks:

  • Bennett Porter Wealth Management Insurance: This multi-family office reportedly fell victim to Akira, compromising over 50 GB of sensitive data, including financial records, customer contact details, personal employee information, and other personally identifiable information.
  • Lotus Concepts Management: A Denver-based hospitality and nightlife operator allegedly breached by Akira. The attack reportedly exposed employee information, medical records, internal financial data, and customer contacts, all made available for download.
  • Cauduro Sports LTDA: A clothing manufacturer reportedly targeted by Akira, with attackers claiming access to customer and employee contacts, email addresses, phone numbers, and internal financial records. The group stated the data is easily accessible for download.

It remains uncertain whether Akira is significantly expanding operations, growing more secretive, or exaggerating its claims.  

The surge in reports, coupled with the lack of confirmed breaches, underscores the need for scrutiny. Although analyzing Akira’s communication patterns might eventually provide operational insights, their approach remains ambiguous.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
