Ransomware on the Move: RA World, KillSec, 8Base, Medusa

Published on
April 2, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

RA World

RA World, a notorious ransomware group formerly known as the RA Group, has conducted multiple cyberattacks on prominent companies, including Pasco International, Schwarz & Grantz Hamburg GmbH, and Title Management.  

These attacks involved exfiltrating substantial amounts of sensitive data, including financial documents, business contracts, HR documents, and more. The group typically issues deadlines for ransom payment, with the most recent being March 26th.

Pasco International, renowned for crafting bespoke tenders for luxury superyachts, fell victim to RA World's attack, which compromised 270GB of data. Similarly, Schwarz & Grantz Hamburg GmbH, a prominent technical building equipment company, had 300GB of data compromised.  

Title Management, a financial management firm specializing in real estate services, also suffered an attack, resulting in 107GB of data being exfiltrated.

RA World's modus operandi involves exfiltrating data before deploying encryption malware, thereby crippling victims' systems. The group utilizes both TOR and non-TOR websites for leaking stolen data and employs tactics to thwart system recovery, such as eliminating Volume Shadow Copies and system backups.

Although specific details regarding the infection pathway remain undisclosed, RA World's tactics are consistent with other ransomware collectives. The group's attacks have been identified through submissions to file scanning services originating from various countries worldwide, including the Netherlands, France, the United Kingdom, and others.

Currently, the data leak sites associated with RA World ransomware list 23 victims across multiple countries, indicating the group's global reach and indiscriminate targeting.

KillSec

The newly emerged ransomware group, KillSec, has embarked on a spree of cyberattacks targeting prominent organizations worldwide, exhibiting audacity and sophistication beyond its nascent status.  

The Romanian Police Force fell victim to KillSec's assault, resulting in the exfiltration of 200,000 records, with a ransom of €1,500 ($1,600) paid to retrieve the data.  

Subsequently, Kerala Police's official website suffered a breach, with KillSec demanding a negotiable ransom of €2,500 for encrypted data access. This attack compromised critical systems, including LockedHouse and Offense Reporting Management.  

Additionally, Paschim Banga Gramin Bank faced a ransom demand of €10,000 after KillSec leaked sensitive data encompassing branch information and business policies.

KillSec's boldness is evident in their public announcements, branding themselves as a "cybersecurity team" and openly advertising their ransomware operations on Telegram since October 25, 2023. Utilizing TOR domains and nginx servers, the group ensures anonymity and operational efficiency. Notably, they demand payment in XMR (Monero), a privacy-focused cryptocurrency, complicating efforts to trace and apprehend them.  

These brazen attacks on high-profile entities like the Romanian Police and Paschim Banga Gramin Bank highlight KillSec's alarming capabilities despite being a fledgling group. The sophistication displayed in their tactics underscores the evolving and pervasive threat posed by ransomware groups like KillSec in the cybersecurity landscape.

8Base

The 8Base ransomware group has orchestrated a series of devastating attacks on prominent organizations, including Filexis AG Treuhand, Östenssons Livs, and Springfield Sign.  

These breaches involve the exfiltration of sensitive data such as invoices, receipts, accounting documents, personal information, and more. Each victim has been issued a ransom deadline, with Filexis AG and Östenssons Livs facing a March 27 deadline.  

Filexis AG, an independent partner specializing in real estate and trust services, and Östenssons Livs, a renowned food chain in western Östergötland, have both fallen victim to 8Base's ransom demands.  

Additionally, Springfield Sign, a full-service signage company, has also been targeted, with a significant amount of confidential information compromised.

The 8Base ransomware group emerged in March 2022 and has quickly risen to prominence, displaying a significant increase in activity throughout 2023. While their ransom demands are not explicitly stated, they engage in double extortion tactics, exfiltrating data for additional leverage.  

Operating with a high level of sophistication, 8Base employs advanced security evasion techniques and targets primarily Windows systems, focusing on sectors such as business services, manufacturing, finance, and information technology.  

Despite not maintaining a Ransomware-as-a-Service (RaaS) program openly, 8Base is believed to collaborate with vetted affiliate attackers privately. Their attacks typically involve customized Phobos ransomware with SmokeLoader, accompanied by the wiping of Volume Shadow Copies (VSS) to prevent data rollback.  

Overall, 8Base's approach underscores the pervasive threat posed by ransomware groups and the urgency for robust cybersecurity measures.

Medusa

Henry County in Illinois has been attacked by the Medusa ransomware group. The county’s leadership was alerted to the attack and shut down access to multiple impacted systems. The county is still able to receive 911 calls and dispatch emergency services despite the attack.  

Medusa gave the county eight days to pay a $500,000 ransom. Henry County is an Illinois county government on the border with Iowa. Its population is 49,284, and its county seat is Cambridge.  

Medusa also attacked Accipiter Capital Management. The attack involves critical data, including certificates, PII documents, forms, confidential information, and financial data. A ransom demand of $300,000 has been given, with a deadline of 27 March.  

Accipiter Capital Management (Accipiter) is a Florida-based hedge fund manager founded by Gabriel Hoffman in 2002. The firm invests in the public equity markets of the United States with a primary focus on the healthcare industry.  

Regina Dental Group was also attacked by the Medusa ransomware gang, which released a sample of exfiltrated data, including invoices, patients’ data, financial documents, and more. A ransom of $100,000 has been demanded, and a deadline of 31 March has been given.  

Regina Dental Group is dedicated to providing its patients with an excellent dental experience at one of six locations across Saskatchewan. It focuses on evidence-based diagnosis, patient education, and working with patients to build a treatment plan that aligns with their oral health goals.  

Medusa is a RaaS that made its debut in the summer of 2021 and has evolved to be one of the more active RaaS platforms. Attack volumes were inconsistent in the first half of 2023, with a resurgence of attack activity in the last half of 2023.  

The attackers restart infected machines in safe mode to avoid detection by security software as well preventing recovery by deleting local backups, disabling startup recovery options, and deleting VSS Shadow Copies to thwart encryption rollback.  

Medusa ramped up attacks in the latter part of 2022 and has been one of the more active groups in the first quarter of 2023 but appears to have waned somewhat in the second quarter. Medusa typically demands ransoms in the millions of dollars, which can vary depending on the target organization’s ability to pay.  

The Medusa RaaS operation (not to be confused with the operators of the earlier MedusaLocker ransomware) typically compromises victim networks through malicious email attachments (macros), torrent websites, or through malicious ad libraries.  

Medusa can terminate over 280 Windows services and processes without command line arguments (there may be a Linux version as well, but it is unclear at this time.) Medusa targets multiple industry verticals, especially healthcare and pharmaceutical companies, and public sector organizations too.  

Medusa also employs a double extortion scheme where some data is exfiltrated prior to encryption, but they are not as generous with their affiliate attackers, only offering as much as 60% of the ransom if paid.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.

See Halcyon in action

Interested in getting a demo?
Fill out the form to meet with a Halcyon Anti-Ransomware Expert!

1
2
3
Let's get started
1
1
2
3
1
1
2
2
3
Back
Next
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.