Ransomware on the Move: RansomHub, Lynx, LockBit, Play
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: RansomHub, Lynx, LockBit, and Play.
Ransomware attacks surged during the week of August 5 to August 11, 2024, with four prominent groups—RansomHub, Lynx, LockBit, and Play—leading the charge. These groups targeted a wide range of industries, including construction, manufacturing, and retail. Their varied tactics showcase the increasingly sophisticated and relentless nature of cyber threats, leaving no organization immune to attack.
RansomHub made significant strides by targeting the Jefferson County Clerk's Office and Natural Curiosities, leading to severe operational disruptions and threats of data exposure. These attacks underscore RansomHub’s growing focus on critical services and small to medium-sized businesses, demonstrating their ability to compromise sensitive information and demand high ransoms. Meanwhile, LockBit continued its dominance by infiltrating companies like Sullivan Steel Services and QES Pavements, further cementing its reputation as a top-tier threat actor in the ransomware landscape.
The Lynx group, a new but rapidly rising player in the ransomware scene, proved to be both dangerous and prolific, quickly ascending to the top ranks of threat actors this week. Their attacks on DDM Concut and Miller Boskus Lack Architects, focusing on the industrial and architectural sectors, showcased their capability to inflict significant damage. Additionally, the Play ransomware group expanded its operations, targeting firms such as TelPro, Inc., and Nilorngruppen AB, demonstrating its ability to disrupt businesses across technology and branding industries. These incidents reflect the broadening scope of ransomware attacks, with each group employing distinct strategies to maximize their impact.
These events highlight the ongoing evolution of ransomware threats, with attackers continually adapting their methods to exploit new vulnerabilities. The need for organizations to remain vigilant and proactive in their cybersecurity efforts has never been more critical, as these attacks demonstrate the far-reaching consequences of falling victim to such sophisticated adversaries.
RansomHub
RansomHub is a relatively new yet rapidly emerging ransomware group that has quickly positioned itself among the most dangerous cyber threat actors in 2024. Operating as a Ransomware-as-a-Service (RaaS) platform, the group allows affiliates to launch attacks, retaining 90% of the ransom proceeds while the remaining 10% goes to the core group. With suspected roots in Russia, RansomHub's operations are notable for their use of Golang, a versatile programming language that facilitates cross-platform attacks on both Windows and Linux systems. The group has demonstrated a global reach, targeting diverse industries across countries including the United States, Brazil, Indonesia, and Vietnam, with victims ranging from healthcare institutions to manufacturing firms and government bodies.
RansomHub's attack strategy involves the exfiltration of substantial amounts of sensitive data, which is then leveraged to extort victims by threatening to publish the stolen information. For instance, Natural Curiosities, a Los Angeles-based art house, suffered a breach in which all company files and webmails were compromised. Similarly, Allium Interiors, an interior design company in Auckland, New Zealand, faced the exfiltration of 31 gigabytes of data, including webmails and proprietary source code. Another notable attack targeted Pierre Diamonds in Australia, leading to the theft of 3 gigabytes of sensitive data, which included critical business documents and customer information.
Significant Attacks Claimed by RansomHub
- Jefferson County Clerk's Office, a critical government entity in Kentucky with substantial public service responsibilities, was severely impacted by a RansomHub attack, leading to significant system outages disclosed on August 7, 2024. The attack forced the temporary closure of eight branches across Louisville, severely disrupting essential services such as vehicle registrations, housing deeds, and marriage and notary licenses. Although no personal data was compromised due to the office's use of dedicated servers for sensitive information, the breach exposed vulnerabilities in public sector cybersecurity and highlighted the operational challenges of restoring services after such an attack.
- Lowe-Martin Group, a prominent Canadian business services company with an estimated annual revenue of $78.9 million, experienced a major ransomware breach orchestrated by RansomHub on July 14, 2024. The attack resulted in the theft of over 2 terabytes of highly sensitive client data, significantly disrupting the company's operations. RansomHub exploited the breach to publicly criticize Lowe-Martin's cyber insurance provider, Boxx Insurance, for allegedly failing to support the company during the crisis, citing technicalities to deny coverage. This incident not only spotlighted the complexities of relying on cyber insurance in ransomware situations but also emphasized the profound financial and reputational risks posed by such breaches.
- Hudson Civil Engineering, a leading Australian firm specializing in infrastructure products and services, was targeted by RansomHub in an attack disclosed on August 7, 2024. The cybercriminals exfiltrated 112 gigabytes of sensitive data, including proprietary business documents and operational data, and threatened to release the information on the dark web if their ransom demands were not met. The attack posed severe risks to the company’s operations and reputation, particularly given its critical role in Tasmania's civil construction, mining, and infrastructure sectors.
Lynx
Lynx is a recently discovered ransomware group that has quickly evolved into a notable threat within the cyber landscape of 2024. Operating within a Ransomware-as-a-Service (RaaS) model, Lynx facilitates affiliates in executing sophisticated attacks, typically encrypting files and appending the ".LYNX" extension. This group has shown a rapid increase in activity, leveraging advanced encryption techniques that make data recovery nearly impossible without the attackers' decryption key. Lynx's strategy includes double extortion, where they not only encrypt victims' data but also threaten to leak it unless a ransom is paid. Despite its recent emergence, Lynx has demonstrated significant potential to become a major player in the ransomware scene, targeting a wide range of sectors, including manufacturing, finance, and architecture, through phishing emails and malicious downloads.
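Because the post notes that Lynx appends the ".LYNX" extension to encrypted files, a burst of files gaining that extension from one process is a useful host-level detection signal. The following is an added example, not Halcyon's code and not tied to any real product; the log format (timestamp, host, process, action, path) and the sample lines are constructed for illustration.

```python
"""Flag processes that give many files the ".LYNX" extension within a short window."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample file-event log (not from the post): ISO time, host, process, action, path.
SAMPLE_LOG = """\
2024-08-08T02:14:01 ws-17 explorer.exe CREATE C:\\Users\\a\\report.docx
2024-08-08T02:15:10 ws-17 svc_up.exe RENAME C:\\Users\\a\\report.docx.LYNX
2024-08-08T02:15:11 ws-17 svc_up.exe RENAME C:\\Users\\a\\q3.xlsx.LYNX
2024-08-08T02:15:12 ws-17 svc_up.exe RENAME C:\\Users\\a\\plans.pdf.LYNX
2024-08-08T02:15:13 ws-17 svc_up.exe RENAME C:\\Users\\a\\notes.txt.LYNX
2024-08-08T02:15:14 ws-17 svc_up.exe CREATE C:\\Users\\a\\README.txt
2024-08-08T03:40:00 ws-22 backup.exe CREATE D:\\bak\\old.LYNX
"""

RANSOM_EXT = ".lynx"  # extension reported for Lynx; compared case-insensitively


def parse_line(line):
    """Split one log line into (timestamp, host, process, action, path)."""
    ts, host, proc, action, path = line.split(" ", 4)
    return datetime.fromisoformat(ts), host, proc, action, path


def detect_bursts(log_text, threshold=3, window=timedelta(seconds=60)):
    """Return [(host, process, peak_count)] for (host, process) pairs that touched
    at least `threshold` files ending in RANSOM_EXT inside a sliding time window.
    A single stray .LYNX file (e.g. from a backup tool) stays below the threshold."""
    recent = defaultdict(deque)  # (host, proc) -> timestamps of recent .LYNX events
    alerts = {}
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, host, proc, _action, path = parse_line(raw)
        if not path.lower().endswith(RANSOM_EXT):
            continue
        key = (host, proc)
        q = recent[key]
        q.append(ts)
        # Drop events that fell out of the window before counting.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            alerts[key] = max(alerts.get(key, 0), len(q))
    return [(h, p, n) for (h, p), n in alerts.items()]


if __name__ == "__main__":
    for host, proc, n in detect_bursts(SAMPLE_LOG):
        print(f"ALERT {host}: {proc} produced {n} {RANSOM_EXT} files within 60s")
```

Tune `threshold` and `window` to the host's normal file activity; the single `backup.exe` event in the sample shows why one match alone should not alert.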
Lynx’s attacks often involve the exfiltration of substantial amounts of sensitive data, used as leverage to extract ransoms. DDM CONCUT, a leading American manufacturer of diamond tools, was one such victim, with the attackers claiming to have accessed critical operational and customer data, which they showcased on their dark web portal. Similarly, Miller Boskus Lack Architects, a design firm specializing in architecture and interior design, was targeted by Lynx, which demanded a ransom of $5 million.
Significant Attacks Claimed by Lynx
- Miller Boskus Lack Architects, a design firm with an estimated annual revenue of less than $5 million, was targeted by Lynx in an attack discovered on August 8, 2024. The attackers demanded a $5 million ransom, threatening to leak sensitive data categorized under "Income." This breach poses serious risks to the firm’s reputation and client trust, especially given its prominent role in the Architecture, Engineering & Design industry.
- Reef Capital Partners, a UK-based financial services firm specializing in private equity real estate transactions and private credit, fell victim to a Lynx attack, publicly disclosed on July 31, 2024. The group provided a sample of the compromised data as proof, pressuring the company to negotiate the removal of the public breach announcement. With an estimated revenue of $7.6 million, this attack highlights the severe financial and reputational risks that Lynx poses to firms in the finance sector.
- The Pyle Group, a Canadian firm specializing in wealth management, experienced a Lynx ransomware attack that resulted in the breach of 118.8 GB of sensitive information. Initially attributed to Lynx, the breach was later also claimed by the Medusa ransomware group on August 15, 2024. This dual attribution underscores the complexity of the current cyber threat environment, with the incident potentially impacting the firm’s operations and client relationships.
LockBit
LockBit is an infamous ransomware group that has established itself as a formidable force within the cybercrime landscape. Operating under a Ransomware-as-a-Service (RaaS) model, LockBit enables affiliates to launch sophisticated attacks, often targeting industries such as manufacturing, healthcare, and finance. The group is notorious for its double extortion tactics, where it encrypts data and simultaneously threatens to leak sensitive information unless a ransom is paid. LockBit's use of advanced encryption techniques, including RSA-2048 and AES-256, makes it exceedingly difficult for victims to recover their data without paying the demanded ransom.
LockBit's attacks have resulted in the exfiltration of significant amounts of sensitive data, which the group leverages to coerce victims. For example, Sullivan Steel Services, a supplier of specialty steel products, was targeted, raising concerns about the potential exposure of critical supply chain information. Additionally, QES Pavements, a provider of pavement engineering services, faced a ransomware attack that threatened the security of their specialized data and operations.
Significant Attacks Claimed by LockBit
- Kronos Corporate Group, a European management consulting firm specializing in procurement and supply chain solutions, was attacked by LockBit on August 13, 2024. The ransomware disrupted the company's operations and raised concerns about the security of sensitive data. As a major player in the consulting sector, the attack on Kronos highlights the severe risks that ransomware poses to global business operations.
- Clinica Tezza, a prominent healthcare provider in Lima, Peru, was targeted by LockBit. This attack endangered sensitive patient data and disrupted critical medical services, underscoring the growing threat of ransomware to healthcare institutions and the potential impact on public health infrastructure.
Play
Play ransomware, also known as PlayCrypt, has established itself as a significant threat within the cybersecurity landscape since its emergence in June 2022. The group operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to launch attacks using their sophisticated tools. Initially focusing on Latin America, the group has expanded its operations to North America, South America, and Europe, targeting various industries such as IT, transportation, construction, materials, government entities, and critical infrastructure. Play ransomware is known for its strategic exploitation of vulnerabilities, including RDP servers, FortiOS vulnerabilities, and Microsoft Exchange flaws, making it a formidable adversary in the digital threat environment.
Play ransomware's attacks often involve the exfiltration of substantial amounts of sensitive data, which is then used as leverage to demand ransoms. One notable example is the attack on Credible Group, a Canadian manufacturer of high-quality furniture, where a significant amount of sensitive information, including client documents and financial records, was compromised. Similarly, Nilorngruppen AB, a Swedish company specializing in branding and product identification solutions, suffered a breach that disrupted operations and potentially exposed critical business data. These incidents highlight the severe impact that Play ransomware can have on businesses, affecting their operational integrity and client trust.
Significant Attacks Claimed by Play Ransomware
- TelPro, Inc., a prominent technology consulting firm with an estimated revenue of $50 million, was targeted by the Play ransomware group, resulting in a significant data breach disclosed on August 16, 2024. The attack led to the exposure of a broad range of sensitive and confidential information, including private client documents, budgets, payroll records, accounting details, contracts, tax information, and financial data. This breach has severely jeopardized the confidentiality of both the company and its clients, raising substantial concerns about the security of sensitive information and the overall integrity of TelPro, Inc.’s operations.
- Alternate Energy, Inc., a leading renewable energy provider with an estimated revenue of $75 million, fell victim to a Play ransomware attack, also disclosed on August 16, 2024. The breach compromised an extensive array of sensitive data, including private and personal confidential information, client documents, budget details, payroll records, accounting information, contracts, tax documents, and financial information. The exposure of such critical information poses a severe threat to the company's operations and client privacy, necessitating urgent measures to mitigate the damage and restore security.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.