Halcyon Threat Insights 004: April 2024 Ransomware Report

Here are the key insights from the Halcyon Threat Research and Intelligence Team findings for April 2024 based on intelligence collected from our customer base. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively.

Ransomware Prevented by Industry Vertical

Information Technology, Education and Finance were the most targeted industry verticals in April 2024:

• Information & Technology 31% (-1% mo/mo)
• Education 25% (+12% mo/mo)
• Finance & Insurance 9% (+2% mo/mo)
• State & Local Government 8% (-1% mo/mo)  
• Manufacturing 6.2% (-4% mo/mo)
• Healthcare & Pharmaceutical 6% (-1% mo/mo)  
• Retail Trade 6% (flat mo/mo)
• Professional, Scientific & Technical Services 3% (-23 mo/mo)  
• Arts, Entertainment & Recreation 3% (-2% mo/mo)
• Transportation & Warehousing 1% (-4% mo/mo)
• Other 1% (-2% mo/mo)
• Construction 0.6% 0.1% (+0.5% mo/mo)
• Mining 0.2% (-0.2% mo/mo)
• Utilities 0% (-0.6% mo/mo)
• Accommodations & Food Services 0% (-0.4% mo/mo)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our client’s environments that are often precursors to the delivery of the ransomware payload:

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. It is important to understand that ransomware payloads are the tail-end of an attack, so it is critical to detect precursors prior to infection.  

Detecting and blocking trojan activity can prevent attackers from escalating privileges, moving laterally though the network, compromising user credential, exfiltrating sensitive data and more. Some of the trojans identified in April include:

Trojan.Doina

The Doina trojan has multiple functionalities that include acting as a dropper for other malware including ransomware encryption payloads. Despite being commonly associated with click fraud and crypto-mining campaigns, it has a high score on VirusTotal with repacked instances and includes modules for keylogging and is also used for reconnaissance by sending attackers information like credentials and browsing history. Doina can also allow remote access and script execution on targeted devices.

Trojan.Convagent

The Convagent trojan is a family of droppers used to install other malware variants and typically employed in click-fraud schemes. Convagent is a VMProtect-packed Trojan with anti-VM (virtual machine) capabilities to avoid sandboxing and other attempts at analysis. This family also has some capabilities that could be employed for more nefarious means, including recording user keystrokes, collecting information about infected devices, and possibly allowing remote access.  This malware is commonly associated with costly data destruction attacks and serious network performance disruptions.  

Trojan.Mediaarena

The Mediaarena trojan often acts as a dropper for other malware including ransomware encryption payloads, has a high score on VirusTotal and includes keylogger capabilities and can be leveraged for reconnaissance by sending attackers information like account credentials and user browsing history. Mediaarena can also allow remote access and script execution on targeted devices.  

Trojan.Bitman

The Bitman trojan family includes a number of advanced functions including a command and scripting interpreter that allows for command line arguments and process injection capabilities to inject malicious code and evade process-based security tools, as well as for abusing utilities to bypass security restrictions that limit use of the command-line interpreter. Bitman also enables privilege escalation and communicates with the C2 using application layer protocols to avoid detection/network filtering by blending in with existing network traffic.

Ransomware: Payloads

Ransomware.Teslacrypt

The TeslaCrypt ransomware family typically searches for and encrypts files related to gaming but is also capable of encrypting other file types. Decryption tools have been released for older versions of TeslaCrypt variants, but the developers have fixed flaws in newer variants making it more difficult to recover from an infection without the decryption key.  

Ransomware.MBRLock

The MBRLock ransomware is capable of running command line operations to create new system users with admin-level privileges and can overwrite the disk Master Boot Record (MBR) of the infected system, as well as disabling Windows Safe Mode. MBRLock contains obfuscated stackstrings and encodes data using XOR for obfuscation, enumerates registry values and Windows files, includes keylogging and screenshot capabilities, and communicates with the C2 using application layer protocols to avoid detection/network filtering by blending in with existing network traffic.

Ransomware.Thanos

Like MBRLock, Thanos ransomware is configured to overwrite the master boot record (MBR) results in a deeper infection than in other ransomware families. Thanos fires up a PowerShell script that loads additional PowerShell scripts and propagates the ransomware payload to other devices on the network leveraging stolen or brute-forced account credentials and disables User Account Control (UAC) before overwriting the master boot record.  

Ransomware.AvosLocker

AvosLocker attacks typically infect victims by way of compromised remote desktop protocol (RDP) and virtual private networks (VPN) accounts. Attackers have been observed exploiting the Zoho ManageEngine ServiceDesk Plus as well as ProxyShell vulnerabilities in the Microsoft Exchange server (like CVE-2021-34473, CVE-2021-34523, CVE-2021-31207) to gain initial access on the targeted network. AvosLocker is capable of issuing command line arguments that give the attacker the ability to turn on and off various functionalities to customize the ransomware payload to the selected target.

Threat Actor Spotlight: Play

Play (aka PlayCrypt) is a RaaS that emerged in the summer of 2022. The group accelerated the pace of attacks in the last half of 2023 to become one of most prolific threat actors in the RaaS space and has notably increased its activities in the first quarter of 2024.  

Play is noted for having similarities to the Hive and Nokoyawa ransomware strains. Play often compromises unpatched Fortinet SSL VPN vulnerabilities to gain access. In Q1-2024, the FBI issued a joint advisory in partnership with CISA asserting the Play gang had compromised over 300 organizations since emerging in June of 2022.

Play is an evolving RaaS platform known to leverage PowerTool to disable antivirus and other security monitoring solutions and SystemBC RAT for persistence.  

Play is known to leverage tools like Cobalt Strike for post-compromise lateral movement and SystemBC RAT executables and legitimate tools Plink and AnyDesk to maintain persistence, as well as Mimikatz and living-off-the-land binaries (LOLBins) techniques.  

Play has been observed leveraging Process Hacker, GMER, IOBit and PowerTool to bypass security solutions as well as PowerShell or command script to disable Windows Defender.  

Play also abuses AdFind for command-line queries to collect information from a target’s Active Directory. Play first introduced the intermittent encryption technique for improved evasion capabilities.  

Play also developed two custom data exfiltration tools - the Grixba information stealer and a Volume Shadow Copy Service (VSS) Copying Tool - that improve efficiency in exfiltrating sensitive information on the targeted network.  

Play has been observed leveraging exploits including ProxyNotShell, OWASSRF and a Microsoft Exchange Server RCE.

‍Play continued to increase attacks throughout Q1-2024 and is one of the most active ransomware groups today. The group broke a record at the beginning of March 2024—launching a massive attack that hit 16 victims simultaneously.

Play was observed running a worldwide campaign targeting managed service providers (MSPs) in August 2023 to leverage their remote monitoring and management (RMM) tools to infiltrate customer networks. Recent attacks have targeted construction and manufacturing companies.

‍‍Play employs tactics similar to both the Hive and Nokoyawa ransomware gangs and engages in double extortion by first exfiltrating victim data with the threat to post it on their “leaks” website. There is little information on how much Play demands for a ransom, but they have made good on their threats to leak the data of those who refuse payment.

Play ransomware gang has mainly focused attacks in Latin America, especially Brazil, but have also attacked outside of that region. Notable victims include Rackspace, City of Lowell, Geneva Software, Primoteq, Kenya Bureau of Standards, Cambridge Group, AlgoTech, Hill Internationa, CS Cargo, City of Oakland, Argentina's Judiciary, H-Hotels, Fedpol, Federal Office for Customs and Border Security (FOCBS), American Nuts, and Red River Title.

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.