Halcyon Threat Insights 006: June 2024 Ransomware Report

Here are the key insights from the Halcyon Threat Research and Intelligence Team findings for June 2024 based on intelligence collected from our customer base. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Ransomware Prevented by Industry Vertical  

Information & Technology, Educations, and Finance & Insurance were the most targeted industry verticals in June 2024:

• Information & Technology: 34% (+1% mo/mo)

• Education: 13% (-10% mo/mo)

• Finance & Insurance: 10% (-5% mo/mo)

• Manufacturing: 10% (+5% mo/mo)

• Arts, Entertainment & Recreation: 9% (+6% mo/mo)

• State & Local Government: 9% (+3% mo/mo)

• Professional, Scientific & Technical Services: 5% (-1% mo/mo)

• Healthcare & Pharmaceutical: 5% (-1% mo/mo)

• Retail Trade: 2% (flat mo/mo)

• Transportation & Warehousing: 1% (flat mo/mo)

• Other: 1% (-1% mo/mo)

• Construction: .6% (+.6% mo/mo)

• Utilities: .4% (+.4% mo/mo)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our client’s environments that are often precursors to the delivery of the ransomware payload. ‍

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. It is important to understand that ransomware payloads are the tail-end of an attack, so it is critical to detect precursors prior to infection.

Detecting and blocking trojan activity can prevent attackers from escalating privileges, moving laterally though the network, compromising user credential, exfiltrating sensitive data and more. Some of the trojans identified in June include: ‍

Trojan.cryptowall/androm: Trojan.Cryptowall/Androm is often delivered through phishing emails or compromised websites. Cryptowall, a type of ransomware, encrypts a victim's files and demands a ransom payment in cryptocurrency for their decryption. Androm, also known as Andromeda, is a botnet malware that can be used to download and execute additional malicious payloads, including ransomware like Cryptowall. Together, they form a potent threat, combining data encryption extortion with the capability to further spread and download other harmful software, making them a significant concern for cybersecurity. ‍

Trojan.hesperbot/foreign: Trojan.Hesperbot/Foreign is a highly advanced banking Trojan designed to steal sensitive financial information from infected systems. Hesperbot employs various tactics such as keylogging, screen capturing, and creating fake banking websites to capture login credentials and other personal data. It often spreads through phishing emails and malicious attachments, targeting users across different countries, hence the designation "Foreign." This malware is particularly dangerous due to its ability to bypass security measures and its focus on financial theft, posing a significant risk to individuals and organizations' financial security. ‍

Trojan.badrabbit/diskcoder: Trojan.BadRabbit/Diskcoder is a notorious ransomware variant which surfaced in 2017 and primarily spreads through fake Adobe Flash updates on compromised websites. Once executed, it quickly encrypts the victim's files and modifies the bootloader, displaying a ransom note upon reboot and demanding payment in Bitcoin. Diskcoder is a component of this malware, responsible for encrypting the system's disk and rendering it inaccessible. The combination of file encryption and disk coding makes BadRabbit/Diskcoder a particularly disruptive and damaging threat. ‍

Trojan.cosmu/zombie: Trojan.Cosmu/Zombie is a versatile and dangerous malware strain designed to covertly infiltrate computer systems and create a network of compromised devices, commonly referred to as a botnet or "zombie" network. Cosmu acts as a downloader and installer for additional malicious payloads, often used for stealing sensitive information, launching distributed denial-of-service (DDoS) attacks, or distributing spam emails. The "Zombie" designation highlights its ability to turn infected machines into remotely controlled bots that can be manipulated without the user's knowledge. This Trojan spreads through deceptive methods such as phishing emails, malicious downloads, and exploit kits, posing a significant threat to both individual users and organizations. ‍

Trojan.cosmu/xpiro: Trojan.Cosmu/Xpiro is a sophisticated malware variant known for its stealth and persistence in compromising computer systems. Xpiro, a component of the Cosmu family, acts as a multi-functional Trojan, capable of downloading and executing additional malicious payloads, stealing sensitive information, and creating backdoors for remote access. This malware often spreads through infected software, malicious email attachments, and exploit kits, embedding itself deeply within the system to evade detection by antivirus programs. Once installed, Xpiro can manipulate system processes, exfiltrate data, and facilitate further cyberattacks, making it a formidable threat to both personal and enterprise cybersecurity. ‍

Ransomware: Payloads

‍Halcyon also detected and blocked an array of ransomware payloads that could have significantly disrupted target organizations and their operations:

‍Ransomware.agenda/qilincrypt: Ransomware.Agenda/QilinCrypt, often referred to as QilinCrypt, targets organizations by infiltrating their networks through phishing emails, malicious attachments, or exploiting vulnerabilities. Once inside, it encrypts critical data and systems, rendering them inaccessible until a ransom is paid, usually in cryptocurrency. QilinCrypt is known for its sophisticated encryption algorithms and ability to evade detection, making it particularly challenging for cybersecurity defenses. The impact of an Agenda/QilinCrypt attack can be devastating, leading to significant financial losses and operational disruptions for the affected entities.

‍Ransomware.genie/trigona: Ransomware.Genie/Trigona is a diminishing variant that typically will infiltrate networks through phishing campaigns, malicious downloads, or exploiting security vulnerabilities. Trigona's advanced encryption methods and stealthy behavior make it difficult to detect and mitigate. The aftermath of a Genie/Trigona attack can be severe, resulting in significant data loss, financial damage, and operational downtime for individuals and organizations.

‍Ransomware.medusalocker/medusa: Ransomware.MedusaLocker/Medusa, also known simply as Medusa, typically spreads through phishing emails, malicious attachments, and exploit kits. MedusaLocker is particularly notorious for its robust encryption algorithms and ability to disable security features, making it a formidable threat. The impact of a MedusaLocker/Medusa attack can be devastating, leading to significant data loss, financial damage, and operational disruption for both individuals and organizations.

‍Ransomware.mole/dump: Ransomware.Mole/Dump is a variant known for its efficiency and speed, spreads through phishing emails, malicious attachments, and compromised websites. Once it infiltrates a system, it swiftly encrypts critical data and displays a ransom note. The "Dump" component refers to its ability to extract and exfiltrate sensitive information before encryption, adding an extra layer of threat. The dual impact of data theft and encryption makes Mole/Dump particularly damaging, leading to significant financial losses and operational disruptions for its victims.

‍Ransomware.blackhunt/imps: Ransomware.BlackHunt/IMPS infiltrates networks through methods such as phishing emails, malicious downloads, and exploiting system vulnerabilities. Known for its advanced encryption techniques and ability to disable security measures, IMPS makes detection and mitigation challenging. The consequences of a BlackHunt/IMPS attack are severe, often resulting in significant data loss, financial costs, and operational disruptions for both individuals and organizations. ‍

Recent Ransomware Attacks Statistics

Halcyon provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month on our Recent Ransomware Attacks website, including details on the attackers, victims, industry verticals, geolocations impacted and more. ‍

Ransomware Stats for June 2024:

Alleged Attacks Posted to Leaks Websites: 317

Confirmed Attacks Posted to Our Database: 277

Top 5 Industries Targeted:

• Manufacturing: 52 attacks

• Business Services: 29 attacks

• Construction: 29 attacks

• Transportation: 19 attacks

• Hospitals & Physicians Clinics: 18 attacks

Most Active Ransomware Groups:

• Play: 31 attacks

• RansomHub: 21 attacks

• Akira: 17 attacks

• Medusa: 17 attacks

• ElDorado: 15 attacks

• BlackSuit: 15 attacks

Recent Ransomware News:

• Halcyon Identifies New Ransomware Operator Volcano Demon Serving Up LukaLocker: Volcano Demon was successful in locking both Windows workstations and servers after utilizing common administrative credentials harvested from the network. Prior to the attack, data was exfiltrated to C2 services for double extortion techniques.

• Ransomware and Data Extortion Business Risk Report: Halcyon published a new study detailing the significant impact on businesses from ransomware and data extortion attacks over the past 24 months. According to the Ransomware and Data Extortion Business Risk Report, one-in-five (18%) suffered a ransomware infection 10 or more times in a 24-month period, one-in-five (18%) were infected 5-9 times, and 30% were infected 2-4 times.

• Ticketmaster Data for 500M+ Customers Up for Sale Following Breach: A threat group known as ShinyHunters apparently published a 1.3TB database of compromised Ticketmaster customer data on the relaunched BreachForums criminal forum and is asking for a $500,000 ransom.

• London Hospitals Get Disrupted by Ransomware Attack: Medical procedures have been canceled at multiple London hospitals and a critical emergency declared in the aftermath of a ransomware attack against pathology services provider Synnovis.

• Qilin: The Russian RaaS Group Who Crippled UK Healthcare: Ciaran Martin, former chief executive of the U.K.’s National Cyber Security Centre, that RaaS operators Qilin were behind the attack against pathology services provider Synnovis that delayed diagnostics testing and forced the cancellation of medical procedures.

• Ransomware Attacks on Healthcare Break Records: Cybersecurity firm Recorded Future noted at least 44 ransomware attacks targeting healthcare organizations in April, more victims from that sector than they have ever previously tracked in a single month.

• Black Basta Ransomware Gang Exploits Microsoft Windows Zero-Day: Black Basta ransomware operators exploited a privilege escalation bug in the Microsoft Windows Error Reporting Service (CVE-2024-26169), and there is evidence they may have been targeting the zero-day prior to a patch being released in March.

• KillSec Offers RaaS Platform with DDoS and Data Stealer Tools for $250: Ransomware operators KillSec have rolled out a new platform offering that touts an advanced locker written in C++, a denial-of-service (DoS) tool, and an advanced infostealer for harvesting sensitive data.

Emerging Ransomware Groups

• Arcus Media: The ransomware operators employ a variety of tactics and techniques to infiltrate and compromise systems. Initial access is often gained through phishing emails containing malicious attachments or links, tricking users into executing the ransomware payload. Once inside, these attackers use malicious scripts for execution, initiating the ransomware's damaging effects.  

• APT73: The group employs double extortion tactics, encrypting files and threatening to leak data to pressure victims into paying ransoms. They use various communication channels, including Telegram, Tox, and Twitter, to communicate with victims and coordinate their operations. Additionally, they maintain a data leak site where they publicize victim data to further coerce ransom payments, leveraging the fear of reputational and operational damage.

• Dan0n: Dan0n's tactics and techniques include prioritizing the theft of sensitive data over encryption, reflecting their emphasis on data exfiltration. Initially maintaining a no negotiation policy, they have shown flexibility upon negotiation. They also utilize a victim portal, providing detailed ransom demands and a chat interface for victim communication. These methods underscore their sophisticated approach to ransomware, making them a significant threat in the cybersecurity landscape.

• Space Bears: Their tactics include maintaining data leak sites on both the Onion network and Clearnet, where they host stolen data to further coerce ransom payments. They leverage double extortion by threatening to release this data unless their demands are met. Additionally, Space Bears employs a unique corporate theming in their operations, using corporate stock images and a "wall of shame" to publicly disgrace victims, adding another layer of pressure and reputational risk.

Threat Actor Spotlight: Hunters International

Hunters International operates as a Ransomware-as-a-Service (RaaS), emerging from the remnants of the Hive ransomware group. It utilizes a sophisticated platform that leverages Hive's infrastructure and capabilities, including data exfiltration and double extortion techniques.

The latest variant of Hunters International reverses an earlier tactic of storing the decryption key in a separate file and adopts the simpler and more common practice of including the key within the encrypted file.  

Initially casting a wide net, Hunters International appears to be refining its focus on industries that are more likely to pay ransoms, such as healthcare, financial services, and critical infrastructure, given their need for quick recovery and the sensitivity of their data.  

The group has evolved from Hive's technology, focusing on enhancing the efficiency of their attacks and the reliability of their extortion schemes. They have improved the encryption methods to avoid common decryption techniques and have integrated mechanisms for more effective data exfiltration.

The Hunters payload is written in Rust, a secure programming language that offers some advanced capabilities for security tool evasion and has been observed delivering both Windows and Linux variants.

As a newer entrant in the ransomware scene, Hunters International has quickly escalated its attack frequency, targeting a broad range of industries and geographies, indicating a significant operational capacity.

The group demands ransoms by employing double extortion tactics; they encrypt the victim's data and additionally threaten to leak it unless the ransom is paid. The exact figures of their demands have varied widely, adapting to the perceived ability of the victim to pay.

Hunters International operates under a profit-sharing model with its affiliates, like other RaaS operations. They offer a portion of the ransom proceeds to affiliates who successfully deploy their ransomware, encouraging widespread dissemination of their malware.

Hunters International has targeted various sectors, including healthcare, finance, and critical infrastructure, with notable attacks on defense contractors and large corporations.

Notable victims include Toyota Brazil, NanoLumens, Integrated Control, Frederick Wildman and Sons, Kablutronik SRL, Caxton and CTP Publishers and Printers. ‍

‍

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.