Halcyon Threat Insights 007: July 2024 Ransomware Report
Here are the key insights from the Halcyon Threat Research and Intelligence Team findings for July 2024 based on intelligence collected from our customer base. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:
Ransomware Prevented by Industry Vertical
The IT, Finance and Education sectors were the most targeted industry verticals in July 2024:
- Information & Technology: 37% (+3% mo/mo)
- Finance & Insurance: 27% (+14% mo/mo)
- Education: 9% (-4% mo/mo)
- State & Local Government: 7% (-2% mo/mo)
- Manufacturing: 5% (-4% mo/mo)
- Healthcare & Pharmaceutical: 4% (-1% mo/mo)
- Retail Trade: 3% (+1% mo/mo)
- Professional, Scientific & Technical Services: 2% (-3% mo/mo)
- Transportation & Warehousing: 2% (-1% mo/mo)
- Arts, Entertainment & Recreation: 2% (-7% mo/mo)
- Other: 1% (Flat mo/mo)
- Accommodations & Food Services: .5% (+.5% mo/mo)
- Mining: .5% (+.5% mo/mo)
Threat Types by Category
Halcyon detected and blocked a wide variety of threats in our clients' environments that were missed by other security layers and that are often precursors to delivery of the ransomware payload.
Ransomware Precursors: Trojans
Halcyon detected an array of Trojans that may be precursors to ransomware payloads. It is important to understand that the ransomware payload is the tail end of an attack, so it is critical to detect precursors before the payload is deployed.
Detecting and blocking trojan activity can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified in July include:
Trojan.chapak/jaik: Allows remote attackers to gain unauthorized access and control. This Trojan can be used to steal sensitive information, download additional malware and ransomware, or conduct other harmful operations. It often spreads through deceptive methods, such as malicious email attachments, compromised websites, or bundled software downloads. Trojan.Chapak/Jaik poses a serious risk to system security and can lead to data theft, system instability, and further infections.
Trojan.msil/msilperseus: A malicious Trojan written in Microsoft's Intermediate Language (MSIL), targeting systems running on the .NET framework. Once installed, it can execute a range of harmful actions, including stealing sensitive information, logging keystrokes, and downloading additional malware and ransomware. This Trojan often disguises itself as legitimate software to evade detection and can spread through phishing emails, malicious downloads, or compromised websites. Its flexibility and stealth make it particularly dangerous, as it can be customized to perform various malicious activities. Trojan.MSIL/MSILPerseus poses a significant threat to both personal and enterprise security, often leading to severe data breaches and system compromise.
Trojan.zeppelin/zapchast: A highly destructive Trojan that primarily targets Windows systems. Once infiltrated, it typically functions as a backdoor, allowing attackers to gain remote control over the infected device. Known for its adaptability, Zeppelin/Zapchast can be used to deploy ransomware, steal sensitive data, or facilitate further malware infections. It often spreads through phishing campaigns, malicious attachments, or compromised software downloads. The Trojan is designed to evade detection by security tools, making it a significant threat to both individual users and organizations. Its presence on a system can lead to severe data loss, financial damage, and operational disruptions.
Trojan.blacklotus/agentb: A highly advanced and stealthy Trojan designed to infiltrate and compromise systems, often bypassing security measures with ease. It typically acts as a backdoor, providing cybercriminals with remote access and control over the infected device. This Trojan is particularly dangerous due to its ability to evade detection by disabling security features and altering system files. It spreads through phishing emails, malicious links, and compromised software, and can be used to steal sensitive data, deploy additional malware, or launch further attacks. The presence of Trojan.BlackLotus/AgentB on a system can result in significant security breaches and data loss.
Trojan.killav/avkill: Designed to disable or disrupt the functionality of antivirus programs and security software on infected systems. By targeting and terminating processes associated with antivirus tools, it renders the system vulnerable to further attacks. This Trojan often acts as a precursor to more severe malware and ransomware infections, allowing cybercriminals to install additional malicious software undetected. It can be spread through various methods, including email attachments, malicious downloads, or compromised websites, and poses a significant threat to computer security by undermining protective measures.
Ransomware Payloads
Halcyon also detected and blocked an array of ransomware payloads that could have significantly disrupted target organizations and their operations:
Ransomware.phobos: A dangerous form of ransomware that typically spreads through compromised Remote Desktop Protocol (RDP) connections, phishing emails, or malicious downloads. The encryption used by Phobos is strong, making data recovery difficult without the decryption key. Phobos primarily targets businesses, leading to significant data loss, operational downtime, and financial harm if backups are not available.
Ransomware.hiddentear/msil: An early open-source ransomware variant written in Microsoft's Intermediate Language (MSIL). Originally created as a proof-of-concept for educational purposes, it has been adapted by malicious actors into a fully functional ransomware threat. This ransomware spreads through phishing emails, malicious downloads, or compromised websites. Its open-source nature has led to numerous variants, making it a persistent threat.
Ransomware.akira/ransomx: An aggressive ransomware variant known for targeting both individual users and organizations. Akira/RansomX is particularly dangerous due to its ability to disable security measures and exfiltrate sensitive data before encryption, which the operators then threaten to leak if the ransom is not paid. This double-extortion tactic makes it a significant threat, leading to severe data loss, operational disruptions, and potential financial and reputational damage for victims.
Ransomware.rhysida/ajos: A highly disruptive form of ransomware that typically spreads through phishing emails, malicious downloads, or vulnerabilities in outdated software. Rhysida/Ajos is particularly dangerous because it often targets businesses and critical infrastructure, leading to significant operational disruptions and financial losses. Its encryption is strong, making recovery difficult without backups or the decryption key.
Ransomware.trigona/genie: A sophisticated ransomware variant that usually spreads through phishing emails, malicious downloads, or exploiting software vulnerabilities. The encryption used is robust, making data recovery nearly impossible without the decryption key. Trigona/Genie is particularly threatening to businesses, as it can lead to severe operational disruptions, data loss, and financial damage.
Recent Ransomware Attacks Statistics
Halcyon provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month on our Recent Ransomware Attacks website, including details on the attackers, victims, industry verticals, geolocations impacted and more.
Ransomware Stats for July 2024:
- Alleged Attacks Posted to Leaks Websites: 393
- Confirmed Attacks Posted to Our Database: 342
- Top 5 Industries Targeted:
  - Manufacturing: 59 attacks
  - Healthcare: 48 attacks
  - Business Services: 38 attacks
  - Construction: 32 attacks
  - Education: 21 attacks
- Most Active Ransomware Groups:
  - RansomHub: 36 attacks
  - Akira: 25 attacks
  - Play: 19 attacks
Recent Ransomware News:
- Dark Angels Ransomware Gang Nets Record $75M Ransom Payment: The ransomware operation Dark Angels has reportedly set a new record by receiving a $75 million ransom payment from an unnamed Fortune 50 company. This amount is the highest ever recorded, surpassing the previous record of $40 million paid by the insurance firm CNA to the Evil Corp ransomware group.
- Play Ransomware Debuts Linux Variant that Targets VMware ESXi: The Play ransomware gang is the latest to develop a dedicated Linux locker for encrypting VMware ESXi virtual machines. Researchers who identified this new variant report that the locker first verifies if it's operating in an ESXi environment before execution, and it can avoid detection on Linux systems.
- NCPA, Providers in 22 States Sue Change Healthcare/Optum/UHG Over Ransomware Attack: The National Community Pharmacists Association (NCPA) and over three dozen healthcare providers from 22 U.S. states have filed a lawsuit against Change Healthcare, Optum, and UnitedHealth Group following a severe ransomware attack in February 2024.
- Los Angeles Superior Court Shuttered by Ransomware Attack: The Los Angeles Superior Court, the largest unified trial court in the U.S., was closed following a ransomware attack. The attack led to the shutdown of all 36 courthouse locations in the county as court personnel and security experts worked to repair the severely impacted network systems.
- UK Authorities Arrest Teen for 2023 MGM Ransomware Attack: A 17-year-old from Walsall, England, has been arrested by West Midlands Police on suspicion of orchestrating a ransomware attack that crippled MGM Resorts in Las Vegas last year.
- CDK Global Named in Multiple Lawsuits Following Ransomware Attack: At least eight suits have been filed, including a proposed class action by Omar Aviles, an employee of Asbury Automotive Group. The lawsuits allege CDK failed to adequately protect customer data, exposing tens of thousands of individuals' personal information, including Social Security numbers and financial details.
- Clay County in Indiana Issues Disaster Declaration Following Ransomware Attack: Clay County, Indiana Emergency Management Agency officials issued a disaster declaration following a disruptive ransomware attack on county networks which has halted operations at the Clay County Courthouse and Clay County Probation/Community Corrections facilities.
- CISA Director Says Ransom Payment Ban Unlikely: The Director of CISA (Cybersecurity and Infrastructure Security Agency) Jen Easterly said it is unlikely the U.S. government would issue a formal ban on ransom payments to ransomware operators despite the fact that such a ban would diminish the financial incentives for further attacks.
Emerging Ransomware Groups
In June and July 2024, the ransomware landscape saw the emergence of several significant actors targeting diverse industries. Notable groups such as BrainCipher, Mad Liberator, RansomCortex, SenSayQ, and Cicada3301 employed distinct tactics, techniques, and procedures (TTPs) to attack high-profile organizations:
- BrainCipher and Mad Liberator are ransomware operators known for deploying ransomware payloads and engaging in data exfiltration. BrainCipher's attack on Indonesia's National Data Center disrupted crucial services, while Mad Liberator's breach of the Italian Ministry of Culture highlighted their dual focus on encryption and data theft. Both groups rely on phishing for initial access and on encryption plus data theft for leverage, which is why controls around email, credentials and data egress matter as much as endpoint protection.
- RansomCortex operates as a Ransomware-as-a-Service (RaaS) provider, offering tools and infrastructure to affiliate attackers. This business model has lowered entry barriers for cybercriminals, leading to increased ransomware incidents. RansomCortex's attacks on healthcare facilities in Brazil and Canada exemplify the growing threat posed by collaborative and scalable ransomware operations.
- Cicada3301 functions as a data extortion group, focusing on stealing and selling sensitive information rather than using ransomware payloads. This group has caused long-term damage through identity theft and corporate espionage by leaking stolen data.
- SenSayQ combines traditional ransomware tactics with innovative techniques, making it increasingly challenging for organizations to defend against their attacks.
Threat Actor Spotlight: INC Ransom
INC uses common TTPs such as leveraging compromised RDP (Remote Desktop Protocol) credentials to gain access and move laterally in a targeted environment. Initial infections have been observed via phishing and exploitation of a vulnerability in Citrix NetScaler (CVE-2023-3519).
INC has been observed delivering ransomware using legitimate tools like WMIC and PsExec and uses other Living-off-the-Land (LOTL) techniques, abusing applications including MSPaint, WordPad, Notepad, Internet Explorer, Windows Explorer, and AnyDesk for lateral movement.
INC has also been observed abusing tools like Esentutl for reconnaissance and MegaSync for data exfiltration. INC is written in C++ and uses AES-128 in CTR mode to encrypt files, and it also has a Linux version.
It is unclear if INC employs any advanced security tool evasion techniques, but there are indications that they may attempt to delete Volume Shadow Copies (VSS) to prevent victims from rolling back encrypted files from local snapshots.
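The KillAV paragraph above and the INC TTPs listed in this spotlight (shadow copy deletion, PsExec/WMIC remote execution, esentutl and MegaSync abuse) all leave process-creation evidence that a detection rule can key on. The following script is an added example written for this page, not Halcyon's or INC's code: it triages constructed Sysmon Event ID 1 / Security 4688-style records with a small rule set and groups hits per host. The event field names (`host`, `image`, `cmdline`), the regexes, the verdict thresholds and the sample events are all assumptions; `MsMpEng.exe` and `WinDefend` are Microsoft Defender's real process and service names, used here as the stand-in for "antivirus tools".

```python
"""Triage Windows process-creation events for ransomware precursor TTPs.

Added example, not Halcyon's or any threat actor's code. SAMPLE_EVENTS are
constructed records shaped like Sysmon EID 1 / Security 4688 fields; the
regexes below encode the TTPs the report attributes to INC Ransom and to
KillAV-style trojans. Field names and thresholds are assumptions.
"""
import re
from collections import defaultdict

# (rule name, regex applied to the lowercased "image cmdline" string)
RULES = [
    ("shadow_copy_deletion", re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows"
        r"|wmic(?:\.exe)?\s+shadowcopy\s+delete"
        r"|win32_shadowcopy.*remove-wmiobject")),
    ("av_process_kill", re.compile(
        r"taskkill(?:\.exe)?\s+.*?/im\s+(?:msmpeng|mssense)\.exe"
        r"|\b(?:net|sc)(?:\.exe)?\s+(?:stop|config)\s+(?:windefend|sense)\b")),
    ("remote_exec_psexec", re.compile(r"ps(?:exec|exesvc)(?:64)?(?:\.exe)?\s+\\\\")),
    ("remote_exec_wmic", re.compile(r"wmic(?:\.exe)?\s+/node:\S+\s+process\s+call\s+create")),
    # esentutl /y <src> /d <dst> is the documented LOLBin file-copy abuse
    ("esentutl_file_copy", re.compile(r"esentutl(?:\.exe)?\s+/y\s+.*?\s+/d\s+")),
    ("megasync_exfil_tool", re.compile(r"(?:^|[\\\s])megasync\.exe\b")),
]

# Rules that indicate the impact stage is imminent or under way
HIGH = {"shadow_copy_deletion", "av_process_kill"}

# Constructed sample telemetry (hypothetical hosts, users and paths)
SAMPLE_EVENTS = [
    {"host": "ws-fin-07", "image": r"C:\Windows\System32\taskkill.exe",
     "cmdline": r"taskkill /f /im MsMpEng.exe"},
    {"host": "ws-fin-07", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin delete shadows /all /quiet"},
    {"host": "ws-fin-07", "image": r"C:\Users\a.lee\AppData\Local\MEGAsync\MEGAsync.exe",
     "cmdline": r"MEGAsync.exe"},
    {"host": "jump-01", "image": r"C:\Tools\PsExec.exe",
     "cmdline": r"PsExec.exe \\srv-file-02 -s -d cmd /c C:\Windows\Temp\inc.exe"},
    {"host": "srv-file-02", "image": r"C:\Windows\System32\esentutl.exe",
     "cmdline": r"esentutl /y C:\Shares\Finance\q2-forecast.xlsx /d C:\Temp\q2.xlsx"},
    {"host": "ws-hr-03", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": r"vssadmin list shadows"},          # benign lookalike, no hit
    {"host": "ws-hr-03", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\b.ng\notes.txt"},
]


def classify(event):
    """Return the names of every rule the event's image+cmdline matches."""
    text = f"{event['image']} {event['cmdline']}".lower()
    return [name for name, rx in RULES if rx.search(text)]


def triage(events):
    """Group rule hits per host and attach a coarse verdict."""
    hits = defaultdict(set)
    for ev in events:
        for name in classify(ev):
            hits[ev["host"]].add(name)
    report = {}
    for host, names in hits.items():
        if names & HIGH and len(names) >= 2:
            verdict = "probable ransomware deployment"
        elif names & HIGH:
            verdict = "impact-stage precursor"
        else:
            verdict = "staging / lateral movement"
        report[host] = {"rules": sorted(names), "verdict": verdict}
    return report


if __name__ == "__main__":
    for host, info in triage(SAMPLE_EVENTS).items():
        print(f"{host}: {info['verdict']} ({', '.join(info['rules'])})")
```

The regexes are deliberately narrow (for example `vssadmin list shadows` is not flagged) so the rules stay usable as alert sources; in production you would feed real EDR or Sysmon telemetry in and tune the `HIGH` set and thresholds to your environment.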
INC did not emerge until the second half of 2023, but they appear to be ramping up operations as they refine their code and attack sequences. They instruct victims to log into a Tor portal with a unique user ID provided by the attackers. It is unclear what the average ransom demand is at this point.
INC targets a wide array of industries, including manufacturing, retail, IT, hospitality, pharma, construction and the public sector. INC practices double extortion and maintains a leaks site where it threatens to expose stolen victim data. INC has made good on threats to expose sensitive data when a target does not pay the ransom demand.
Notable victims include the Peruvian Army, NHS Scotland, Xerox, Trylon Corp, Ingo Money, BPG Partners Group, DM Civil, Nicole Miller INC., Pro Metals, Springfield Area Chamber of Commerce, US Federal Labor Relations Authority, Yamaha Philippines.
Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.