Halcyon Threat Insights 008: August 2024 Ransomware Report

Research
Written by
Halcyon Customer Success
Published on
Sep 6, 2024

Here are the key insights from the Halcyon Threat Research and Intelligence Team findings for August 2024 based on intelligence collected from our customer base. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Ransomware Prevented by Industry Vertical  

The IT, Education and Finance sectors were the most targeted industry verticals in August 2024:  

  • Information & Technology: 28% (-9% mo/mo)
  • Education: 21% (+12% mo/mo)
  • Finance & Insurance: 18% (-9% mo/mo)
  • State & Local Government: 8% (+1% mo/mo)
  • Transportation & Warehousing: 6% (+4% mo/mo)
  • Manufacturing: 6% (+1% mo/mo)
  • Healthcare & Pharmaceutical: 4% (flat mo/mo)
  • Retail Trade: 4% (+1% mo/mo)
  • Other: 2% (+1% mo/mo)
  • Arts, Entertainment & Recreation: 1% (-1% mo/mo)
  • Professional, Scientific & Technical Services: 1% (-1% mo/mo)
  • Accommodations & Food Services: 0.35% (-0.15% mo/mo)
  • Mining: 0.35% (-0.15% mo/mo)
  • Utilities: 0.35% (+0.35% mo/mo)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that other security layers in our clients' environments had missed; many of these are precursors to delivery of the ransomware payload.

Ransomware Precursors: Trojans  

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. It is important to understand that ransomware payloads are the tail-end of an attack, so it is critical to detect precursors prior to infection.  

Detecting and blocking trojan activity can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified in August include:

Trojan.paradise/msil: Malware that primarily targets systems running Microsoft Intermediate Language (MSIL). It disguises itself as a legitimate program or file to deceive users into installing it. Once executed, it can perform a range of harmful activities, such as stealing sensitive data, allowing remote control of the infected system, downloading additional malware, or disrupting system functionality.

Trojan.cosmu/xpiro: A type of Trojan that is part of the Xpiro malware family and is known for embedding itself deeply within system files, making it difficult to detect and remove. Once active, this Trojan can steal sensitive data, open backdoors for remote attackers, and download additional malicious software. It can also hinder system performance by altering key processes.

Trojan.cosmu/xpiro: A Trojan that integrates itself into system processes and files, making detection and removal challenging. Once installed, it can steal sensitive information, download additional malware, and grant remote access to attackers. This Trojan is also known to disrupt system performance and compromise overall security.

Trojan.formbook/razy: Primarily targets Windows systems and is designed to steal sensitive information, such as login credentials, browser data, and financial details. It can also capture screenshots, log keystrokes, and download additional malware. It operates stealthily, making it difficult for users to detect.

Trojan.hesperbot/foreign: A highly sophisticated banking Trojan designed to steal sensitive financial information from users. Once installed, the Trojan can log keystrokes, capture screenshots, and record online banking activities. It is also capable of creating a remote connection to the infected device, allowing attackers to manipulate transactions and bypass security measures.  

Ransomware Payloads  

Halcyon also detected and blocked an array of ransomware payloads that could have significantly disrupted target organizations and their operations:    

Ransomware.agenda/qilincrypt: Known for its flexibility, this ransomware allows attackers to customize the ransom note, encryption techniques, and attack approach to suit specific targets. It often spreads through phishing campaigns or by exploiting vulnerabilities in software. QilinCrypt poses a serious risk to business operations, leading to financial loss, data breaches, and potential long-term disruption.

Ransomware.lockbit/blackmatter: A highly advanced strain of ransomware combining features from both LockBit and BlackMatter ransomware families that targets businesses and critical infrastructure. It spreads through phishing attacks, exploited software vulnerabilities, or remote desktop protocol (RDP) weaknesses. This ransomware variant is known for its fast encryption speed, ability to evade detection, and the attackers' use of double extortion tactics—threatening to release stolen data if the ransom is not paid.

Ransomware.darkrace/imps: An aggressive ransomware variant that is distributed through phishing emails, malicious downloads, or exploiting system vulnerabilities. DarkRace/IMPS is particularly dangerous due to its ability to spread quickly within networks and evade traditional security measures. In addition to encryption, it may also exfiltrate sensitive data, using double extortion tactics to pressure victims by threatening to leak stolen information.

Ransomware.phobos/crysis: A highly destructive ransomware variant that primarily targets small and medium-sized businesses and spreads through weakly secured Remote Desktop Protocol (RDP) services, phishing attacks, and malicious downloads. Once inside a system, it encrypts a wide range of file types, appending a unique extension and leaving behind a ransom note with instructions for payment. Phobos/Crysis is known for its robust encryption methods and the lack of any decryption option without paying the ransom, leaving victims with little recourse.

Ransomware.maze/ranpack: Maze, also known as RanPack, is a ransomware strain that emerged around 2019. Maze typically targets large organizations, and its attacks have affected sectors such as healthcare, finance, and manufacturing. The ransomware is often delivered through phishing emails or by exploiting vulnerabilities in outdated software.

Recent Ransomware Attacks Statistics

Halcyon provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month on our Recent Ransomware Attacks website, including details on the attackers, victims, industry verticals, geolocations impacted and more.

Ransomware Stats for August 2024:

Alleged Attacks Posted to Leaks Websites: 470

Confirmed Attacks Posted to Our Database: 396

Top 5 Industries Targeted:

Most Active Ransomware Groups:

Recent Ransomware News:

Emerging Ransomware Groups  

  • Mad Liberator: The Mad Liberator ransomware operation, first detected in July 2024, quickly gained notoriety for its sophisticated use of social engineering and its exploitation of the AnyDesk remote access tool. The attackers initiated their attacks by establishing a connection through AnyDesk, at which point they deployed a malicious binary that mimicked a legitimate Windows update screen. This deceptive tactic enabled them to discreetly maintain control over the victim’s device while surreptitiously accessing and exfiltrating sensitive information. One of the key targets for these attackers was the victim’s connected OneDrive account, along with centralized server files. Using the AnyDesk FileTransfer feature, they efficiently stole the data without raising suspicion. To extend their reach within the compromised environment, the attackers utilized Advanced IP Scanner to identify additional devices on the network that could be exploited, further amplifying the scope of their attack. This multi-layered approach allowed Mad Liberator to effectively infiltrate and control entire networks, making it a highly dangerous and adaptive threat.  
  • Ransomcortex: Ransomcortex has quickly gained attention for its targeted attacks on healthcare facilities. In just a few days after its appearance, the group had already claimed four victims, including three healthcare institutions in Brazil and one in Canada. Although the healthcare sector has been a frequent target for ransomware attacks, Ransomcortex marks a significant shift by focusing exclusively on healthcare organizations. Extortion becomes a powerful tool, as attackers may threaten to disclose sensitive medical information unless a ransom is paid. By focusing exclusively on healthcare, Ransomcortex increases the potential harm to both the targeted organizations and the individuals whose data is stolen, raising the stakes for cybersecurity in the healthcare sector.  
  • VanirGroup: Vanir Group is quickly drawing attention for the aggressiveness and sophistication of their operations. In a short time, they have targeted three companies, making their attacks public through a data leak site. The Vanir Group claims to have a detailed understanding of the financial situations of these companies, implying that their ransom demands are carefully tailored to each victim. They have threatened to sell or distribute the stolen data if their demands are not met. Their website features an interactive terminal allowing users to input commands. Commands such as “help” provide a list of available actions, “news” offers updates about the group and their activities, and “victims” displays a list of companies they have attacked.  
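The Mad Liberator chain above (an AnyDesk session followed by Advanced IP Scanner for network discovery) can be turned into a simple host-level correlation rule. This is an example added here, not Halcyon's detection logic; the event format, process names and the two-hour window are assumptions, and the sample events are constructed.

```python
"""Flag hosts where a remote-access tool start is followed, within a short
window, by a network-discovery tool start (Mad Liberator style tool chain).
Added example; assumes CSV-like events of timestamp,host,image (constructed)."""
from datetime import datetime, timedelta

# Constructed sample telemetry, deliberately out of order (not real logs).
SAMPLE_EVENTS = [
    "2024-08-12T09:01:10Z,WS-17,explorer.exe",
    "2024-08-12T09:02:30Z,WS-17,AnyDesk.exe",
    "2024-08-12T09:40:05Z,WS-17,advanced_ip_scanner.exe",   # scanner 38 min later
    "2024-08-12T10:15:00Z,WS-22,AnyDesk.exe",               # support session only
    "2024-08-13T08:00:00Z,WS-22,advanced_ip_scanner.exe",   # next day: outside window
    "2024-08-12T11:00:00Z,WS-31,advanced_ip_scanner.exe",   # no prior remote access
]

REMOTE_ACCESS = {"anydesk.exe"}                # assumed image names, lower-cased
DISCOVERY = {"advanced_ip_scanner.exe"}


def parse(line):
    """Split one constructed event into (datetime, host, lower-cased image)."""
    ts, host, image = line.strip().split(",", 2)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), host, image.lower()


def find_remote_access_then_discovery(lines, window_minutes=120):
    """Return (host, remote_tool_start, discovery_start) for each discovery
    tool launched within window_minutes after a remote-access tool on the
    same host. Events are sorted first, so input order does not matter."""
    window = timedelta(minutes=window_minutes)
    last_remote = {}          # host -> most recent remote-access tool start
    hits = []
    for ts, host, image in sorted(parse(line) for line in lines):
        if image in REMOTE_ACCESS:
            last_remote[host] = ts
        elif image in DISCOVERY and host in last_remote:
            if ts - last_remote[host] <= window:
                hits.append((host, last_remote[host], ts))
    return hits


if __name__ == "__main__":
    for host, remote_ts, disc_ts in find_remote_access_then_discovery(SAMPLE_EVENTS):
        print(f"{host}: remote access {remote_ts.isoformat()} -> discovery {disc_ts.isoformat()}")
```

Extending the rule to the AnyDesk FileTransfer stage needs a data source the report does not name, so it is left out here.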

Threat Actor Spotlight: Black Basta

Black Basta is a RaaS that emerged in early 2022 and is assessed by some researchers to be an offshoot of the disbanded Conti and REvil attack groups.  

The group routinely exfiltrates sensitive data from victims for additional extortion leverage. Black Basta engages in highly targeted attacks and is assessed to only work with a limited group of highly vetted affiliate attackers.

Black Basta remains one of the most prolific attack groups in 2024 and was observed leveraging unique TTPs for ingress, lateral movement, data exfiltration, and deployment of ransomware payloads.

Black Basta also employs a double extortion scheme and maintains an active leaks website where they post exfiltrated data if an organization declines to pay the ransom demand. Black Basta takes an average of 14% of ransom payments, distributing the remainder among its affiliates.

Black Basta continues to evolve their RaaS platform with ransomware payloads that can infect both Windows and Linux systems. Black Basta is particularly adept at exploiting vulnerabilities in VMware ESXi running on enterprise servers.

Black Basta ransomware is written in C++ and can target both Windows and Linux systems. It encrypts data with ChaCha20, chosen for the rapid encryption of the targeted network, and then encrypts the ChaCha20 key with RSA-4096 so that files cannot be recovered without the attackers' private key.

In some cases, Black Basta leveraged malware strains like Qakbot and exploits such as PrintNightmare during the infection process. Black Basta also favors abuse of insecure Remote Desktop Protocol (RDP) deployments, one of the leading infection vectors for ransomware.

Ransom demands vary depending on the targeted organization, with reports that they can be as high as $9 million. It is estimated that 35% of the group's victims pay the ransom, enabling Black Basta to exceed $107 million in ransom revenue from more than 500 victims in less than two years.

Black Basta typically targets manufacturing, transportation, construction and related services, telecommunications, the automotive sector, and healthcare providers.  

Notable victims include Southern Water, BionPharma, M&M Industries, Coca-Cola, Yellow Pages Canada, AgCo, Capita, ABB, Merchant Schmidt, Tag Aviation, and Blount Fine Foods.

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.
