Halcyon Threat Insights 009: September 2024 Ransomware Report
Here are the key insights from the Halcyon Threat Research and Intelligence Team findings for September 2024 based on intelligence collected from our customer base. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:
Ransomware Prevented by Industry Vertical
The IT, Education and Finance sectors were the most targeted industry verticals in September 2024:
- Information & Technology: 25% (-3% mo/mo)
- Education: 25% (+4% mo/mo)
- Finance & Insurance: 12% (-6% mo/mo)
- Manufacturing: 10% (+4% mo/mo)
- Healthcare & Pharmaceutical: 8% (+4% mo/mo)
- State & Local Government: 7% (-1% mo/mo)
- Arts, Entertainment & Recreation: 5% (+4% mo/mo)
- Retail Trade: 3% (-1% mo/mo)
- Transportation & Warehousing: 3% (-3% mo/mo)
- Professional, Scientific & Technical Services: 1% (Flat mo/mo)
- Other: 1% (-1% mo/mo)
Threat Types by Category
Halcyon detected and blocked a wide variety of threats that other security layers in our clients' environments missed; these threats are often precursors to the delivery of the ransomware payload.
Ransomware Precursors: Trojans
Halcyon detected an array of Trojans that may be precursors to ransomware payloads. It is important to understand that ransomware payloads are the tail-end of an attack, so it is critical to detect precursors prior to infection.
Detecting and blocking trojan activity can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified in September include:
Trojan.msil/reverserat: A remote access trojan (RAT) written in the Microsoft Intermediate Language (MSIL), targeting Windows-based systems. It enables attackers to remotely control compromised machines, exfiltrate data, and execute malicious commands. Distributed through phishing emails, malicious links, or exploited software vulnerabilities, this trojan is known for its flexibility and stealth. It can capture keystrokes, take screenshots, manipulate files, and deploy additional payloads, posing a severe threat to both personal and enterprise environments. Its advanced evasion techniques make it challenging to detect and remove.
Trojan.knight/tedy: Primarily targets Windows systems, exploiting vulnerabilities to gain unauthorized access and execute malicious payloads. Trojan.Knight/Tedy is designed to bypass detection mechanisms, making it difficult to identify and remove. It operates as a backdoor, allowing attackers to remotely control the compromised system, steal sensitive data, or deploy additional malware such as ransomware payloads.
Trojan.keygen/barys: Disguises itself as a key generator for pirated software but secretly infects systems with malware. It is often spread through file-sharing platforms and suspicious downloads, and it tricks users into executing it by promising free access to licensed software. It is designed to steal sensitive information, install additional malware such as ransomware, or create backdoors for remote access, bypassing system security. It poses a significant risk by modifying system files, evading detection, and operating without the user's knowledge.
Trojan.xbrtrh/bplat: A highly evasive malware variant designed to infiltrate systems and execute malicious activities undetected. It primarily targets Windows-based environments, exploiting system vulnerabilities to establish persistent control. Once inside, it can disable security features, modify system configurations, and download additional malicious payloads. It is often used by cybercriminals to facilitate data theft, execute financial fraud, or serve as a backdoor for further exploitation. Its obfuscation techniques and ability to hide in legitimate processes make it difficult to detect and remove.
Trojan.acll/bbsw: A stealthy and highly adaptable malware that often masquerades as legitimate software or uses deceptive tactics, such as bundled downloads, to bypass security defenses. It establishes a backdoor for attackers to remotely control the compromised system, allowing them to manipulate files, execute commands, or deploy additional malicious payloads. It can also collect sensitive information, monitor user activities, and disable security tools, making it a potent threat for both individuals and organizations.
Ransomware Payloads
Halcyon also detected and blocked an array of ransomware payloads that could have significantly disrupted target organizations and their operations:
Ransomware.tedy/encoder: A destructive ransomware variant that spreads through phishing emails, malicious attachments, or software vulnerabilities. It can disable recovery options and delete backups to make file restoration difficult. It is part of a broader family of ransomware known for its disruptive impact and sophisticated attack strategies. This variant typically leverages advanced encryption algorithms, such as AES (Advanced Encryption Standard) or RSA (Rivest-Shamir-Adleman), making it virtually impossible to decrypt files without the decryption key.
Ransomware.crysis/crusis: A highly dangerous ransomware strain that spreads through phishing emails, malicious attachments, and weak Remote Desktop Protocol (RDP) settings. It scans the system for files to encrypt, using strong encryption algorithms like AES-256 and RSA-2048, making decryption nearly impossible without the attacker's key. Crysis/Crusis is particularly harmful due to its ability to disable antivirus programs, delete shadow copies, and encrypt files on network drives.
Trojan.lockbit/blackmatter: A dangerous ransomware hybrid that combines features from both LockBit and BlackMatter ransomware families, targeting businesses and critical infrastructure. In addition to encryption, it can exfiltrate sensitive data, increasing pressure on victims by threatening to leak information if demands aren’t met. It spreads through phishing emails, malicious attachments, and exploiting known vulnerabilities in outdated software.
Trojan.tedy/lockbit: Known for its rapid propagation and strong encryption algorithms, this ransomware often spreads through phishing emails, malicious attachments, or exploits in vulnerable software. The payload not only locks down files but may also exfiltrate sensitive information, increasing the pressure on victims to comply with ransom demands.
Ransomware.blackbasta/basta: Known for its use of double-extortion tactics, where it not only encrypts data but also exfiltrates sensitive information, threatening to leak it if the ransom is not paid. The ransomware spreads through phishing emails, compromised RDP access, and known software vulnerabilities. Its rapid adoption and targeted attacks have made Black Basta a prominent threat in the cybercriminal landscape.
Recent Ransomware Attacks Statistics
Halcyon provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month on our Recent Ransomware Attacks website, including details on the attackers, victims, industry verticals, geolocations impacted and more.
Ransomware Stats for September 2024:
Alleged Attacks Posted to Leaks Websites: 387
Confirmed Attacks Posted to Our Database: 337
Top 5 Industries Targeted:
- Manufacturing: 63 attacks
- Business Services: 40 attacks
- Construction: 35 attacks
- Healthcare: 17 attacks
- Education: 15 attacks
Most Active Ransomware Groups:
- RansomHub: 69 attacks
- Play: 42 attacks
- Medusa: 20 attacks
- Qilin: 18 attacks
- Meow: 15 attacks
Recent Ransomware News:
- Embargo Ransomware Attacking Cloud Environments: Microsoft has issued a warning about the ransomware group Storm-0501, which has shifted its tactics to target hybrid cloud environments, expanding its focus to compromise both on-premises and cloud assets.
- Mallox Ransomware Operators Develop Linux Variant with Leaked Kryptina Code: An affiliate of the Mallox ransomware group, also known as TargetCompany, has been observed using a modified version of the Kryptina ransomware to target Linux systems.
- Hunters International Hits ICBC and Exfiltrates 6.6TB of Sensitive Data: The London branch of the Industrial and Commercial Bank of China (ICBC) recently became the target of a ransomware attack, leading to the compromise of sensitive data.
- Kransom Ransomware Attack Leverages DLL Side-Loading and Valid Certificates: Cybersecurity researchers have uncovered a new strain of ransomware, known as Kransom, which is being camouflaged as a popular game to avoid detection.
- New RansomHub TTPs Include TDSSKiller and LaZagne for Disabling EDR: RansomHub has introduced a new, sophisticated attack strategy that involves using tools to bypass security defenses and steal credentials, expanding its tactics, techniques, and procedures (TTPs).
- CISA and FBI Alert on Iranian Ransomware Attacks Against US Infrastructure: CISA, in collaboration with the FBI and the Department of Defense Cyber Crime Center (DC3), released a joint advisory warning on Iran-based cyber actors enabling ransomware attacks on U.S. organizations.
- MoneyGram Cash Services Disrupted Worldwide: MoneyGram International Inc., a global payments and wire transfer company, experienced a significant disruption in its services following a cyberattack, suspected to be a ransomware attack.
Emerging Ransomware Groups
- Nitrogen: The group typically gains access by placing fake advertisements on Google and Bing, which direct users to download counterfeit versions of popular software like AnyDesk and Cisco AnyConnect. When victims download these applications, they unknowingly install malware like the NitrogenInstaller and Cobalt Strike, giving the attackers persistent access and control over their systems. The group's use of additional tools like the Sliver beacon and BlackCat/ALPHV ransomware allows them to maintain long-term access and conduct deeper intrusions within compromised networks.
- Valencia: Their operations are marked by sophisticated techniques, such as exploiting vulnerabilities in popular software like WhatsUp Gold, giving them administrative access to victim networks. There is also speculation that Valencia might be linked to other ransomware groups like Medusa, based on shared tactics and similar target profiles. Their ability to exploit critical vulnerabilities and use advanced extortion methods positions them as a significant threat to businesses worldwide.
- Orca: The group typically gains access through compromised credentials and exploits vulnerabilities in popular platforms like Zoho ManageEngine and Citrix NetScaler. Once inside, they conduct extensive reconnaissance to find high-value assets and move laterally through the network using stolen admin credentials. Orca is skilled at evading detection by tampering with security tools and using renamed binaries like Rclone for data exfiltration under the guise of legitimate processes.
Threat Actor Spotlight: DragonForce
According to the Power Rankings: Ransomware Malicious Quartile report, DragonForce has emerged as a significant player in the cybercriminal landscape, operating a highly sophisticated Ransomware-as-a-Service (RaaS) platform, constructed using a leaked builder from the notorious LockBit ransomware group.
This platform enables DragonForce to execute highly targeted and disruptive attacks, demonstrating a level of operational expertise that makes them particularly dangerous. Their ability to infiltrate systems, remain undetected, and unleash ransomware at precisely the right moment shows an impressive mastery of stealth and evasion tactics.
The platform is engineered with advanced features, allowing DragonForce to bypass conventional security defenses through encryption and stealth techniques that evade detection by traditional monitoring tools.
These techniques make it challenging for security teams to identify their activities before the ransomware is deployed. Leveraging LockBit’s robust architecture, DragonForce targets large, high-value organizations across various industries, maximizing the impact of their attacks.
One of DragonForce's most notable innovations is their adoption of LockBit’s powerful double extortion strategy. In this model, they not only encrypt the victim’s data but also exfiltrate sensitive information, threatening to publicly leak it unless their demands are met.
This dual pressure significantly increases the likelihood that victims will pay, further enhancing the group's success rate. Additionally, they utilize LockBit’s fast encryption algorithms, which can lock down large volumes of data rapidly, making it harder for organizations to respond in time to mitigate the damage.
DragonForce has further advanced their platform by integrating enhanced data exfiltration and advanced evasion techniques. These enhancements make their attacks more difficult to detect, even with modern security tools in place.
By focusing on refining their approach, DragonForce continuously evolves into a more adaptable and resilient operation, maintaining their edge in the highly competitive ransomware ecosystem. Their commitment to innovation suggests that they prioritize staying ahead of evolving security measures, increasing the complexity and impact of their attacks.
Organizationally, DragonForce runs like a well-structured business, with a strong emphasis on recruitment and support for their affiliates. By providing technical expertise, ongoing development, and support for their affiliate network, DragonForce ensures that their ransomware operations run smoothly and efficiently.
Their RaaS model allows less skilled cybercriminals to execute high-impact ransomware attacks using DragonForce’s platform, further expanding their reach. A key driver of their success is their focus on research and development. DragonForce invests heavily in refining their platform, continually integrating new tools and methodologies to enhance their operations.
This includes the development of custom encryption techniques and more sophisticated evasion methods, allowing them to keep pace with, and often surpass, the capabilities of modern cybersecurity defenses. Their commitment to innovation and adaptability helps them to maintain a competitive edge, ensuring the longevity and growth of their operation.
In the first three quarters of 2024 alone, DragonForce has been exceptionally active, launching numerous high-profile attacks. Their success rate is significant, as evidenced by the sheer number of well-known organizations that have fallen victim to their attacks.
Some of their most notable targets include Seafrigo Group, the Ohio Lottery, Yakult Australia, and Coca-Cola Singapore. Although ransom amounts are not always disclosed, it is clear that DragonForce aims for substantial payouts, primarily focusing on high-value organizations to maximize their demands and profits.
Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.