Halcyon Threat Insights 010: November 2024 Ransomware Report
Here are the key insights from the Halcyon Threat Research and Intelligence Team's findings for October 2024, based on telemetry collected from our customer base:
Ransomware Prevented by Industry Vertical
The Finance, IT and Education sectors were the most targeted industry verticals in October 2024:
- Finance & Insurance: 28% (+16% mo/mo)
- Information & Technology: 23% (-2% mo/mo)
- Education: 13% (-12% mo/mo)
- Manufacturing: 9% (-1% mo/mo)
- Arts, Entertainment & Recreation: 6% (+1% mo/mo)
- Healthcare & Pharmaceutical: 5% (-3% mo/mo)
- State & Local Government: 4% (-3% mo/mo)
- Transportation & Warehousing: 4% (+1% mo/mo)
- Professional, Scientific & Technical Services: 4% (+3% mo/mo)
- Retail Trade: 3% (flat mo/mo)
- Other: 0.5% (-0.5% mo/mo)
- Mining: 0.3% (+0.3% mo/mo)
- Construction: 0.2% (+0.2% mo/mo)
Threat Types by Category
Halcyon detected and blocked a wide variety of threats that other security layers in our clients' environments had missed. Many of these are precursors: tooling that lands before, and prepares the ground for, delivery of the ransomware payload.
Ransomware Precursors: Trojans
Halcyon detected an array of trojans that may be precursors to ransomware payloads. The ransomware payload is the tail end of an intrusion, so the most valuable detections are the ones that fire before it is ever written to disk.
Detecting and blocking trojan activity can stop attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified in October include:
trojan.mimikatz/genericfca: A detection for variants of Mimikatz, the well-known open-source tool used for credential theft and lateral movement. Mimikatz was written to demonstrate weaknesses in Windows authentication, but threat actors routinely run it as-is or in repacked, obfuscated form to slip past signature-based antivirus. Once running with sufficient privilege (typically SeDebugPrivilege or SYSTEM), it opens the memory of LSASS (Local Security Authority Subsystem Service) and extracts NTLM hashes, Kerberos tickets and, where the WDigest provider is enabled, plaintext passwords. In a corporate environment this is a high-risk precursor: the harvested credentials let attackers escalate privileges and authenticate to other hosts, which is usually how the ransomware payload reaches the rest of the network.
trojan.cobaltstrike/lazy: A detection for payloads derived from the commercial adversary-simulation framework Cobalt Strike, which continues to be weaponized by criminal and state-backed actors alike. Cobalt Strike was built to let security professionals simulate real-world attacks, but cracked and leaked builds have made its Beacon implant a staple of ransomware intrusions. Once deployed, Beacon gives attackers command-and-control (C2), persistent access, lateral movement and data exfiltration, plus an extensive post-exploitation toolkit that suits both targeted APT operations and affiliate-driven ransomware campaigns. The "Lazy" variant focuses on evading detection, using process injection, in-memory (fileless) payloads and obfuscation to bypass endpoint defenses and traditional antivirus.
trojan.injexa/dridex: A sophisticated banking trojan designed to steal sensitive financial information and enable further malicious activities within infected systems. Originating from the Dridex malware family, which is known for targeting banking and financial services, this variant, Injexa/Dridex, is particularly dangerous due to its ability to deploy modular payloads, adapt to various environments, and evade detection with advanced obfuscation techniques. Once a user unknowingly executes the malware, Injexa/Dridex installs itself and establishes a command-and-control (C2) connection with a remote server controlled by the attackers. From there, it can log keystrokes, capture screenshots, and steal credentials or other valuable data. The trojan also enables attackers to inject malicious code into web pages viewed by the victim, making it highly effective in stealing online banking credentials.
trojan.marte/volt: A malware variant with remote access trojan (RAT) capabilities used to infiltrate systems, exfiltrate data and establish persistent backdoors in target environments. Seen in both personal and enterprise environments, Marte/Volt is concerning because of its stealth and adaptability, which let operators carry out a range of malicious activity remotely. Once deployed, it establishes a covert connection to a command-and-control (C2) server through which attackers can monitor user activity, capture keystrokes, access sensitive files and, in some cases, control webcams and microphones. The variant is typically obfuscated, making it difficult for standard antivirus software to detect and neutralize.
trojan.remcos/craexxe: A potent remote access trojan (RAT) that provides attackers with unauthorized access and control over infected devices, enabling extensive data theft, surveillance, and manipulation of system processes. Originally marketed as a legitimate tool for IT professionals, Remcos (Remote Control & Surveillance) has been co-opted by cybercriminals for malicious purposes. The Craexxe variant is particularly insidious due to its focus on stealth and versatility, making it a preferred tool in both targeted and broad-based attacks. Once activated, it installs itself deeply within the system, establishing a command-and-control (C2) connection with the attacker. This connection allows the attacker to execute commands remotely, monitor user activity, capture keystrokes, and exfiltrate sensitive information. Craexxe's advanced obfuscation and anti-analysis techniques enable it to bypass many traditional antivirus defenses, making detection and removal challenging.
trojan.ursu/mzoaw: A stealthy and adaptive malware variant designed for data theft and network infiltration, primarily targeting enterprise environments. This trojan, part of the Ursu family, is highly modular and equipped with multiple attack capabilities, making it a serious threat for organizations handling sensitive data. Once deployed, Ursu/Mzoaw establishes a covert connection with a command-and-control (C2) server, allowing attackers to exfiltrate data, log keystrokes, and manipulate system files. It often disguises itself within legitimate software or documents, bypassing standard detection mechanisms. It can infiltrate deeply into system processes, masking its presence and evading antivirus programs. The trojan can also adjust its behavior based on the security environment, further complicating detection and removal. Ursu/Mzoaw’s flexibility allows attackers to inject additional malware, such as ransomware or other trojans, once a foothold is gained.
miner.bitminer/apcz: A malicious cryptocurrency mining trojan that covertly utilizes infected systems’ resources to mine cryptocurrencies, such as Bitcoin or Monero, without user consent. Part of the Bitminer family, this variant, APCZ, is designed to operate stealthily, embedding itself within legitimate processes or disguising itself as a benign application. By monopolizing CPU and GPU power, Bitminer/APCZ can significantly degrade system performance, causing slower response times, overheating, and increased electricity consumption. It can remain hidden within a system for extended periods, often evading basic antivirus scans with advanced obfuscation techniques. Once installed, it connects to a remote mining pool, siphoning processing power to mine cryptocurrencies for the attacker’s benefit. While the trojan itself is not inherently destructive, its impact can lead to costly hardware damage and productivity losses, especially in corporate settings with multiple infected machines.
trojan.nightfury/blind: A stealthy trojan variant designed for remote access, data exfiltration, and system manipulation. Originating from the Nightfury malware family, the Blind variant is particularly concerning due to its adaptability and advanced evasion techniques. This trojan is often deployed in targeted attacks, allowing cybercriminals to establish a hidden presence within networks and maintain prolonged control over compromised systems. Once executed, it establishes a command-and-control (C2) connection, granting attackers remote access to infected machines. This connection enables extensive malicious activities, such as capturing keystrokes, stealing credentials, accessing files, and deploying additional payloads. Blind's use of obfuscation and anti-analysis techniques makes it highly resistant to detection by traditional security tools. The trojan poses a significant threat to corporate environments, as it can facilitate espionage, intellectual property theft, and other types of data breaches.
hacktool.pswtool/showpassword: A malicious software tool designed to recover or reveal saved passwords within web browsers or local applications. Often marketed as a password recovery utility, this tool is commonly used by cybercriminals to extract login credentials from compromised systems without user authorization. ShowPassword specifically targets stored passwords, making it a preferred method for threat actors seeking quick access to sensitive accounts, including email, social media, banking, and corporate systems. It operates by accessing a system's credential storage, where browsers and applications often save encrypted passwords for ease of use. Once launched, the tool decrypts and displays these credentials, allowing attackers to quickly capture and exploit them. Its minimal system footprint and ability to bypass basic antivirus detection make it particularly dangerous in both personal and enterprise environments.
trojan.productkey/passview: A malicious tool designed to extract and reveal product keys and passwords stored within an infected system. Originally presented as a utility for recovering forgotten product keys for legitimate software, this tool has been widely adopted by cybercriminals to gain unauthorized access to software licenses and confidential credentials on compromised devices. PassView specifically targets key management locations within the operating system, exposing licenses and login details for both software and online accounts. Once installed, it scans for stored product keys, software licenses, and saved credentials within browsers and applications, decrypting and displaying them for the attacker. This capability allows hackers to illegally use licensed software or access sensitive accounts, potentially leading to software piracy, data theft, and further exploitation of user accounts. This trojan is particularly concerning for businesses and individuals who store credentials locally, as it can compromise licensing agreements and expose sensitive information.
hacktool.processhacker: Process Hacker is a powerful, legitimately developed system monitoring and task management utility that is frequently abused by attackers to take control of system processes, inspect running applications and manipulate services in compromised environments. It can view and terminate processes, modify services and inspect network activity, and it ships with a signed kernel driver (KProcessHacker) through which the user-mode client can terminate processes that ordinary tools cannot, including antivirus and EDR agents. That capability is why it turns up in ransomware intrusions: it is typically dropped post-compromise, sometimes bundled with other tooling, and used to identify and kill security software, hide malicious processes and clear the way for the payload. Because it is signed and widely used by administrators, its presence is easy to overlook; the driver load and the termination of security processes are the events worth alerting on.
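The two precursors above, Mimikatz reading LSASS and Process Hacker loading its kernel driver, both leave distinctive endpoint telemetry. The following is an added example, not Halcyon's detection logic and not code from any tool named on this page: a small rule evaluator in Go over Sysmon-style events (Event ID 10 ProcessAccess and Event ID 6 DriverLoad). It flags any untrusted image that obtains a handle to lsass.exe carrying PROCESS_VM_READ (0x10), the one right every memory-scraping credential dumper needs, and any load of kprocesshacker.sys. The sample events, the field subset and the allow list of trusted LSASS readers are constructed for the example and must be tuned to your environment.

```go
package main

import (
	"fmt"
	"strings"
)

// Event is a flattened Sysmon-style endpoint event. Field names follow the
// Sysmon schema (EventID 10 = ProcessAccess, EventID 6 = DriverLoad); the
// sample events below are constructed for this example, not real telemetry.
type Event struct {
	EventID       int
	SourceImage   string // process that requested the handle (EventID 10)
	TargetImage   string // process that was opened (EventID 10)
	GrantedAccess uint32 // access mask granted on the target (EventID 10)
	ImageLoaded   string // path of the loaded driver (EventID 6)
}

// Alert is what a rule emits when it fires.
type Alert struct {
	Rule   string
	Detail string
}

// PROCESS_VM_READ from winnt.h: the right needed to read another process's
// memory, and therefore the one every LSASS credential dumper must hold.
const processVMRead uint32 = 0x0010

// trustedLsassReaders lists images that routinely open LSASS with read access
// on a hardened host. This allow list is an assumption for the example; it
// must be tuned to the environment and kept short.
var trustedLsassReaders = map[string]bool{
	`c:\windows\system32\csrss.exe`:   true,
	`c:\windows\system32\wininit.exe`: true,
}

// baseName returns the final path component for a Windows or POSIX path.
func baseName(p string) string {
	if i := strings.LastIndexAny(p, `\/`); i >= 0 {
		return p[i+1:]
	}
	return p
}

// lsassReadAccess fires on a ProcessAccess event where an untrusted image
// obtained a handle to lsass.exe that includes PROCESS_VM_READ, whatever other
// bits are set (Mimikatz commonly shows 0x1010 or 0x1410; matching the single
// bit also catches tools that ask for more).
func lsassReadAccess(e Event) (Alert, bool) {
	if e.EventID != 10 || baseName(strings.ToLower(e.TargetImage)) != "lsass.exe" {
		return Alert{}, false
	}
	src := strings.ToLower(e.SourceImage)
	if e.GrantedAccess&processVMRead == 0 || trustedLsassReaders[src] {
		return Alert{}, false
	}
	return Alert{
		Rule:   "lsass_read_access",
		Detail: fmt.Sprintf("%s opened lsass.exe with GrantedAccess 0x%x", e.SourceImage, e.GrantedAccess),
	}, true
}

// processHackerDriver fires on a DriverLoad event for KProcessHacker, the
// kernel driver shipped with Process Hacker that lets its user-mode client
// terminate processes other tools cannot, including security agents.
func processHackerDriver(e Event) (Alert, bool) {
	if e.EventID != 6 || baseName(strings.ToLower(e.ImageLoaded)) != "kprocesshacker.sys" {
		return Alert{}, false
	}
	return Alert{Rule: "processhacker_driver_load", Detail: "kernel driver loaded from " + e.ImageLoaded}, true
}

var rules = []func(Event) (Alert, bool){lsassReadAccess, processHackerDriver}

// Evaluate runs every rule over every event and returns the alerts in order.
func Evaluate(events []Event) []Alert {
	var alerts []Alert
	for _, e := range events {
		for _, r := range rules {
			if a, ok := r(e); ok {
				alerts = append(alerts, a)
			}
		}
	}
	return alerts
}

// SampleEvents is a constructed trace: two benign LSASS opens, one that looks
// like a credential dump, and one Process Hacker driver load among ordinary
// driver loads.
func SampleEvents() []Event {
	return []Event{
		{EventID: 10, SourceImage: `C:\Windows\System32\svchost.exe`, TargetImage: `C:\Windows\System32\lsass.exe`, GrantedAccess: 0x1000},
		{EventID: 10, SourceImage: `C:\Windows\System32\csrss.exe`, TargetImage: `C:\Windows\System32\lsass.exe`, GrantedAccess: 0x1fffff},
		{EventID: 10, SourceImage: `C:\Users\bob\AppData\Local\Temp\upd.exe`, TargetImage: `C:\Windows\System32\lsass.exe`, GrantedAccess: 0x1010},
		{EventID: 6, ImageLoaded: `C:\Windows\System32\drivers\tcpip.sys`},
		{EventID: 6, ImageLoaded: `C:\Users\bob\Downloads\kprocesshacker.sys`},
	}
}

func main() {
	for _, a := range Evaluate(SampleEvents()) {
		fmt.Printf("[%s] %s\n", a.Rule, a.Detail)
	}
}
```

Running the sample trace yields exactly two alerts: the unsigned temp-directory binary reading LSASS, and the Process Hacker driver load. The svchost open is ignored because 0x1000 (PROCESS_QUERY_LIMITED_INFORMATION) carries no read right, and csrss is allow-listed. In production, the allow list should be keyed on signer as well as path, since attackers copy their tools into trusted-looking locations.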
Ransomware Payloads
Halcyon also detected and blocked an array of ransomware payloads that could have significantly disrupted target organizations and their operations:
trojan.wannacry/wanna: A notorious ransomware worm that gained global attention in May 2017 when it infected hundreds of thousands of systems across numerous industries within days. WannaCry spreads through the SMBv1 vulnerability fixed in MS17-010, using the EternalBlue exploit and DoublePulsar backdoor that the Shadow Brokers leaked from a cache of NSA tooling. Its worm behavior makes it exceptionally contagious: once executed, it encrypts user files (documents, images, archives and similar extensions) while concurrently scanning the local network and random internet addresses for hosts still exposing unpatched SMBv1, installing itself on each one without any user interaction. The original campaign was halted by the registration of an unregistered "kill-switch" domain the malware checked before running, but unpatched or unmanaged hosts still get infected by the surviving samples, and the worm can cause significant operational disruption, data loss and financial damage, especially in large flat networks.
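The worm behavior described above has a network signature that does not depend on the exploit: one host suddenly opening SMB connections to many distinct neighbors. Below is an added example, not Halcyon's detection logic, of a fan-out detector in Go that parses a constructed connection log (RFC 3339 timestamp, source, destination, destination port, one record per line, as a firewall or flow collector might export) and flags any source that reaches at least N distinct hosts on port 445 within a sliding window. The log lines, the threshold and the window size are assumptions for the example; a file server's clients will set the baseline in a real network.

```go
package main

import (
	"bufio"
	"fmt"
	"sort"
	"strings"
	"time"
)

// Conn is one outbound TCP connection attempt as a firewall or flow collector
// would log it. The text format parsed below is constructed for this example.
type Conn struct {
	At    time.Time
	Src   string
	Dst   string
	Dport int
}

// ParseConnLog reads lines of "RFC3339-timestamp src dst dport" and skips
// malformed lines rather than failing the whole batch.
func ParseConnLog(log string) []Conn {
	var out []Conn
	sc := bufio.NewScanner(strings.NewReader(log))
	for sc.Scan() {
		f := strings.Fields(sc.Text())
		if len(f) != 4 {
			continue
		}
		at, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		var port int
		if _, err := fmt.Sscanf(f[3], "%d", &port); err != nil {
			continue
		}
		out = append(out, Conn{At: at, Src: f[1], Dst: f[2], Dport: port})
	}
	return out
}

// Hit records a source that contacted at least threshold distinct hosts on
// the watched port inside one window starting at Start.
type Hit struct {
	Src      string
	Distinct int
	Start    time.Time
}

// DetectFanOut groups connections by source, sorts them by time, and slides a
// window over each source's connections while tracking how many distinct
// destinations fall inside it. Normal clients talk to a handful of servers
// repeatedly; a worm sweeps a subnet, so the distinct-destination count
// climbs fast.
func DetectFanOut(conns []Conn, dport int, window time.Duration, threshold int) []Hit {
	bySrc := map[string][]Conn{}
	for _, c := range conns {
		if c.Dport == dport {
			bySrc[c.Src] = append(bySrc[c.Src], c)
		}
	}
	srcs := make([]string, 0, len(bySrc))
	for s := range bySrc {
		srcs = append(srcs, s)
	}
	sort.Strings(srcs) // deterministic output order
	var hits []Hit
	for _, src := range srcs {
		cs := bySrc[src]
		sort.Slice(cs, func(i, j int) bool { return cs[i].At.Before(cs[j].At) })
		counts := map[string]int{} // distinct destinations in the current window
		start := 0
		for end := range cs {
			counts[cs[end].Dst]++
			for cs[end].At.Sub(cs[start].At) > window { // expire old connections
				counts[cs[start].Dst]--
				if counts[cs[start].Dst] == 0 {
					delete(counts, cs[start].Dst)
				}
				start++
			}
			if len(counts) >= threshold {
				hits = append(hits, Hit{Src: src, Distinct: len(counts), Start: cs[start].At})
				break // one alert per source is enough
			}
		}
	}
	return hits
}

// SampleLog is constructed: 10.0.1.15 sweeps 24 neighbours on 445 at one
// connection per second (worm-like), while 10.0.1.40 talks to three file
// servers over the same period (normal). One garbage line tests the parser.
func SampleLog() string {
	var b strings.Builder
	base := time.Date(2024, 10, 14, 9, 0, 0, 0, time.UTC)
	for i := 0; i < 24; i++ {
		fmt.Fprintf(&b, "%s 10.0.1.15 10.0.1.%d 445\n", base.Add(time.Duration(i)*time.Second).Format(time.RFC3339), 100+i)
	}
	for i, dst := range []string{"10.0.2.5", "10.0.2.6", "10.0.2.5", "10.0.2.7"} {
		fmt.Fprintf(&b, "%s 10.0.1.40 %s 445\n", base.Add(time.Duration(i)*3*time.Second).Format(time.RFC3339), dst)
	}
	b.WriteString("garbage line\n")
	return b.String()
}

func main() {
	for _, h := range DetectFanOut(ParseConnLog(SampleLog()), 445, 60*time.Second, 20) {
		fmt.Printf("%s reached %d distinct hosts on 445 within 60s of %s\n", h.Src, h.Distinct, h.Start.Format(time.RFC3339))
	}
}
```

With a 60-second window and a threshold of 20, only 10.0.1.15 fires. The same loop works for RDP (3389) or WinRM (5985) fan-out, which is how hands-on-keyboard lateral movement, as opposed to a worm, tends to show up; the threshold just needs to be lower and the window longer.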
ransomware.lockbit/lockbit2: A fast-encrypting ransomware strain targeting organizations across industries worldwide. Known for its speed, adaptability and automation, LockBit 2.0 became one of the most prolific ransomware variants under the RaaS model. Affiliates gain entry through phishing emails, exploitable software or weak Remote Desktop Protocol (RDP) credentials, then encrypt data files rapidly, often pushing the payload to the whole domain via Group Policy. Files are encrypted with per-file symmetric keys that are themselves wrapped with the operators' public key, so recovery without the corresponding private key is not feasible. LockBit 2.0 also includes evasion techniques aimed at endpoint detection and response (EDR) solutions, making it especially challenging to detect and contain, and it employs "double extortion": attackers threaten to leak stolen data if the ransom isn't paid.
ransomware.sodinokibi/revil: A sophisticated ransomware strain responsible for high-profile attacks across numerous industries. REvil (Sodinokibi) operated on a RaaS model, which allowed it to spread widely and hit organizations of every size, making it one of the most formidable ransomware threats of its era. Once executed, it encrypts files with Salsa20 under per-victim Curve25519 key pairs, so decryption without the operators' private key is not feasible. REvil also pioneered the "double extortion" strategy at scale: attackers not only demand a ransom for the decryption key but also threaten to publish stolen data if the ransom isn't paid, increasing pressure on victims.
trojan.zeppelin/zapchast: A ransomware variant that targets enterprise networks and individuals, with a history of hitting healthcare, technology and education organizations, frequently by way of their managed service providers. Part of the Zeppelin family (itself a Vega/VegaLocker derivative), Zapchast is notable for its stealth and adaptability, which let attackers launch highly targeted and destructive attacks. It is typically deployed in "big-game hunting" operations, where criminals pursue high-value targets to maximize ransom demands. Once inside a network, it spreads to other systems and encrypts critical files, disrupting operations and causing significant downtime. The family is built from a configurable builder, allowing attackers to tailor the ransom note, encryption settings and demands to the specific victim, which heightens the pressure to pay.
trojan.xorist/cryptotorlocker2015: A member of the Xorist ransomware family, CryptoTorLocker2015 is typically spread through malicious email attachments, compromised websites or bundles with other software, disguised as a legitimate file to trick users into opening it. Upon execution it searches for valuable file types such as documents, images and databases, encrypts them, appends a new extension and drops a ransom note. Xorist variants are produced with a publicly available builder that lets the operator choose the extension, note and a simple cipher, so the family is technically unsophisticated and free decryptors exist for many of its variants; it can still cause significant disruption for users without backups or security protections in place.
ransomware.blackkingdom/python: A ransomware variant written in Python and typically delivered as a PyInstaller-packaged Windows executable. Black Kingdom is known for exploiting specific vulnerabilities for initial access, including the Pulse Secure VPN flaw CVE-2019-11510 in 2020 and the Microsoft Exchange ProxyLogon vulnerability in March 2021. Because the encryptor is a script rather than compiled native code, it is cheap to modify and repack, which defeats static signatures and is the reason this detection is keyed on the Python payload rather than a fixed hash.
ransomware.trigona/nekark: Part of the Trigona ransomware family, the Nekark variant often enters networks through phishing emails, malicious downloads, or exploiting unpatched software vulnerabilities, leveraging these entry points to establish a foothold in the target environment. This variant employs strong encryption algorithms, making decryption without the attackers' key nearly impossible. Trigona/Nekark also engages in “double extortion,” not only demanding payment for file decryption but also threatening to release sensitive data publicly if the ransom is not paid. This additional pressure tactic increases the likelihood of compliance, particularly in industries where confidentiality is critical, such as healthcare, finance, and legal services.
trojan.fragtor/crypmod: Unlike typical ransomware, Fragtor/CrypMod focuses on stealth and persistence, allowing it to operate undetected within a network for extended periods. This ransomware variant is often distributed through phishing emails, malicious links, compromised downloads, or bundled with other software, disguising itself as a legitimate file to trick users into executing it. CrypMod employs advanced obfuscation techniques to evade detection by antivirus and anti-malware software, making it especially challenging for traditional security measures to intercept or remove.
trojan.caddywiper/killdisk: A destructive wiper, grouped here with KillDisk, an older wiper family used against Ukrainian infrastructure. Unlike ransomware, which encrypts files to extract a payment, CaddyWiper aims to destroy data permanently as part of sabotage-driven attacks; it was first observed in March 2022 against Ukrainian organizations alongside the Russian invasion, and the KillDisk lineage has hit critical infrastructure, financial institutions and corporate networks where the goal was to cripple operations rather than profit through extortion. Once launched with sufficient privilege, CaddyWiper overwrites file contents on attached drives and then destroys the drives' partition information, making recovery exceedingly difficult. It checks whether it is running on a domain controller and spares such hosts, so the attackers keep control of the domain while workstations and servers are wiped. The threat is significant because the primary objective is irrecoverable data loss, leading to costly downtime and operational disruption; offline, tested backups are the only effective control.
Recent Ransomware Attacks Statistics
Halcyon provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month on our Recent Ransomware Attacks website, including details on the attackers, victims, industry verticals, geolocations impacted and more.
Ransomware Stats for October 2024:
Alleged Attacks Reported: 482 (+25% mo/mo)
Confirmed Attacks Posted: 422 (+31% mo/mo)
Top 5 Industries Targeted:
- Manufacturing: 94 attacks
- Construction: 36 attacks
- Healthcare: 26 attacks
- Business Services: 24 attacks
- Legal: 24 attacks
Most Active Ransomware Groups:
- RansomHub: 76 attacks
- Play: 44 attacks
- KillSec: 28 attacks
- Sarcoma: 27 attacks
- Fog: 24 attacks
Recent Ransomware News:
- Latest Qilin.B Ransomware Features Better Evasion and Stronger Encryption: This strain employs AES-256-CTR with AES-NI acceleration for faster performance on modern CPUs, falling back to ChaCha20 on older systems. It uses RSA-4096 to protect the file encryption keys, so decryption is infeasible without the operators' private key.
- Cyberattack Disrupts American Water - Largest Water Utility in the US: American Water, which serves over 14 million people across 14 states and operates on 18 military installations, said it discovered the unauthorized activity and took immediate action, including pausing its billing systems.
- Losses from Change Healthcare Ransomware Attack Approach $3B: UnitedHealth Group (UHG) has revised its estimate of the costs related to the cyberattack on its Change Healthcare IT services, raising the figure to nearly $2.9 billion for fiscal year 2024.
- Ransomware Attack Downstream Impact Hits 237,000 Comcast Customers: The breach, which originated in February 2024, exposed the personal information of approximately 4 million individuals, initially affecting 1.9 million before numbers were revised in June.
- Ransomware Attack on Casio Exposes Sensitive Customer Data: The attack compromised personal information of employees, contractors, business partners, and job applicants, as well as internal documents, including invoices and human resources files.
- Extortion Gang BianLian Attacks Boston Children's Health Physicians: The BianLian data extortion group has claimed responsibility for a recent cyberattack on Boston Children's Health Physicians (BCHP), a network of over 300 pediatric specialists operating across New York’s Hudson Valley and Connecticut.
- Akira Develops Rust-Based Ransomware to Target ESXi Servers: The Akira ransomware gang has developed a Rust variant to target VMware ESXi servers, a significant evolution in its technical architecture: the new ESXi encryptor moves from C++ to Rust.
- UMC Struggles to Recover from Extensive Ransomware Attack: UMC acknowledged that there is still work to be done, particularly with restoring more patient-facing systems and internal programs crucial for patient care.
- China’s Operation Salt Typhoon Targets US Political Campaigns: Operation Salt Typhoon—also recognized as GhostEmperor, FamousSparrow, King of World, or UNC2286—is an advanced persistent threat (APT) group reportedly operated by the Chinese government.
- Ransomware Attacks - The New Snow Day for Schools: CISA issued a stark warning about the rising threat of ransomware attacks targeting the education sector and updated its cybersecurity guidelines for K-12 organizations.
Emerging Ransomware Groups
Sarcoma: 27 New Victims
- Sarcoma is a ransomware group that emerged in October 2024, quickly gaining notoriety for its aggressive tactics and significant data breaches. Unlike some ransomware groups, Sarcoma does not publicly list ransom amounts, instead leveraging data leaks as a primary means of coercion. Notable victims include Australian steel fabricator Meshworks, New Zealand accounting firm Advanced Accounting, and Australian produce company Perfection Fresh.
Interlock: 5 New Victims
- Interlock is a ransomware group that emerged in late September 2024, known for its sophisticated attacks targeting both Windows and FreeBSD operating systems. Interlock has developed encryptors for both Windows and FreeBSD systems, a relatively uncommon approach among ransomware groups. Notable victims include Wayne County in Michigan, Texas Tech University Health Sciences Center (TTUHSC), and Italian manufacturer Smeg Group.
Fog: 24 New Victims
- The Fog ransomware group, first identified in May 2024, has rapidly emerged as a significant threat, particularly to educational institutions in the United States. Its operations are characterized by swift attacks that use compromised VPN credentials to enter networks and deploy ransomware. Notable victims include unnamed entities in the financial and education sectors, as well as the Central Pennsylvania Food Bank.
Threat Actor Spotlight: Qilin
The Halcyon Ransomware Malicious Quartile report reveals that the ransomware group Qilin initially operated under the name Agenda before evolving into a Ransomware-as-a-Service (RaaS) model in July 2022.
Developed in Golang and Rust, Qilin targets both Windows and Linux systems. Rust's memory safety and cross-platform toolchain give the operators reliable concurrency for fast encryption and a single code base for multiple targets; Rust binaries are also bulkier and less familiar to analysts and signature writers, which complicates detection and supports multi-platform attacks.
Qilin's operators have been observed gaining unauthorized access through exposed services and weak credentials, notably Remote Desktop Protocol (RDP). The RaaS platform offers affiliates configurable encryption: ChaCha20 or AES-256 for file content, with RSA-4096 protecting the file keys, so attacks can be tuned to target-specific requirements.
The ransomware is designed to compromise both Windows and Linux environments, with particular emphasis on Linux systems running on VMware ESXi hypervisors. The Linux variant is compiled with GCC 11 and relies on OpenSSL for its public-key operations, which makes it portable across Linux and ESXi hosts and highly effective against virtualized infrastructure.
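The encryption model described for Qilin here, and for Qilin.B, LockBit 2.0 and REvil elsewhere on this page, is the same hybrid construction: a fresh symmetric key per file, with that key wrapped under the operators' public key. The following is an added example, not Qilin's code or Halcyon's, that models the construction in Go's standard library (AES-256-CTR for the content, RSA-OAEP for the key wrap; Go's standard library has no ChaCha20, so the AES path alone is shown) on an in-memory buffer. It is here to make the "nearly impossible to decrypt without the private key" claim concrete for responders: the wrapped key blob left beside each file is useless without the private key, and an unrelated key fails to unwrap it outright rather than yielding garbage. The 2048-bit key size, the sample buffer and the function names are assumptions of the example; the report cites RSA-4096.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is everything that would be left on disk after encryption: the
// per-file key wrapped to the operator's public key, the CTR nonce, and the
// ciphertext. Nothing in it yields the file key without the private key.
type Envelope struct {
	WrappedKey []byte // RSA-OAEP(fileKey) under the operator's public key
	Nonce      []byte // 16-byte AES-CTR initial counter block
	Ciphertext []byte
}

const fileKeyLen = 32 // AES-256

// Seal encrypts one buffer with a fresh AES-256-CTR key and wraps that key
// with RSA-OAEP. This mirrors the hybrid construction the report describes;
// the real Qilin.B additionally selects ChaCha20 when AES-NI is absent.
func Seal(pub *rsa.PublicKey, plaintext []byte) (Envelope, error) {
	key := make([]byte, fileKeyLen)
	if _, err := rand.Read(key); err != nil {
		return Envelope{}, err
	}
	nonce := make([]byte, aes.BlockSize)
	if _, err := rand.Read(nonce); err != nil {
		return Envelope{}, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return Envelope{}, err
	}
	ct := make([]byte, len(plaintext))
	cipher.NewCTR(block, nonce).XORKeyStream(ct, plaintext)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return Envelope{}, err
	}
	return Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open unwraps the file key with the private key and decrypts. OAEP
// decryption under the wrong private key fails outright rather than returning
// garbage, which is why the file key cannot be recovered from the envelope.
func Open(priv *rsa.PrivateKey, env Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("unwrap failed: wrong private key or corrupted envelope")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	pt := make([]byte, len(env.Ciphertext))
	cipher.NewCTR(block, env.Nonce).XORKeyStream(pt, env.Ciphertext)
	return pt, nil
}

// RoundTrip generates an operator key pair (2048-bit so the example runs in
// well under a second; the report cites RSA-4096), seals a constructed sample,
// and reports whether the holder of the matching private key, and the holder
// of an unrelated one, can recover it.
func RoundTrip() (withKey bool, withWrongKey bool, err error) {
	operator, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	stranger, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, false, err
	}
	sample := []byte("constructed sample: Q3 payroll export, not a real file")
	env, err := Seal(&operator.PublicKey, sample)
	if err != nil {
		return false, false, err
	}
	pt, err := Open(operator, env)
	withKey = err == nil && bytes.Equal(pt, sample)
	_, err = Open(stranger, env)
	withWrongKey = err == nil
	return withKey, withWrongKey, nil
}

func main() {
	ok, wrong, err := RoundTrip()
	fmt.Println("recovered with operator key:", ok, "| recovered with unrelated key:", wrong, "| error:", err)
}
```

The practical consequence for incident response follows from the structure: a memory image taken while the encryptor is still running may contain unwrapped file keys, but once the process exits only the RSA-wrapped copies remain, and no amount of offline analysis turns those back into file keys. That is why the recovery plan has to rest on backups the attacker could not reach.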
Qilin affiliates are also known to use credential-harvesting techniques, particularly targeting Chrome browser credentials through PowerShell scripts. This method typically follows the initial breach of a network, often achieved through phishing or leveraging previously compromised credentials from dark web sources.
Operating on a double extortion model, Qilin not only encrypts victims' data but also threatens to expose or sell it on a leak site if ransom demands remain unmet. Its affiliate program is notably lucrative, offering up to 80% of ransoms below $3 million and increasing to 85% for payments exceeding $3 million, fueling motivation among affiliates.
The frequency of Qilin attacks surged dramatically in early 2024, with the group claiming over 150 victims by the third quarter. Among their most impactful strikes was an attack on Synnovis, a UK healthcare provider, which resulted in widespread disruption to patient care within the National Health Service (NHS).
Qilin is considered a "big game hunter," primarily targeting high-value sectors such as healthcare and education, where entities often have the resources to meet ransom demands. Typical ransom amounts range from $50,000 to $800,000, with the affiliate share scaling as described above for the largest payments.
Prominent Qilin victims include Synnovis, NHS hospitals, Big Issue Group, Ditronics Financial Services, Daiwa House, ASIC S.A., Thonburi Energy Storage, SIIX Corporation, WT Partnership Asia, FSM Solicitors, Etairos Health, Commonwealth Sign, and Casa Santiveri.
Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.