Halcyon Threat Insights 011: December 2024 Ransomware Report

Research
Written by
Halcyon Customer Success
Published on
Dec 10, 2024

Here are the key insights from the Halcyon Threat Research and Intelligence Team findings for November 2024 based on intelligence collected from our customer base. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Threats Prevented by Industry Vertical

The IT, Finance, and Education sectors were the most targeted industry verticals in November 2024:

  • Information & Technology: 28% (+5% mo/mo)
  • Finance & Insurance: 13% (-15% mo/mo)
  • Education: 13% (Flat mo/mo)
  • Manufacturing: 13% (+4% mo/mo)
  • State & Local Government: 8% (+4% mo/mo)
  • Arts, Entertainment & Recreation: 8% (+2% mo/mo)
  • Healthcare & Pharmaceutical: 5% (Flat mo/mo)
  • Professional, Scientific & Technical Services: 3% (-1% mo/mo)
  • Retail Trade: 3% (Flat mo/mo)
  • Transportation & Warehousing: 2% (-2% mo/mo)
  • Utilities: 2% (+2% mo/mo)
  • Other: 1% (+0.5% mo/mo)
  • Accommodations & Food Services: 1% (+1% mo/mo)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that other security layers in our clients' environments had missed. Many of these threats are precursors to the delivery of the ransomware payload.

Ransomware Precursors: Hack Tools

Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:

Hacktool.msil/jalapeno: A tool developed using the Microsoft Intermediate Language (MSIL) designed to exploit system vulnerabilities, bypass security controls, or provide unauthorized access to protected systems. Once installed, it can perform various harmful actions, including privilege escalation, credential theft, or network exploitation. Some variants may include features that allow attackers to bypass software licensing restrictions, monitor user activity, or deploy additional malware payloads. It can create backdoors, enabling persistent unauthorized access to compromised systems. The tool’s ability to evade detection by some security solutions further amplifies its threat. Detecting and removing this tool promptly is critical to minimizing its impact.

Hacktool.kmsauto/msil: This tool operates by emulating a Key Management Service (KMS) to activate software without a legitimate license, allowing unauthorized use of paid software. It is written in the Microsoft Intermediate Language (MSIL), a code format used in .NET applications. Despite its legitimate functionality, the tool poses significant security risks. Attackers often bundle it with additional malware, such as keyloggers, trojans, or ransomware, to exploit users who download the tool from unverified sources.

Hacktool.autokms/kmsauto: A software utility designed to illegally activate Microsoft products, such as Windows and Office, without a valid license. The tool typically works by installing a local KMS emulator that activates the target software. To maintain activation, it may schedule periodic tasks on the system, which can interfere with normal operations. It is often bundled with additional malicious software, including adware, spyware, or trojans, posing a significant risk to users. Its use can lead to system instability, reduced security defenses, and exposure to data breaches. The tool's unauthorized modifications can also conflict with legitimate system updates, causing errors or functionality issues.

Hacktool.rdpwrap/radmin: A tool designed to modify or enable features in remote desktop services, often without proper authorization. These tools are commonly used to bypass restrictions on Remote Desktop Protocol (RDP) in Windows operating systems, enabling multiple concurrent remote desktop sessions or access to features typically reserved for licensed versions of Windows. RDPWrap modifies system files to enable additional RDP functionality, such as enabling RDP access on non-licensed Windows editions or allowing simultaneous connections. It is frequently misused by threat actors for unauthorized access, data theft, or system control. Modifications made by Hacktool.RDPWrap or misuse of Radmin may introduce vulnerabilities, leaving systems open to cyberattacks, such as brute force attacks or ransomware deployment.

Hacktool.incognito/nettool: A category of tools designed to manipulate network configurations, elevate privileges, or mask user activity on a network. These tools are often used by attackers to maintain unauthorized access, escalate user privileges, or conceal malicious actions. Hacktool.Incognito specifically targets privilege escalation, allowing users to gain unauthorized administrative rights or impersonate other users. It is commonly used to exploit weak access controls or poorly configured systems. It is often employed in reconnaissance or network exploitation phases of cyberattacks. When used maliciously, these tools can compromise system integrity, steal sensitive data, or disrupt network operations. Additionally, they may act as a gateway for deploying further malware or launching coordinated attacks.

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking Trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the Trojans identified include:

Trojan.weelsof/mikey: The primary functions of this Trojan include data theft, system manipulation, and unauthorized remote access. It may harvest sensitive information such as login credentials, banking details, or personal files, which can be exploited for financial gain or identity theft. Additionally, it can download and install other malware, such as ransomware or spyware, further compromising the system. It often disables security software and system defenses, making detection and removal challenging. In some cases, it may display fake warnings or lock the system entirely, demanding payment for restoration—actions characteristic of ransomware-like behavior.

Trojan.cosmu/xpiro: Once installed, it establishes itself deeply within the operating system, infecting executable files and spreading across the network to compromise other connected devices. Its primary objectives include stealing sensitive information, such as login credentials, financial data, and personal files. Additionally, it often creates backdoors, granting attackers unauthorized access to the infected system. These backdoors can be used to deploy other forms of malware, such as ransomware, keyloggers, or botnets. A distinguishing feature is its polymorphic nature, allowing it to change its code structure dynamically to avoid detection. This makes it particularly challenging to remove and a persistent threat even to well-secured environments.

Trojan.clipbanker/zusy: A type of Trojan malware designed to manipulate clipboard data, primarily targeting cryptocurrency transactions and other financial activities. The Trojan’s primary function is to monitor and intercept clipboard activity. When a user copies sensitive information, such as cryptocurrency wallet addresses or banking details, it replaces the copied content with an attacker-controlled value. For example, if a user attempts to send cryptocurrency to a specific wallet, the Trojan substitutes the intended address with the attacker’s address, diverting the funds without the user’s awareness. In addition to its clipboard manipulation capabilities, it may include spyware functionalities to harvest sensitive information, such as login credentials, or even serve as a delivery mechanism for additional malware.

Trojan.sasfis/processhijack: Once installed, it hijacks legitimate system processes to mask its activity, blending into the operating system’s normal operations. This tactic allows it to evade detection by security tools and remain active for extended periods. The Trojan is often used to download and execute additional payloads, including spyware, ransomware, or other forms of malware. It can also steal sensitive information such as login credentials, banking details, or personal files, which can then be exploited or sold on the dark web. In addition, the Trojan may weaken system defenses by disabling antivirus programs or altering system configurations, further exposing the system to subsequent attacks.

Trojan.apbcw/r002c0xcp24: Once installed, it establishes a foothold in the operating system by disguising itself as a legitimate process or system file. Its primary objectives include data theft, surveillance, and system compromise. It may harvest sensitive information such as passwords, financial data, or personal documents. Additionally, it can serve as a gateway for other malware, such as ransomware, spyware, or botnet components. This Trojan is also known for its ability to disable or bypass security software, making removal more challenging. It may create backdoors to provide attackers with persistent remote access, allowing them to control the infected system, monitor user activity, or deploy further attacks.

Ransomware Payloads  

Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:

Trojan.diskwriter/lfbzh: A highly destructive ransomware wiper designed to manipulate or overwrite disk data on compromised systems. It can overwrite, delete, or encrypt critical files, rendering them unusable. In some cases, it may modify the system's master boot record (MBR) or partition tables, leading to complete system failure or preventing the operating system from booting. These actions often serve as a precursor to further malicious activities, such as ransomware attacks or data theft. It may also create backdoors, enabling attackers to remotely access the system for surveillance, data exfiltration, or further malware deployment. Its ability to disable security defenses and evade detection makes it particularly challenging to counter.

Trojan.rook/abysslocker: This payload establishes a foothold in the infected system by exploiting system vulnerabilities or misconfigurations. It can evade detection by masquerading as legitimate processes and employing obfuscation techniques. In addition to ransomware functionality, this Trojan often installs backdoors, granting attackers persistent remote access to the compromised system. These backdoors can be used for further data theft, espionage, or additional malware deployment. The impact of this ransomware can be devastating to an organization, resulting in data loss, operational disruption, financial impact, regulatory actions, legal liability and brand damage.

Ransomware.msil/msilperseus: A ransomware strain developed using the Microsoft Intermediate Language (MSIL), a code format utilized in .NET applications. Known for its aggressive encryption capabilities and stealthy delivery mechanisms, this ransomware is a significant threat to individuals and organizations. It targets a wide range of file types, including documents, images, databases, and backups. A defining characteristic is its ability to evade detection by antivirus software through advanced obfuscation and polymorphic techniques, making it challenging to identify and remove. In some cases, it also disables system recovery options and deletes shadow copies to prevent victims from restoring their files.

Ransomware.incransom/imps: Its stealthy nature and aggressive encryption mechanisms make it a significant threat to individuals, businesses, and organizations. Once executed, it can scan the victim's system for valuable files, including documents, images, videos, and databases. Using strong encryption algorithms, it locks these files, rendering them inaccessible. A defining characteristic of IncRansom/IMPS is its ability to evade detection through advanced obfuscation techniques and its capability to disable security defenses such as antivirus software or firewalls. Additionally, it may delete backups or shadow copies to prevent file recovery without paying the ransom.

Ransomware.embargo/barys: Upon infection, it scans the system for valuable files, including documents, databases, images, and backups. It uses robust encryption algorithms to lock these files, making them inaccessible to the user. A notable feature of Embargo/Barys is its ability to evade detection using advanced obfuscation techniques and by disabling security defenses such as antivirus software and firewalls. It may also delete shadow copies and backups to prevent victims from recovering their files independently.

November Ransomware News

  • RansomHub Claims Attack on Government of Mexico: The ransomware group RansomHub, linked to Russian actors, has claimed responsibility for a cyberattack on Mexico's gob.mx website, alleging the exfiltration of 313 GB of sensitive data.  

Halcyon Attacks Lookout Statistics

The Halcyon Attacks Lookout resource provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month, including details on the attackers, victims, industry verticals, geolocations impacted and more. Here’s a snapshot of attack activity in the month of November:

Threat Actor Spotlight: INC Ransom

According to the Power Rankings: Ransomware Malicious Quartile report, INC is a ransomware group that emerged in mid-2023 and presents a complex operational profile. It remains unclear whether they function as a Ransomware-as-a-Service (RaaS) platform with affiliates or as a closed, internally managed group.

They employ well-known tactics, techniques, and procedures (TTPs), including the use of compromised Remote Desktop Protocol (RDP) credentials for initial access and lateral movement. Initial infections are often traced to phishing campaigns or exploitation of the Citrix NetScaler vulnerability (CVE-2023-3519).  

Despite their criminal activities, INC Ransom brands itself as a "moral agent," claiming to help victims identify cybersecurity weaknesses, a narrative that adds nuance to their motives.  

They deploy ransomware using Living-off-the-Land (LOTL) techniques, leveraging legitimate tools such as WMIC and PsExec, and common applications like MSPaint, Notepad, and AnyDesk, for lateral movement. For reconnaissance they use tools like Esentutl, and for data exfiltration they use MegaSync, hinting at a strategic use of cloud services.

The ransomware, written in C++, employs AES-128 encryption in CTR mode, with a Linux variant also reported. They may delete Volume Shadow Copies (VSS) to complicate recovery and encryption rollback, showcasing a degree of sophistication.
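Several of the behaviours described on this page recur across families: the payload descriptions above note shadow copy deletion to block recovery, and the INC Ransom profile adds LOTL remote execution (WMIC, PsExec) plus AnyDesk and MegaSync for access and exfiltration. The following is an added example, not Halcyon's code or any detection content from the report, showing how a defender might encode those precursors as rules over process-creation telemetry. The pipe-delimited log format, the host and user names, and every sample event are constructed for the illustration; the command-line patterns are the standard `vssadmin` and `wmic shadowcopy` forms and the PsExec and `wmic /node:` remote-execution forms, which you would map onto your own Sysmon or 4688 fields before use.

```python
"""Rule-based triage of process-creation events for ransomware precursors.

Added example (not Halcyon's code). Log format and sample events are
constructed; field layout: timestamp|host|user|parent_image|image|command_line
"""
import re
from dataclasses import dataclass

# Constructed sample telemetry: two hosts show precursor activity, one is benign.
SAMPLE_EVENTS = r"""
2024-11-18T02:14:07Z|FS01|CORP\svc_backup|cmd.exe|vssadmin.exe|vssadmin.exe Delete Shadows /All /Quiet
2024-11-18T02:14:09Z|FS01|CORP\svc_backup|cmd.exe|wmic.exe|wmic shadowcopy delete
2024-11-18T02:10:41Z|WS117|CORP\jdoe|explorer.exe|PsExec.exe|PsExec.exe \\FS01 -s cmd.exe
2024-11-18T02:11:03Z|WS117|CORP\jdoe|cmd.exe|wmic.exe|wmic /node:FS01 process call create "notepad.exe"
2024-11-17T23:55:12Z|WS117|CORP\jdoe|explorer.exe|AnyDesk.exe|AnyDesk.exe --start-with-win
2024-11-17T23:58:30Z|WS117|CORP\jdoe|explorer.exe|MEGAsync.exe|MEGAsync.exe
2024-11-18T08:00:00Z|WS042|CORP\asmith|explorer.exe|notepad.exe|notepad.exe notes.txt
2024-11-18T08:05:00Z|WS042|CORP\asmith|cmd.exe|wmic.exe|wmic os get caption
"""


@dataclass(frozen=True)
class Event:
    ts: str
    host: str
    user: str
    parent: str
    image: str
    cmdline: str


@dataclass(frozen=True)
class Rule:
    name: str
    severity: str
    pattern: re.Pattern


# Each rule targets a behaviour named in the report, matched on the command line.
RULES = [
    # Shadow copy deletion: the recovery-blocking step seen in the payload descriptions.
    Rule("shadow_copy_deletion", "critical",
         re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    # LOTL remote execution: PsExec against a UNC target, or WMIC process creation on another node.
    Rule("lotl_remote_exec", "high",
         re.compile(r"psexec(\.exe)?\s+\\\\|wmic(\.exe)?\s+/node:\S+\s+process\s+call\s+create", re.I)),
    # Remote-access tooling used for persistence and lateral movement.
    Rule("remote_access_tool", "medium", re.compile(r"\banydesk\.exe\b", re.I)),
    # Cloud-sync client associated with data exfiltration.
    Rule("cloud_sync_tool", "medium", re.compile(r"\bmegasync\.exe\b", re.I)),
]


def parse_events(text: str) -> list[Event]:
    """Parse the constructed pipe-delimited format; the command line may itself contain no pipes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError(f"malformed event: {line!r}")
        events.append(Event(*parts))
    return events


def evaluate(events: list[Event]) -> list[tuple[str, str, str, str]]:
    """Return (rule_name, severity, host, timestamp) for every rule that fires on an event."""
    findings = []
    for ev in events:
        for rule in RULES:
            if rule.pattern.search(ev.cmdline):
                findings.append((rule.name, rule.severity, ev.host, ev.ts))
    return findings


def triage(findings) -> dict[str, set[str]]:
    """Group distinct rule hits per host so responders see the chain, not isolated alerts."""
    by_host: dict[str, set[str]] = {}
    for name, _severity, host, _ts in findings:
        by_host.setdefault(host, set()).add(name)
    return by_host


def prioritized_hosts(findings) -> list[str]:
    """Hosts with a critical hit, or with two or more distinct precursor behaviours."""
    critical = {host for name, sev, host, _ in findings if sev == "critical"}
    chained = {host for host, names in triage(findings).items() if len(names) >= 2}
    return sorted(critical | chained)


if __name__ == "__main__":
    hits = evaluate(parse_events(SAMPLE_EVENTS))
    for hit in hits:
        print(hit)
    print("prioritize:", prioritized_hosts(hits))
```

The point of `triage` and `prioritized_hosts` is that the individual tools are dual-use: a single AnyDesk or WMIC event is noise on most networks, but a workstation that shows remote execution plus a remote-access client plus a cloud-sync client, followed by shadow copy deletion on the file server it reached, is the sequence this report describes and should be escalated as one incident.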

INC Ransom uses double extortion tactics, threatening to publish stolen data if victims do not comply. Their leak site serves as a platform to follow through on these threats.  

Targeting industries ranging from education and IT to manufacturing and the public sector, INC Ransom has escalated its attack frequency into early 2024, underscoring the growing threat of this adaptable and aggressive group.  

Notable victims include Peruvian Army, NHS Scotland, Xerox, Trylon Corp, BPG Partners Group, DM Civil, Nicole Miller INC., Pro Metals, Springfield Area Chamber of Commerce, US Federal Labor Relations Authority, Yamaha Philippines, and Rockford Public Schools.

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.
