Last Week in Ransomware: 08.12.2024
Last week in ransomware news: Dark Angels netted a record $75M ransom, Play debuted a Linux variant, UK healthcare services won’t fully recover until fall, and new threat actors emerged...
UK Healthcare Still Recovering from Attack
Synnovis, a blood testing partnership in the UK, has revealed that its blood transfusion services may not fully recover from a recent ransomware attack until the fall.
The attack disabled 60 critical systems, leading to widespread disruptions, including the cancellation of hundreds of surgeries and thousands of appointments.
Although many systems have been restored, the impact on blood transfusion services has been significant, prompting the NHS to issue an urgent appeal for blood donors due to unprecedentedly low blood stock levels.
Synnovis, a collaboration between several NHS trusts and Synlab, a commercial testing firm, has made progress in reconnecting laboratories to electronic systems for test orders and results.
Core services at major hospitals, including King’s College and Princess Royal University Hospitals, have been restored, with similar progress expected at other hospitals soon.
The attack highlights the increasing threat of ransomware on healthcare providers, with research indicating that such attacks have led to a rise in mortality rates.
These cybercrimes are not only financially motivated but are also suspected of advancing geopolitical interests, particularly those of Russia, making them a significant national security concern.
Play Releases Linux Variant
The Play ransomware gang has introduced a new Linux variant targeting VMware ESXi virtual machines, a crucial infrastructure component for many enterprises.
This variant is designed to first verify that it is running in an ESXi environment before executing its payload, which helps it avoid detection on Linux systems that are not its intended target.
By focusing on ESXi VMs, the attackers aim to cause significant business disruptions, making it harder for victims to recover data, thereby increasing the likelihood of successful ransom payments.
The shift towards targeting Linux servers by ransomware groups like Play is significant. Linux systems, which power about 80% of web servers and are integral to critical infrastructure, offer attackers strategic advantages.
The open-source nature of Linux allows attackers to understand and exploit system operations deeply. Moreover, the "always on" characteristic of Linux servers makes them particularly attractive targets, as compromising these systems can lead to widespread network infiltration.
The growing focus on Linux by ransomware groups is alarming, given that many security solutions do not adequately cover Linux environments.
Without enhanced defenses, the potential for devastating disruptions from such attacks is high. Proactive measures are essential to mitigate these risks and protect critical systems from catastrophic consequences.
Dark Angels Net Record Ransom
The Dark Angels ransomware group has reportedly set a new record by securing a $75 million ransom payment from an unnamed Fortune 50 company, according to BleepingComputer.
This figure surpasses the previous highest ransom payment of $40 million made by the insurance firm CNA to the Evil Corp ransomware group.
Blockchain research firm Chainalysis confirmed the unprecedented scale of this payment. Although the specific company affected has not been disclosed, speculation suggests a possible link to a major pharmaceutical company, Cencora, which was compromised in February 2024.
However, no group has claimed responsibility for that attack, leaving the connection to Dark Angels unconfirmed.
Active since May 2022, Dark Angels has been involved in several high-profile ransom demands, including a failed attempt to secure $51 million in September 2023.
This record-breaking ransom highlights the escalating threat posed by ransomware groups, especially those targeting high-value organizations.
The evolution of Ransomware-as-a-Service (RaaS) platforms underscores the ongoing challenges faced by organizations in defending against increasingly sophisticated attacks.
Ransomware groups continue to enhance their tactics, focusing on cloud installations and data backups, which many organizations wrongly assume to be secure.
The growing disparity between attacker capabilities and organizational defenses emphasizes the urgent need for new approaches to mitigate this expanding threat.
July Emerging Threat Actors
In June and July 2024, the ransomware landscape saw the rise of several prominent groups targeting a range of industries. Notable among them were BrainCipher, Mad Liberator, RansomCortex, SenSayQ, and Cicada3301, each employing distinct tactics, techniques, and procedures (TTPs) to attack high-profile organizations.
BrainCipher and Mad Liberator are notorious for deploying ransomware and engaging in data exfiltration. BrainCipher's attack on Indonesia's National Data Center disrupted vital services, while Mad Liberator's breach of the Italian Ministry of Culture underscored their dual focus on encryption and data theft.
These groups’ use of encryption and phishing highlights the critical need for robust cybersecurity measures to protect sensitive data.
RansomCortex operates as a Ransomware-as-a-Service (RaaS) provider, offering tools and infrastructure to affiliate attackers.
This model has lowered the barrier to entry for cybercriminals, resulting in more frequent ransomware incidents. RansomCortex's attacks on healthcare facilities in Brazil and Canada illustrate the growing threat from collaborative and scalable ransomware operations.
Cicada3301 functions as a data extortion group, focusing on stealing and selling sensitive information rather than deploying ransomware.
Their actions have led to long-term damage through identity theft and corporate espionage. Meanwhile, SenSayQ blends traditional ransomware tactics with innovative techniques, making it increasingly difficult for organizations to defend against their attacks.
As ransomware threats continue to evolve, understanding each group’s unique strategies is crucial for developing effective cybersecurity defenses and staying ahead of cybercriminals' ever-changing tactics.
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.