Last Week in Ransomware: 09.02.2024
Last week in ransomware news we saw Qilin harvest VPN credentials in Chrome, Hunters International threaten to publish US Marshals data, and RansomHub connected to the Halliburton attack...
Qilin Harvests VPN Credentials in Chrome
In July 2024, a sophisticated Qilin ransomware attack was observed stealing credentials stored in Google Chrome browsers on compromised endpoints. The attackers gained access to the target network by exploiting compromised VPN credentials lacking multi-factor authentication (MFA).
After 18 days, they performed post-exploitation actions, including modifying the default domain policy on a domain controller.
They introduced a logon-based Group Policy Object (GPO) containing two scripts: a PowerShell script ("IPScanner.ps1") designed to harvest credentials from Chrome, and a batch script ("logon.bat") that executed the PowerShell script upon user login.
The GPO remained active for over three days, during which time users unknowingly triggered the credential-harvesting process every time they logged in.
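A defender-side check that fits the GPO logon-script technique described above: scan the scripts in a domain's SYSVOL Policies tree and flag logon- or startup-scoped scripts that either read Chrome's saved-credential store or are batch wrappers that hand execution to PowerShell (the logon.bat / IPScanner.ps1 pairing in the incident). This is an added example, not code from Halcyon or from the incident analysis; the SYSVOL paths, the GPO GUID placeholder and the script bodies are constructed for illustration, and only the Chrome file names (Login Data, Local State) and the DPAPI Unprotect call are real on-disk artifacts.

```python
"""Hunt SYSVOL logon/startup scripts for Chrome credential-store access.

Added example. Sample paths and script bodies below are constructed; the
Chrome file names and the DPAPI call are the real artifacts a harvester touches.
"""
import re
from pathlib import Path
from typing import Dict, List

# Strings that indicate a script is reading Chrome's saved-credential store.
CHROME_STORE_PATTERNS = [
    r"Google\\Chrome\\User Data",      # Chrome profile root
    r"Login Data",                     # SQLite DB holding saved logins
    r"Local State",                    # JSON holding the DPAPI-wrapped key
    r"os_crypt",                       # key name inside Local State
    r"ProtectedData\]::Unprotect",     # DPAPI unwrap from PowerShell
]

# A batch wrapper handing execution to PowerShell via -File/-Command/-EncodedCommand.
POWERSHELL_LAUNCH = re.compile(r"(?i)powershell(\.exe)?\s.*-(File|EncodedCommand|Command)\b")

# Scripts under <GPO>\User\Scripts\Logon or <GPO>\Machine\Scripts\Startup run for
# every user or machine the GPO is linked to.
LOGON_SCOPE = re.compile(r"(?i)[\\/]Scripts[\\/](Logon|Startup)[\\/]")


def classify_script(path: str, body: str) -> dict:
    """Describe one script: where it runs and which indicators it contains."""
    chrome_hits = [p for p in CHROME_STORE_PATTERNS if re.search(p, body, re.IGNORECASE)]
    return {
        "path": path,
        "logon_scope": bool(LOGON_SCOPE.search(path)),
        "launches_powershell": bool(POWERSHELL_LAUNCH.search(body)),
        "chrome_indicators": chrome_hits,
    }


def scan_scripts(scripts: Dict[str, str], min_chrome_hits: int = 2) -> List[dict]:
    """Return the scripts worth an analyst's attention, most suspicious first."""
    findings = []
    for path, body in scripts.items():
        c = classify_script(path, body)
        # A script reading Chrome's store is the harvester half of the incident;
        # a logon-scope batch file that only hands off to PowerShell is the
        # wrapper half and deserves a look on its own.
        if len(c["chrome_indicators"]) >= min_chrome_hits:
            c["verdict"] = "chrome-credential-access"
        elif c["logon_scope"] and c["launches_powershell"]:
            c["verdict"] = "logon-powershell-wrapper"
        else:
            continue
        findings.append(c)
    findings.sort(key=lambda f: (f["verdict"] != "chrome-credential-access", f["path"]))
    return findings


def scan_sysvol(root: str) -> List[dict]:
    """Walk a SYSVOL Policies folder and scan every script it contains."""
    scripts = {}
    for p in Path(root).rglob("*"):
        if p.suffix.lower() in {".ps1", ".bat", ".cmd", ".vbs"}:
            try:
                scripts[str(p)] = p.read_text(errors="ignore")
            except OSError:
                continue
    return scan_scripts(scripts)


# Constructed sample: one malicious wrapper/harvester pair plus two benign scripts.
GPO = "\\\\corp.example\\SYSVOL\\corp.example\\Policies\\{GUID-PLACEHOLDER}"
SAMPLE_SCRIPTS = {
    GPO + "\\User\\Scripts\\Logon\\logon.bat":
        "@echo off\r\n"
        "powershell.exe -NoProfile -ExecutionPolicy Bypass -File "
        + GPO + "\\User\\Scripts\\Logon\\IPScanner.ps1\r\n",
    GPO + "\\User\\Scripts\\Logon\\IPScanner.ps1":
        "$profile = \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Default\"\n"
        "Copy-Item \"$profile\\Login Data\" $env:TEMP\\ld.db\n"
        "$state = Get-Content \"$env:LOCALAPPDATA\\Google\\Chrome\\User Data\\Local State\" | ConvertFrom-Json\n"
        "$key = [System.Security.Cryptography.ProtectedData]::Unprotect($k, $null, 'CurrentUser')\n",
    GPO + "\\User\\Scripts\\Logon\\mapdrives.bat":
        "@echo off\r\nnet use H: \\\\fileserver\\home\\%USERNAME% /persistent:no\r\n",
    GPO + "\\Machine\\Scripts\\Startup\\inventory.ps1":
        "Get-CimInstance Win32_OperatingSystem | Export-Csv \\\\inv\\share\\$env:COMPUTERNAME.csv\n",
}

if __name__ == "__main__":
    for f in scan_scripts(SAMPLE_SCRIPTS):
        print(f["verdict"], f["path"], f["chrome_indicators"])
```

Run scan_sysvol() against each domain's Policies share on a schedule and diff the findings against the previous run; the logon-powershell-wrapper verdict alone is noisy in environments that legitimately deploy PowerShell from logon scripts, so pair it with the GPO's modification time and the account that made the change.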
This attack exemplifies a significant escalation in attack sophistication, combining ransomware with credential harvesting.
Qilin, a Ransomware-as-a-Service (RaaS) operation, first emerged in July 2022, using Go and Rust programming languages. It targets both Windows and Linux systems and exploits vulnerable applications, including Remote Desktop Protocol (RDP).
Qilin operations include data exfiltration for double extortion, with an affiliate program offering up to 85% of ransoms over $3 million.
Qilin is a "big game hunter," targeting sectors like healthcare and education with ransom demands in the millions. Notable victims include Ditronics Financial Services and Daiwa House, among others.
Hunters to Publish US Marshals Data
Hunters International, a ransomware group that emerged in October 2023, is threatening to leak 386 GB of sensitive data from the U.S. Marshals Service (USMS), including “Top Secret” documents and information from the 2022 drug enforcement operation “Operation Turnbuckle.”
The group has demanded a ransom from the USMS, with a deadline of August 30. However, a USMS spokesperson indicated that the data might not stem from a new breach.
The USMS previously experienced a significant ransomware attack in February 2023, affecting systems containing legal and administrative data, although the Witness Security Program was reportedly unaffected. No group had claimed responsibility for that attack until now.
The authenticity of the data claimed by Hunters International and how they obtained it remains uncertain. The group has connections to the Hive ransomware operation, which was dismantled in early 2023.
Hunters International reportedly purchased Hive’s source code and infrastructure, allowing them to leverage Hive’s advanced data exfiltration and double extortion techniques. The group targets sectors with a high likelihood of paying ransoms, such as healthcare, financial services, and critical infrastructure.
Hunters International uses Rust, a secure programming language, to evade security tools and has developed ransomware variants targeting both Windows and Linux systems.
Despite being relatively new, the group has quickly escalated its operations, using double extortion tactics and offering profit-sharing incentives to affiliates, leading to increased attack frequency across various industries and regions. High-profile targets have included Toyota Brazil and Frederick Wildman and Sons.
RansomHub Connected to Halliburton Attack
The RansomHub ransomware gang is reportedly behind a major cyberattack on Halliburton, a leading oil and gas services company, on August 21, 2024.
The attack severely disrupted Halliburton's IT systems, hindering business operations, including the generation of invoices and purchase orders, causing significant delays. Halliburton acknowledged the breach in an SEC filing, confirming that an unauthorized third party accessed their systems.
The company activated its cybersecurity response plan, involving internal and external experts, but provided few details about the incident, leaving customers uncertain about the potential impact. This lack of communication has led some customers to sever ties with Halliburton as they assess their own vulnerabilities.
Other companies in the oil and gas sector have sought guidance from the Oil and Natural Gas Information Sharing and Analysis Center (ONG-ISAC) to determine if they were also breached.
Speculation about RansomHub's involvement surfaced on platforms like Reddit and TheLayoff, with users sharing a partial ransom note. Halliburton has been cautious in its communications, only confirming through an email to suppliers that they had proactively taken systems offline and were working with a cybersecurity firm to investigate the incident.
RansomHub, a Ransomware-as-a-Service (RaaS) platform that emerged in early 2024, has quickly gained notoriety for its impactful attacks. The group’s code is based on the now-defunct Knight ransomware and is written in Golang.
RansomHub affiliates can retain up to 90% of ransom proceeds, and the group enforces strict policies on compliance during negotiations. RansomHub has attracted affiliates from disbanded ransomware groups, expanding its operational capacity and making substantial ransom demands, as evidenced by a $22 million demand from Change Healthcare.
The group strategically targets large organizations with valuable data, focusing initially on the healthcare sector. Notable victims include Christie’s Auction House and Frontier Communications.
Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.