Last Week in Ransomware: 09.09.2024

Last week in ransomware news we saw RansomHub exfiltrate sensitive Planned Parenthood data, new Cicada3301 Linux ransomware variant, and victims who paid ransoms suffer multiple attacks...

RansomHub Steals Planned Parenthood Data

In late August 2024, Planned Parenthood of Montana fell victim to a ransomware attack by the cybercriminal group RansomHub, which claims to have stolen 93 gigabytes of data.  

The breach was discovered on August 28, prompting the organization to activate its response protocols and take parts of its network offline. Planned Parenthood's CEO, Martha Fuller, confirmed that federal authorities had been notified, and the group is investigating the breach.  

RansomHub, which has been responsible for over 230 attacks since its emergence in February 2024, has given the organization until September 11 to pay an undisclosed ransom, threatening to publish the data if the demand is unmet. Fortunately, no private patient information has been compromised so far.

This attack comes shortly after Montana's abortion rights initiative secured enough signatures to appear on the November ballot, raising concerns about the potential political motivations behind the breach. Fuller reassured the public that the organization is treating the matter with the utmost seriousness.

RansomHub's attack on Planned Parenthood underscores the increasing threat ransomware poses, particularly to critical sectors like healthcare. Beyond the financial implications, ransomware attacks have been linked to disruptions in medical services, resulting in worsened patient outcomes and, in severe cases, increased mortality rates.  

The potential exposure of private health data compounds the threat, as sensitive medical records could be weaponized to extort victims further. This evolving cyber threat demands a more robust response from the U.S. government.  

Current frameworks remain inadequate to address the severity of ransomware as it transforms into a highly organized, multi-billion-dollar criminal industry with devastating consequences for its victims.  

Strong deterrence measures, both domestically and internationally, are necessary to curb these attacks and protect vulnerable individuals and organizations from ongoing exploitation.

READ MORE HERE

New Cicada Linux Ransomware Variant Seen

A recently emerging ransomware-as-a-service (RaaS) operation is falsely using the name and logo of Cicada 3301, a group famous for cryptographic puzzles between 2012 and 2014, though it has no real connection to the original project.  

This cybercriminal group has already targeted 19 companies globally, threatening them through its extortion portal. Analysis suggests the ransomware shares technical characteristics with BlackCat/ALPHV, hinting at a possible rebranding or fork by former developers of BlackCat/ALPHV.  

Both ransomware variants are written in Rust, utilize the ChaCha20 encryption algorithm, and employ similar encryption methods and shutdown commands.

Following BlackCat/ALPHV’s exit scam in March 2024, where they disappeared with $22 million after falsely claiming an FBI takedown, there are signs that the Cicada3301 ransomware group is working with the Brutus botnet operators.  

This botnet specializes in VPN brute-forcing and emerged shortly after ALPHV’s shutdown, further suggesting a link.

Unlike traditional ransomware operations, Cicada3301 focuses more on data exfiltration and monetization rather than ransom payments. The group sells stolen data on dark web marketplaces and applies pressure by threatening to release sensitive information.  

Their attacks, characterized by deep reconnaissance, unpatched system exploitation, and custom scripts, target organizations with valuable intellectual property, client data, and proprietary information, often causing more damage through data theft than traditional ransomware encryption.

READ MORE HERE

Victims Who Paid Suffered Multiple Attacks

A recent survey of nearly 1,000 IT and security professionals highlights a concerning rise in ransomware attacks, with many organizations facing repeated assaults.  

According to the Insurance Journal, 74% of respondents who experienced ransomware attacks in the past 12 months were hit multiple times, sometimes within days.  

The financial burden is severe, as 78% of these organizations paid the ransom, with 72% making multiple payments. Alarmingly, 33% paid ransoms four or more times.

Despite paying the ransom, 87% of businesses still experienced significant disruptions, including data loss and prolonged downtime, with 16% of incidents posing life-or-death risks. Furthermore, 35% of victims who paid did not receive functional decryption keys, intensifying the impact.

These findings mirror a report by Halcyon, which revealed that ransomware attacks have become frequent and severe over the past two years. According to the Ransomware and Data Extortion Business Risk Report, 18% of respondents faced 10 or more infections, with data exfiltration becoming a common tactic.  

Around 60% of organizations reported that sensitive data had been stolen, and over half were asked to pay additional ransoms to prevent data leaks. As a result, 58% of organizations faced heightened risks of regulatory action and lawsuits.

Despite these challenges, many businesses remain overconfident in their defenses. While 88% believed their security measures could block ransomware, over one-third were attacked multiple times. Moreover, 62% of organizations experienced severe operational disruptions, lasting from two months to over six months.

The report underscored that ransomware defenses remain inadequate, even among companies running prevention tools. Among those paying ransoms, 78% received unusable decryption keys, and 59% spent over $1 million on incident response.  

Additionally, cyber insurance premiums rose sharply for 39% of organizations following an attack, emphasizing the lasting impact of ransomware on business viability and competitiveness.

READ MORE HERE

‍

Halcyon.ai is the leading anti-ransomware company. Global 2000 companies rely on the Halcyon platform to defeat ransomware with minimal business disruption through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration and extortion prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Recent Ransomware Attacks resource site.