Last Week in Ransomware: 11.25.2024
Last week in ransomware news we saw a ransomware attack expose data for 133,000 people, an attack disrupt American Associated Pharmacies, and a RansomHub attack on the government of Mexico...
Ransomware Attack Exposes Data for 133,000
In September 2024, Great Plains Regional Medical Center, a 62-bed not-for-profit hospital in Elk City, Oklahoma, fell victim to a ransomware attack that encrypted files and exfiltrated sensitive data from September 5 to 8.
This hospital serves Western Oklahoma and the Eastern Texas Panhandle, providing critical healthcare services, including 24-hour emergency care. Despite swift system restoration, some patient data remains unrecoverable.
Exposed information includes names, Social Security and driver’s license numbers, demographic details, health insurance data, and medical records such as diagnoses and medications.
The attack affected 133,149 individuals, who have been offered free credit monitoring. No ransomware group has claimed responsibility, but the breach has been reported to the U.S. Department of Health and Human Services.
This incident underscores the dire impact ransomware attacks have on patient care, privacy, and outcomes, including increased mortality rates linked to healthcare disruptions.
The attack highlights the dual threat posed by cybercriminals who paralyze healthcare systems and weaponize stolen data for extortion. Patients face the trauma of their private health information being exploited.
This escalating trend emphasizes the urgent need for coordinated national and international strategies to combat ransomware, which has evolved into a critical national security and humanitarian crisis.
Attack Disrupts American Associated Pharmacies
The Embargo ransomware group, a relatively new but highly sophisticated actor, has claimed responsibility for targeting American Associated Pharmacies (AAP), a network of over 2,000 independent pharmacies in Scottsboro, AL.
Embargo alleges it stole 1.5 TB of data, encrypted systems, and demanded $1.3 million for decryption keys, which AAP reportedly paid. Now, the group is demanding an additional $1.3 million to prevent the release of the stolen data, doubling the average ransom demand, as reported by HIPAA Journal.
While AAP has not confirmed the attack, password resets and limited website functionality suggest a breach response.
Embargo, active since June 2024, operates under a ransomware-as-a-service (RaaS) model: the core group develops the ransomware, and affiliates such as Storm-0501 carry out the attacks. Written in Rust, the ransomware employs encryption primitives such as ChaCha20 and Curve25519, adding the ".564ba1" extension to encrypted files.
Embargo's arsenal includes customized tools like MDeployer, a loader, and MS4Killer, an EDR killer, allowing precise bypass of security defenses. Their double-extortion strategy pressures victims to pay not only for decryption but also to prevent data leaks.
The group has aggressively targeted healthcare and critical infrastructure. Recent victims include Memorial Hospital and Manor in Georgia, which experienced significant disruptions, and Weiser Memorial Hospital in Idaho, where stolen data was leaked online.
Embargo’s approach increasingly exploits hybrid cloud environments, enabling lateral network movement, extensive data theft, and ransomware deployment.
These attacks underscore the rising threat of ransomware, highlighting the critical need for robust cybersecurity measures and coordinated responses to mitigate such advanced threats.
RansomHub Attacks Government of Mexico
The ransomware group RansomHub, linked to Russian actors, has claimed responsibility for a cyberattack on Mexico's federal government website, gob.mx, exfiltrating 313 GB of sensitive data.
Announced on the group’s dark web blog, the breach includes personal information of federal employees—such as names, job titles, headshots, and ID numbers—along with signed government documents from 2023.
Notable files include a transportation contract worth $100,000 and a document addressed to Mexico’s Director of IT and Communications, Mario Gavina Morales. The group has threatened to release the data in ten days unless an undisclosed ransom is paid.
RansomHub is a ransomware-as-a-service (RaaS) platform that emerged in early 2024 and quickly gained prominence. Originally suspected of ties to LockBit, the group’s ransomware code is linked to the now-defunct Knight group, whose codebase was sold in February 2024, accelerating RansomHub’s development.
Written in Golang, the ransomware integrates advanced features and offers affiliates up to 90% of ransom payments, making it highly appealing. RansomHub’s operations are marked by strict compliance policies for affiliates, a versatile codebase, and targeted double-extortion tactics.
Known for high-value targets, the group has demanded ransoms as high as $22 million, as seen with Change Healthcare. By Q3 2024, RansomHub had become a major player in the ransomware ecosystem, leveraging the decline of other groups and executing impactful attacks on prominent organizations, including Christie’s Auction House and Frontier Communications.
INC Infiltrates Hungarian Defense Network
The Hungarian government disclosed a cyberattack on its defense procurement agency on November 14, 2024, involving foreign non-state actors. The breach, attributed to the INC Ransomware group, exposed contracts detailing the Hungarian Army’s air and land capabilities.
While officials stated no sensitive data was compromised, cybersecurity expert Akhil Mittal noted the strategic value of procurement details, which can reveal future defense strategies and financial priorities. INC Ransom demanded $5 million and leaked screenshots of the data on the dark web.
INC Ransom emerged in mid-2023, employing double extortion tactics that involve encrypting data and threatening to publish stolen information. They use compromised Remote Desktop Protocol (RDP) credentials, phishing campaigns, and vulnerabilities like Citrix NetScaler (CVE-2023-3519) for initial access.
Their tactics also include Living-off-the-Land (LOTL) techniques, leveraging legitimate tools like WMIC, PsExec, and AnyDesk for lateral movement, and MegaSync for data exfiltration. The ransomware, written in C++, uses AES-128 encryption, with a Linux variant also identified.
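Two of the indicators named above (Embargo's ".564ba1" extension and INC Ransom's PsExec/WMIC/AnyDesk then MegaSync tool chain) translate directly into simple telemetry-correlation detections. The script below is an added example, not code from the article or from Halcyon: it runs over constructed file-rename and process-start events (the event tuple layout, host names and thresholds are assumptions) and flags a burst of renames to the Embargo extension on one host, and a lateral-movement tool followed within an hour by an exfiltration tool on the same host.

```python
from collections import defaultdict
from datetime import datetime, timedelta

EMBARGO_EXT = ".564ba1"                                  # extension named in the Embargo write-up
LOTL_TOOLS = {"psexec.exe", "wmic.exe", "anydesk.exe"}   # INC lateral-movement tooling
EXFIL_TOOLS = {"megasync.exe"}                           # INC exfiltration tooling
# Constructed sample telemetry, not from the article: (timestamp, host, kind, detail)
SAMPLE_EVENTS = [
    ("2024-11-20T02:14:00", "ws-07", "process", "PsExec.exe"),
    ("2024-11-20T02:15:10", "ws-07", "process", "wmic.exe"),
    ("2024-11-20T02:40:00", "ws-07", "process", "MEGAsync.exe"),
    ("2024-11-20T03:01:00", "fs-01", "rename", "Q3_report.xlsx.564ba1"),
    ("2024-11-20T03:01:02", "fs-01", "rename", "payroll.csv.564ba1"),
    ("2024-11-20T03:01:05", "fs-01", "rename", "scan_0091.pdf.564ba1"),
    ("2024-11-20T03:01:07", "fs-01", "rename", "notes.docx.564ba1"),
    ("2024-11-20T09:00:00", "ws-12", "process", "anydesk.exe"),  # remote tool, no exfil follow-up
]

def detect_extension_burst(events, ext=EMBARGO_EXT, threshold=4, window=timedelta(minutes=10)):
    """Hosts where at least `threshold` files gain `ext` inside `window` (mass-encryption pattern)."""
    renames = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "rename" and detail.lower().endswith(ext):
            renames[host].append(datetime.fromisoformat(ts))
    hits = []
    for host, times in renames.items():
        times.sort()
        for i, start in enumerate(times):
            # count renames in the window that opens at this rename
            in_window = sum(1 for t in times[i:] if t - start <= window)
            if in_window >= threshold:
                hits.append(host)
                break
    return sorted(hits)

def detect_lotl_then_exfil(events, window=timedelta(hours=1)):
    """Hosts where a lateral-movement tool runs and an exfil tool starts within `window` after it."""
    procs = defaultdict(list)
    for ts, host, kind, detail in events:
        if kind == "process":
            procs[host].append((datetime.fromisoformat(ts), detail.lower()))
    hits = []
    for host, runs in procs.items():
        lotl_times = [t for t, name in runs if name in LOTL_TOOLS]
        exfil_times = [t for t, name in runs if name in EXFIL_TOOLS]
        if any(timedelta(0) <= e - l <= window for l in lotl_times for e in exfil_times):
            hits.append(host)
    return sorted(hits)
```

In a real deployment the tool lists and thresholds belong in a tuned rule set; legitimate AnyDesk or PsExec use alone should not fire, which is why the second detector requires the exfiltration tool to follow on the same host.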
Branding itself as a "moral agent," INC Ransom claims to expose cybersecurity weaknesses, adding complexity to its narrative. The group has targeted sectors ranging from education to defense, escalating attacks in 2024.
High-profile victims include NHS Scotland, Xerox, the Peruvian Army, and Yamaha Philippines, highlighting its adaptability and the growing threat it poses to public and private sectors worldwide.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.