Ransomware on the Move: 3AM, Play, Qilin, RansomHub
Date: November 12, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the #ransomware gangs on the move last week: 3AM, Play, Qilin, and RansomHub.
Over the past week, ransomware groups 3AM, Play, Qilin, and RansomHub launched a relentless wave of attacks, targeting a wide range of industries. Each group intensified its tactics, exploiting specific vulnerabilities and exfiltrating sensitive data to pressure victims into compliance:
- Play alone executed high-profile attacks on CGR Technologies, seizing sensitive financial and payroll data, while also targeting J.S. McCarthy Printers, putting over 600GB of client and operational data at risk.
- 3AM, a less discussed but equally potent group, displayed its capabilities by compromising secure networks with precision.
- Qilin and RansomHub added further disruption, exploiting weaknesses in IT and critical infrastructure, underscoring the adaptability and persistence of ransomware groups as they target a broader array of victims.
3AM
Also known as ThreeAM, 3AM is a rising threat in the ransomware field, notable for its sophisticated use of the Rust programming language. Initially developed as a secondary option when other ransomware, such as LockBit, fails to deploy, 3AM has quickly built a reputation for adaptability.
Leveraging an affiliate structure and utilizing shared infrastructure with cybercrime groups like Conti and Royal, 3AM has become a versatile tool in the hands of cybercriminals, enhancing its reach and impact across sectors. 3AM ransomware often carries out large-scale data exfiltration, which leads to significant operational and reputational consequences for its victims.
Significant Attacks
- Freedom Home Care and Medical Staffing faced a 3AM ransomware breach, potentially exposing sensitive personal and health information and highlighting vulnerabilities within the healthcare sector.
- Sandray Precision Grinding Inc., a precision manufacturing provider, had its operations disrupted, affecting component production for industries such as aerospace and illustrating how dependent manufacturing firms are on digital infrastructure that ransomware can exploit.
- ANU Enterprise, the commercial arm of the Australian National University, was targeted by 3AM ransomware on October 31, 2024. The organization was listed on 3AM's dark web leak site, but the attackers have not disclosed specific details or data, leaving the breach's extent uncertain. Given ANU Enterprise's role in connecting research with industry, this attack raises concerns over the security of academic institutions involved in commercial partnerships.
- Caillau, a notable distributor and manufacturer of specialized fasteners, suffered a 3AM ransomware attack on November 1, 2024. Because Caillau supplies the automotive and aerospace sectors, the breach raises concerns over potential disruptions to global supply chains. While the full scope of data compromised has not been revealed, this incident highlights the critical risk that evolving ransomware tactics pose to industrial sectors.
Play
Active since June 2022, the Play ransomware group has established itself as a significant player in the ransomware world. Initially focused on Latin American entities, Play has expanded globally, with operations spanning IT, transportation, government, and critical infrastructure.
Known for innovative tactics, Play gains initial access through vulnerabilities in RDP servers, FortiOS, and Microsoft Exchange, and stands out by omitting an upfront ransom demand, instead instructing victims to initiate contact.
With more than 300 impacted organizations worldwide, the group has made a strong impact across sectors, leveraging both data encryption and exfiltration for maximum effect. Play’s attacks are marked by substantial data exfiltration, frequently targeting sensitive business information, client records, and financial data.
Significant Attacks
- Play compromised data at CGR Technologies, a manufacturing company in Illinois, extracting confidential client documents, financial records, and tax information.
- Maval Industries, a leading automotive manufacturer, also experienced a breach in which Play exfiltrated critical data, including client contracts and financial documents, amplifying security risks for both the company and its clients.
- J.S. McCarthy Packaging + Print, a leading provider of commercial folding carton packaging, was breached by Play ransomware on November 4, 2024. The attack resulted in the exfiltration of 652GB of sensitive data, including client documents, payroll records, and financial information. Play has threatened to publish the data, increasing pressure on J.S. McCarthy to respond quickly to the breach.
- ASTAC, a telecommunications provider serving remote communities in Alaska, also became a victim of Play’s ransomware tactics. Attackers accessed and encrypted substantial volumes of sensitive data, including client records, payroll information, and tax documents. The breach represents a significant risk to ASTAC’s customer privacy and operational integrity, highlighting the threats posed by ransomware in essential service sectors.
Qilin
Initially known as Agenda, Qilin has been active since July 2022, establishing itself as a sophisticated Ransomware-as-a-Service (RaaS) operation. Primarily targeting large enterprises, Qilin has focused on industries such as healthcare, manufacturing, financial services, and government, with healthcare accounting for 7% of attacks.
Known for double extortion, Qilin employs both data encryption and exfiltration, adding pressure on victims to comply with ransom demands as sensitive information is threatened with exposure on the group’s leak site. Recent updates to Qilin’s ransomware, including a shift from Golang to Rust, have enhanced its evasion capabilities across Windows, Linux, and VMware ESXi environments.
Significant Attacks
- Qilin breached DieTech North America, an automotive manufacturer with an estimated annual revenue of $10 million, seizing confidential client documents, financial data, and operational details.
- Qilin also hit Valu-Trac Investment Management, a UK-based financial firm with annual revenue of approximately £5.3 million. Qilin reportedly compromised data containing personally identifiable information of clients, emphasizing the group’s focus on companies with valuable proprietary information.
- Daikin Thailand, operating under Siam Daikin Sales Co., Ltd., was severely impacted by a ransomware attack orchestrated by Qilin in October 2024. The attack led to the exfiltration of approximately 838GB of sensitive data, affecting Daikin's operations and potentially exposing confidential customer and operational details. Qilin provided a sample leak to demonstrate the severity of the breach, raising serious concerns over data security at Daikin.
- Aiken Electric Cooperative, a major energy provider in South Carolina, faced a Qilin ransomware attack in November 2024. The breach resulted in the exfiltration of 591GB of sensitive data, including 48 photos and over 369,000 files. The compromised data included information related to Aiken’s net metering services, which allow customers to sell excess solar energy back to the cooperative, posing potential risks to both operational integrity and customer privacy.
RansomHub
Since emerging in February 2024, RansomHub has rapidly gained prominence as a Ransomware-as-a-Service (RaaS) group. Known for its aggressive affiliate model and double extortion tactics, RansomHub combines data encryption with extensive data exfiltration, pressuring victims to meet ransom demands.
Linked with former Knight ransomware affiliates and actors from ALPHV/BlackCat, RansomHub recruits skilled affiliates through platforms like RAMP, broadening its reach across multiple high-value sectors. By August 2024, the group had claimed over 210 attacks globally, particularly targeting industries like government, healthcare, and education.
Significant Attacks
- RansomHub attacked Hellenic Open University in Greece, and exfiltrated an extensive 813GB of sensitive data, including student records, financial details, and internal administrative documents, revealing vulnerabilities in educational institutions.
- Universidad Técnica Federico Santa María in Chile also suffered an attack by RansomHub, with 46GB of academic and operational data compromised. Both institutions face operational and reputational repercussions from the exposed data.
- Sanyang Motor, a major player in Taiwan’s automotive industry, was recently targeted by RansomHub, which exfiltrated approximately 265GB of sensitive data from the company’s internal systems. Although the compromised data has not been disclosed publicly, RansomHub has released a sample as proof of the breach, underscoring the threats faced by manufacturing sectors with extensive proprietary and customer data.
- Oldcastle Building Envelope, a leader in North America’s architectural glass and metal sector, was also breached by RansomHub. Attackers infiltrated Oldcastle’s IT infrastructure, encrypting critical data and exfiltrating sensitive information, including employee and customer contact details, physical addresses, phone numbers, and partial credit card data. RansomHub has demanded a substantial ransom, threatening to notify affected parties and publicly release the stolen data.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.