Ransomware on the Move: 8base, Hunters International, Meow, Sarcoma

Date: October 22, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: 8base, Hunters International, Meow, and Sarcoma…

Ransomware activity surged during the week of October 7-13, 2024, with 8base, Hunters International, Meow, and the newly discovered Sarcoma executing high-impact attacks across industries such as manufacturing, healthcare, and technology:

  • Sarcoma, despite being a newcomer, made an immediate impact by targeting AIUT, a prominent Polish automation and robotics company, stealing over 5.9 terabytes of proprietary data, including industrial automation designs and confidential client projects.
  • 8base continued its aggressive streak, targeting manufacturing companies like SOFPO, a subsidiary of the Rossmann Group, and SCHUMAG AG, compromising sensitive operational data and disrupting key business functions.  
  • Hunters International attacked Protective Industrial Products and Therabel Lucien Pharma SAS, exfiltrating over 300 GB of confidential research and client information.
  • Meow's attack on Rocky Mountain Gastroenterology in Denver resulted in the theft of over 80 GB of patient and employee data, exposing sensitive medical records and financial information.

8base

The 8Base ransomware group has reemerged after a few months of dormancy, launching a new wave of attacks in October 2024. Known for their aggressive double-extortion tactics, 8Base has already targeted 13 companies in this recent frenzy, hitting industries from manufacturing to healthcare.  

Cybersecurity experts have uncovered a new address for the group’s data leak site, confirming that despite their period of silence, 8Base never ceased its activities. This resurgence comes with heightened sophistication, leveraging AES-256 encryption and the Phobos ransomware variant to maximize disruption.

The attacks have resulted in significant data breaches, with sensitive information like accounting documents, personal data, and confidential agreements exfiltrated from various victims.  

Significant Attacks

  • SCHUMAG Aktiengesellschaft was targeted by the 8Base ransomware group in an attack between September 22 and 23, 2024. The breach, detected by the Munich State Criminal Police Office, led to the shutdown of SCHUMAG's IT systems. The attack disrupted the company's operations, causing the cancellation of a general shareholders' meeting and exfiltrating a significant amount of data, including contracts, employee information, and confidential business documents. Despite a ransom demand, the data was eventually released, worsening SCHUMAG's financial struggles and contributing to its self-administration restructuring.
  • Volkswagen Group was attacked by 8Base on September 23, 2024. The group claimed to have exfiltrated sensitive data and listed Volkswagen as a victim on its darknet blog. While the specifics of the data breach remain unclear, Volkswagen denied any major IT compromise. The ransomware group had set a ransom deadline for September 26, but the lack of public data release raises questions about ongoing negotiations. The attack highlights the growing threat posed by 8Base to high-profile corporations across various sectors.
  • 8Base compromised SOFPO, a subsidiary of the Rossmann Group, exfiltrating a wide array of critical data.  
  • 8Base also attacked Wild Apple Graphics, an art licensing agency, with invoices and employee information stolen.

Hunters International

Hunters International, a Ransomware-as-a-Service (RaaS) group, quickly rose to prominence after its emergence in October 2023. Building on the codebase from the defunct Hive ransomware, Hunters International has carried out over 130 attacks by 2024.  

This group is known for targeting industries such as healthcare, finance, and manufacturing with its sophisticated cross-platform ransomware that affects both Windows and Linux environments. Utilizing double extortion tactics, they not only encrypt their victims’ data but also exfiltrate sensitive information, leveraging the threat of public exposure to coerce ransom payments.

The group has been responsible for some of the most substantial data theft incidents in 2024, often resulting in severe operational and financial repercussions for its victims.  

Significant Attacks

  • Protective Industrial Products suffered a ransomware attack this week, where Hunters International exfiltrated 4.6 terabytes of sensitive data, including 36.7 gigabytes of QuickBooks information and critical financial records. This attack marked the second time the company had been targeted by ransomware in under a year, exacerbating concerns over its cybersecurity posture.
  • Therabel Lucien Pharma SAS was also targeted by Hunters International, having 338 GB of sensitive data stolen by the group. The breach included confidential client data, internal correspondence, contracts, and critical research documents related to preclinical and clinical trials, posing significant risks to the pharmaceutical company’s operations and reputation.
  • Hunters International breached Rumpke Consolidated Companies, a major U.S.-based waste management firm. They exfiltrated 3.3 terabytes of sensitive data, including financial records, customer information, and personal data. Rumpke has annual revenues exceeding $1 billion, and the attack highlighted the vulnerability of critical infrastructure industries to ransomware attacks.
  • Elmore Goldsmith Kelley & deHoll, a South Carolina-based law firm specializing in construction law, was also attacked by Hunters and had over 240 GB of data exfiltrated. This included sensitive legal documents, client correspondence, and financial information, exposing the firm to severe reputational and operational risks.

Meow

Meow Ransomware, first identified in August 2022, has resurfaced as an aggressive threat in 2024, after a brief disappearance following March 2023. Associated with the Conti v2 ransomware variant, the group has become notorious for targeting industries in the United States with highly sensitive data, such as healthcare and medical research.  

Meow Ransomware employs sophisticated methods like phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and exploit kits to compromise systems. Utilizing ChaCha20 and RSA-4096 encryption algorithms, they lock victims out of their data while simultaneously exfiltrating it, pressuring them with the threat of publishing the stolen information on their leak site.

The group has carried out several significant data exfiltration attacks in 2024, notably targeting sectors that handle sensitive personal and financial information.  

Significant Attacks

  • Rocky Mountain Gastroenterology (RMG), a major gastroenterology practice based in Denver, Colorado, suffered a ransomware attack orchestrated by the Meow group. Over 80 GB of sensitive data was exfiltrated, including personal identification data, medical records, Social Security numbers, and internal business documents. The attackers demanded a ransom of $200,000 in exchange for not releasing the stolen information. RMG operates 15 offices and six Endoscopy Centers and is a key player in providing gastrointestinal care across the Denver metro area, making the attack a serious threat to patient privacy and the practice’s reputation.
  • The Law Office of Omar O. Vargas, a Houston-based legal practice specializing in immigration and criminal defense, was also targeted by Meow Ransomware. The attackers claimed to have exfiltrated 14 GB of highly sensitive information, including client data, Social Security numbers, court documents, and tax forms. This attack marks the third time the firm has been targeted by ransomware in recent months, highlighting the escalating risk to the firm's operational integrity. The attackers have demanded $36,000 for exclusive access to the stolen data, and this breach poses serious legal and financial risks for the firm.
  • Modiin Ezrachi, an Israeli security firm, had 486 GB of sensitive data stolen by Meow, including employee records, government contracts, and security passes. Modiin Ezrachi, a key player in Israel’s security sector, is known for providing security services to settlements and government facilities.  
  • OSG USA, Inc., a leading manufacturer of cutting tools, saw over 25 GB of proprietary operational data exfiltrated by Meow, underscoring the vulnerabilities within the manufacturing sector. OSG USA, which services industries such as automotive and aerospace, generates revenue exceeding $500 million annually, making it a prime target for intellectual property theft.

Sarcoma

Sarcoma is a newly identified ransomware group that first emerged in October 2024. Despite its recent debut, the group has quickly gained notoriety for its aggressive tactics and data breaches.  

Sarcoma operates primarily through double extortion, encrypting data and threatening public exposure through a dark web portal that already lists over 30 victims. The group has mainly targeted organizations in Australia, New Zealand, and Japan, although its victim pool is broad and spans various industries.

Sarcoma's mode of operation includes phishing and vulnerability exploitation, making it a fast-rising threat actor in the global cybercrime landscape. Sarcoma's attacks typically involve the exfiltration of sensitive data, which they use to coerce victims into compliance without initially stating monetary ransom demands.  

Significant Attacks

  • InCare Technologies, a managed service provider based in Birmingham, Alabama, fell victim to a ransomware attack orchestrated by Sarcoma. The group claimed responsibility for the attack on their dark web leak site, placing InCare Technologies among over 30 organizations they targeted. The attack involved data exfiltration, though specific details of the stolen data remain undisclosed. InCare Technologies, which serves industries like healthcare and education, generates an annual revenue of $25.7 million and has 31 employees. The breach poses significant risks to both their operations and client trust.
  • The Roberts Family Law Firm, a prominent legal practice in Orlando, Florida, was also attacked by Sarcoma. Known for its aggressive representation in family law cases, including divorce and child custody, The Roberts Family Law Firm was listed on Sarcoma’s dark web portal, highlighting a significant data compromise. The breach is believed to involve sensitive client information, such as Social Security numbers and legal case details, posing major risks to the firm’s reputation and the privacy of its clients.
  • Advanced Accounting in New Zealand suffered a significant data breach at the hands of Sarcoma on October 10, 2024, in which 115 GB of sensitive information, including passports and driver's licenses, was stolen. The victim, a small to medium-sized accounting firm, offers services such as taxation and commercial accounting, making the breach particularly impactful.
  • The Plastic Bag Company in Australia faced a breach in which 3.6 GB of data, including tax returns and passport scans, was compromised. This company, a major player in the plastic manufacturing industry, generates significant revenue through the production of plastic bags and related products.


Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.