Ransomware on the Move: Akira, Cactus, RansomHub, Play

Date: September 17, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week...

During the week of September 2 to September 8, 2024, four of the most active ransomware groups, Akira, Cactus, RansomHub, and Play, claimed a series of damaging attacks.

These groups primarily targeted manufacturing, business services, and construction, where they exfiltrated sensitive data and disrupted essential operations. The number and size of the claimed breaches mark a continued escalation in ransomware activity, with the groups showing increasing boldness in their campaigns.

Among these groups:

  • Akira stood out for its aggressive operations, targeting high-profile companies like Baird Mandalas Brockstedt LLC and Imetame Group. Its double-extortion tactics allowed it to exfiltrate significant amounts of sensitive data, which was then used as leverage to pressure victims into paying.
  • Cactus also made headlines with breaches at Rio Marine Inc. and J.M. Champeau, Inc., using similar tactics to compromise critical financial and operational data.
  • RansomHub's attack on Cardiology of Virginia, which resulted in 1 TB of healthcare data being exfiltrated, brought fresh concerns over the vulnerability of the healthcare sector.
  • Play ransomware caused significant disruption in the outdoor gear industry by targeting Seirus Innovation.

These incidents underscore the versatility and determination of ransomware groups, highlighting the wide range of sectors that remain vulnerable to cyberattacks.

Akira

Akira ransomware, which first surfaced in March 2023, has swiftly become a notable player in the global ransomware landscape. Akira’s key tactic involves a double-extortion model where they not only encrypt files but also exfiltrate sensitive data, leveraging it to pressure victims into paying high ransom demands.  

The group primarily targets organizations in North America, Europe, and Australia, with a focus on finance, healthcare, education, and manufacturing. Akira attacks are characterized by the .akira extension appended to encrypted files and by the use of tools such as Rclone to copy data out to attacker-controlled storage before encryption begins.
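
Both markers named above, mass renames to the .akira extension and Rclone invoked with a remote destination, are cheap to detect from endpoint telemetry. The following detector is an added example written for this article, not Halcyon's code or anything recovered from Akira tooling; it runs over constructed, simplified "timestamp|host|event|detail" log lines (assumed format, not real telemetry) and the thresholds, host names and paths are illustrative.

```python
"""Toy detector for two Akira tradecraft markers: a burst of renames to the
.akira extension (encryption under way) and rclone executions that target a
remote (exfiltration). Added example; log format and data are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

AKIRA_EXT = ".akira"
RENAME_THRESHOLD = 5              # .akira renames on one host within one window
RENAME_WINDOW = timedelta(seconds=60)

# An rclone remote is written "name:path". A Windows drive is "X:\path"; requiring
# two or more characters before the colon keeps drive letters from matching.
RCLONE_REMOTE = re.compile(r"(?<![\w\\])([A-Za-z0-9_-]{2,}):([^\s\\]*)")

# Constructed sample telemetry (not real logs). Exfiltration precedes encryption,
# matching the double-extortion sequence described in the article.
SAMPLE_LOG = """\
2024-09-06T01:40:12|FS01|process|rclone.exe copy D:\\Shares\\HR remote:backup --transfers 32
2024-09-06T01:55:40|FS01|process|rclone.exe copy D:\\tmp E:\\tmp
2024-09-06T02:11:03|FS01|rename|C:\\Shares\\Finance\\ledger.xlsx -> C:\\Shares\\Finance\\ledger.xlsx.akira
2024-09-06T02:11:03|FS01|rename|C:\\Shares\\Finance\\q3.docx -> C:\\Shares\\Finance\\q3.docx.akira
2024-09-06T02:11:04|FS01|rename|C:\\Shares\\Finance\\payroll.csv -> C:\\Shares\\Finance\\payroll.csv.akira
2024-09-06T02:11:05|FS01|rename|C:\\Shares\\Legal\\nda.pdf -> C:\\Shares\\Legal\\nda.pdf.akira
2024-09-06T02:11:07|FS01|rename|C:\\Shares\\Legal\\contract.docx -> C:\\Shares\\Legal\\contract.docx.akira
2024-09-06T09:00:00|WS07|process|rclone.exe sync C:\\Users\\alice\\Photos gdrive:photos
2024-09-06T09:00:01|WS07|rename|C:\\Users\\alice\\notes.txt -> C:\\Users\\alice\\notes.txt.bak
2024-09-06T09:05:00|WS07|process|7z.exe a C:\\Users\\alice\\archive.7z C:\\Users\\alice\\Docs
"""


def parse_line(line):
    """Split one constructed log line into its four fields."""
    ts, host, event, detail = line.split("|", 3)
    return {"ts": datetime.fromisoformat(ts), "host": host, "event": event, "detail": detail}


def find_akira_renames(events, threshold=RENAME_THRESHOLD, window=RENAME_WINDOW):
    """Alert once per host when >= threshold files gain .akira inside one window."""
    per_host = defaultdict(list)
    for ev in events:
        if ev["event"] != "rename":
            continue
        _src, _, dst = ev["detail"].partition(" -> ")
        if dst.lower().endswith(AKIRA_EXT):
            per_host[ev["host"]].append(ev["ts"])
    alerts = []
    for host, stamps in per_host.items():
        stamps.sort()
        for i, start in enumerate(stamps):          # sliding window from each rename
            n = sum(1 for t in stamps[i:] if t - start <= window)
            if n >= threshold:
                alerts.append({"host": host, "first_seen": start, "count": n})
                break
    return alerts


def find_rclone_exfil(events):
    """Flag rclone executions whose arguments name a remote (local-only copies are ignored)."""
    alerts = []
    for ev in events:
        if ev["event"] != "process":
            continue
        argv = ev["detail"].split()
        if not argv or not argv[0].lower().endswith(("rclone", "rclone.exe")):
            continue
        remotes = [m.group(1) for m in RCLONE_REMOTE.finditer(ev["detail"])]
        if remotes:
            alerts.append({"host": ev["host"], "ts": ev["ts"], "remotes": remotes, "cmd": ev["detail"]})
    return alerts


def triage(log_text):
    """Run both detections over a block of log text and return the alerts."""
    events = [parse_line(l) for l in log_text.splitlines() if l.strip()]
    return {"encryption": find_akira_renames(events), "exfil": find_rclone_exfil(events)}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for a in result["encryption"]:
        print(f"[ENCRYPTION] {a['host']}: {a['count']} .akira renames starting {a['first_seen']}")
    for a in result["exfil"]:
        print(f"[EXFIL] {a['host']} {a['ts']}: rclone -> {', '.join(a['remotes'])}")
```

On the sample, FS01 trips both rules (rclone to "remote:" followed by a burst of .akira renames) while the local rclone copy and the .bak rename on WS07 are ignored; the workstation's rclone sync to "gdrive:" is still flagged, which is the point: whether that is a true positive depends on whether rclone is a sanctioned tool in the environment, so the rclone rule is a triage signal and the rename burst is the high-confidence one.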

Akira typically engages victims through a Tor-based communication portal, offering no decryptor for those who refuse to pay, further complicating recovery efforts. Akira’s attacks result in the theft of significant amounts of sensitive data, including personal identification details, financial information, and proprietary business records.  

In an attack on Imetame Group, a major Brazilian industrial conglomerate, Akira exfiltrated 20GB of project details, employee records, and financial data. The breach threatens the company’s operations across energy and metalworking sectors, posing serious financial risks.  

Similarly, SWISS CZ, a precision equipment repair company based in the Czech Republic, had 15GB of sensitive data, including employee information and accounting records, stolen. This breach jeopardizes their operations and the relationship with their parent company, ELKO GROUP, which reports over $2.2 billion in annual revenue.

Significant Attacks:

  • Baird Mandalas Brockstedt & Federico, LLC (BMBF), a law firm based in Delaware, was attacked by Akira on September 6, 2024. The group exfiltrated 400GB of client-sensitive data, including Social Security Numbers, passports, birth certificates, and court-related documents. This breach poses a significant risk to the firm's reputation, especially in its high-profile personal injury and environmental litigation cases, which collectively account for over $1 billion in verdicts and settlements. The stolen data threatens the privacy of numerous clients.
  • Cellular Plus, a Verizon Wireless Authorized Retailer, became another target of Akira, resulting in the exfiltration of sensitive information for 270 employees, including financial records and customer data. The attack caused significant operational disruption, and after refusing to meet the ransom demands, the company faced threats from the attackers to publish the stolen information, jeopardizing its reputation in the telecommunications industry.

Cactus

The Cactus ransomware group, identified in March 2023, has quickly risen to prominence due to its exploitation of vulnerabilities in VPN appliances, especially those from Fortinet. Cactus uses a double-extortion model, encrypting data while exfiltrating sensitive information, threatening to leak it unless ransom demands are met.  

The group targets large organizations across various sectors, including construction, manufacturing, and marine services, and is responsible for several high-profile attacks that caused significant disruption to the targeted businesses.

Cactus ransomware is known for stealing large volumes of sensitive information, including personally identifiable information (PII), financial records, and proprietary business documents.  

In an attack on Rio Marine Inc., a marine services company, the group exfiltrated 490GB of sensitive data, including engineering data, customer information, and financial documents. The attackers demanded a ransom of $56 million.

Another breach occurred at Balboa Bay Resort, where 790GB of data was exfiltrated, including customer PII, employee records, and financial data. The attackers demanded a ransom of $101 million, though less than 1% of the stolen data has been publicly disclosed so far.

Significant Attacks:

  • Champeau Hardwood Company, a Canadian firm specializing in the production and distribution of hardwood components, was targeted by Cactus ransomware. The group exfiltrated 130GB of sensitive business documents, including financial records, engineering projects, and personal information of employees and executives. Champeau, which has an annual revenue of $25.5 million, faces potential risks following the exposure of critical business information.
  • McPhillips Construction, a civil engineering company in the UK, was attacked by Cactus, resulting in the exfiltration of 1.2TB of data. The stolen data includes detailed engineering drawings, project plans, financial documents, and personal information of employees and customers. McPhillips, with annual revenue of $40.8 million, is now handling the fallout from this significant breach.

RansomHub

RansomHub, a Ransomware-as-a-Service (RaaS) group that emerged in February 2024, has rapidly gained prominence in the ransomware landscape. Known for its aggressive affiliate model, RansomHub combines encryption and data theft in its double extortion tactics, targeting a wide range of sectors.  

By focusing on large enterprises across critical industries, including healthcare, manufacturing, and government sectors, RansomHub has positioned itself as one of the most dangerous threat actors of 2024.  

The group has filled the gap left by other ransomware groups disrupted by law enforcement, such as ALPHV/BlackCat and LockBit. As of August 2024, RansomHub claimed responsibility for over 210 victims on its dark web leak site, reflecting the group's accelerating operations.

RansomHub has successfully exfiltrated significant amounts of sensitive data from its targets, often using this information to demand large ransoms.  

One notable attack occurred against Cardiology of Virginia, a cardiovascular healthcare provider, where the group stole 1 TB of patient records, financial documents, and internal communications. This attack threatens the privacy and security of sensitive healthcare information, leaving the organization scrambling to mitigate the damage.  

Another breach targeted Briedis Publishing House in Lithuania, where RansomHub exfiltrated 10 GB of data, impacting the company's educational resources and client records. Both examples show RansomHub's reach across very different industries and its use of stolen data as leverage for large ransom payments.

Significant Attacks:

  • Kawasaki Motors Europe (KME), the European branch of Kawasaki Heavy Industries, was attacked by RansomHub in early September 2024. The group stole 487 GB of data, causing KME to isolate its servers and work with cybersecurity experts to restore functionality. Although the company restored 90% of its systems within a week, RansomHub threatened to release the data unless their demands were met, leaving the company with ongoing concerns over the stolen information.
  • Planned Parenthood became a target of RansomHub on August 28, 2024, with 93 GB of sensitive data exfiltrated, including financial records and court papers. The healthcare provider, which plays a key role in reproductive health services, has yet to confirm if patient data was compromised, heightening fears about the impact of the breach. With RansomHub threatening to leak the data, this incident has drawn significant attention from both cybersecurity authorities and privacy advocates.

Play

The Play ransomware group, also known as PlayCrypt, first emerged in June 2022. The group rapidly gained a reputation for its ability to exploit vulnerabilities in RDP servers, Microsoft Exchange, and FortiOS systems.  

Its operations have expanded across North America, South America, and Europe, targeting a broad range of industries, including IT, construction, transportation, government entities, and critical infrastructure. Known for using double extortion tactics, Play has left a trail of compromised organizations in its wake, with no available decryptors for victims.

Play ransomware is notorious for exfiltrating substantial amounts of sensitive data from its victims. Crain Group, an investment and philanthropy organization, suffered a breach where attackers stole confidential client information, tax records, and legal documents, jeopardizing the company's operations and stakeholders.  

Similarly, The Bakersfield Californian, a regional newspaper in California, suffered a data breach affecting client documentation, tax records, and private identification details, which disrupted the newspaper's operations.

Significant Attacks:

  • Seirus Innovation, a maker of cold-weather outdoor gear, has fallen victim to a ransomware attack by the Play ransomware group. The attackers compromised a significant amount of sensitive data, including private and personal confidential information, client documents, budget details, payroll records, contracts, tax information, identification documents, and financial data. The breach poses a substantial risk to the privacy of both the company and its clients, and could lead to severe operational and reputational damage.
  • Farmers' Rice Cooperative, established in 1944, was also hit by Play. The breach compromised the same categories of data, from client documents and payroll records to identification documents and financial data, posing significant risks to the cooperative's operations and the privacy of its stakeholders.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more.