Ransomware on the Move: Akira, Hunters International, Qilin, RansomHub

Date: October 15, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: Akira, Hunters International, Qilin, and RansomHub…

Ransomware activity surged during the week of October 1-6, 2024, with Akira, Hunters International, Qilin, and RansomHub leading high-impact attacks across various sectors.  

These groups demonstrated evolving tactics, from exploiting software vulnerabilities to executing double extortion schemes, and their combined efforts resulted in significant disruptions across industries like IT services, finance, and engineering.

  • Akira continued its aggressive assault on critical infrastructure, with notable attacks on Cascade Columbia Distribution and TRC Worldwide Engineering. Sensitive data exfiltration in both cases led to operational disruptions.
  • Hunters International targeted organizations holding highly sensitive data, including a breach at Ibermutua, a Spanish insurance provider, where 647 GB of data, including financial records and PII, was stolen.
  • Qilin’s focus this week included significant attacks on accounting and legal firms.
  • RansomHub executed devastating attacks on Enterprise Outsourcing, stealing 7 TB of data, and Omniboxx, where 500 GB of critical information was compromised.  

Akira

Akira, a ransomware group that first appeared in March 2023, has quickly gained notoriety for its aggressive double extortion tactics, targeting sectors such as education, finance, and healthcare.  

The group employs a hybrid encryption approach, combining the ChaCha20 stream cipher and RSA public-key cryptography to encrypt data rapidly while ensuring secure key exchanges. Akira has primarily targeted small to medium-sized enterprises, often exploiting VPN vulnerabilities and compromised credentials to infiltrate systems.  

Once inside, the group exfiltrates significant amounts of sensitive data, applying additional pressure on victims to pay ransoms. With notable activity across North America, Akira’s attacks have disrupted multiple industries.

Significant Attacks:

  • North American Breaker Company (NABCO), a distributor of electrical components, was hit by Akira, which exfiltrated 100 GB of internal records, supplier information, and customer contracts. With an annual revenue of $11.2 million, NABCO now faces operational risks and customer trust issues.
  • CSG Consultants, Inc., a civil engineering firm in the U.S., was breached in early October 2024. Akira claimed to have stolen 15 GB of sensitive project data, potentially including architectural designs and public works plans. With CSG Consultants working closely with municipal governments, the exposure of this data could significantly impact critical infrastructure projects.
  • Tanya Creations, a fashion jewelry company based in Rhode Island, fell victim to Akira in October 2024. The group exfiltrated 100 GB of data, possibly compromising proprietary designs and business strategies. The company, which generates approximately $71.1 million in revenue, faces the possibility of operational disruptions and reputational damage, risking relationships with retail partners and customers.
  • Rob Levine & Associates, a Providence-based law firm, saw over 300 GB of sensitive legal documents compromised, potentially jeopardizing ongoing cases and client confidentiality.

Hunters International

Hunters International, a ransomware group that emerged in late 2023, has quickly established itself as a major player through its aggressive double extortion tactics. Operating under the Ransomware-as-a-Service (RaaS) model, the group targets sectors like healthcare, construction, and government services.  

Known for exploiting vulnerabilities in public-facing applications and conducting phishing campaigns, Hunters International infiltrates systems, steals sensitive data, and demands ransom payments under the threat of public disclosure. The group’s malware, written in Rust, utilizes AES and RSA encryption to facilitate fast, secure encryption.
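The encryption schemes attributed above to Akira (ChaCha20 wrapped with RSA) and to Hunters International (AES wrapped with RSA) are both instances of the same hybrid pattern, and that pattern is what decides whether a victim can recover data without paying. The example below is added here for illustration; it is not code from Halcyon, Akira, Hunters International, or any other group, and it makes no claim about how those families are actually implemented. It uses only the Python standard library: ChaCha20 is implemented inline following RFC 8439, and the RSA part is textbook RSA with a toy prime search and no OAEP padding, which is enough to show the mechanics but is not a secure key-wrapping construction. A fresh session key per encrypted object is the usual design for this kind of scheme and is assumed here. The two decryption paths matter for defenders: the operator unwraps the session key with the RSA private key that never exists on the victim's network, while a session key captured from the running encryptor's memory decrypts the same data with no private key at all, which is the idea behind key-material capture. The AES variant differs only in the symmetric primitive; the wrapping and recovery logic are identical. The entropy helper shows the signal that separates encrypted output from ordinary documents.

```python
# Added illustration, not code from Halcyon or any ransomware family: the
# "stream cipher + RSA" hybrid described above, standard library only.
# ChaCha20 follows RFC 8439; RSA is textbook (no padding, toy prime search).
import math
import secrets
import struct
from collections import Counter

MASK32 = 0xFFFFFFFF

def _rotl32(v, c):
    return ((v << c) & MASK32) | (v >> (32 - c))

def _quarter_round(s, a, b, c, d):
    # One ChaCha quarter round on four words of the state (RFC 8439 2.1).
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & MASK32; s[d] = _rotl32(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & MASK32; s[b] = _rotl32(s[b] ^ s[c], 7)

def chacha20_block(key, nonce, counter):
    # 64-byte keystream block: constants, 8 key words, counter, 3 nonce words.
    state = list(struct.unpack("<4I", b"expand 32-byte k"))
    state += struct.unpack("<8I", key) + (counter,) + struct.unpack("<3I", nonce)
    w = state[:]
    for _ in range(10):  # 10 double rounds = 20 rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *[(x + y) & MASK32 for x, y in zip(w, state)])

def chacha20_xor(key, nonce, data, counter=1):
    # Stream cipher: XOR with successive keystream blocks. Encrypting and
    # decrypting are the same operation, so a recovery tool reuses this.
    out = bytearray()
    for i in range(0, len(data), 64):
        ks = chacha20_block(key, nonce, counter + i // 64)
        out += bytes(x ^ y for x, y in zip(data[i:i + 64], ks))
    return bytes(out)

def _is_probable_prime(n, rounds=16):
    # Miller-Rabin on an odd candidate; fine for a demo key, not a vetted generator.
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(2 + secrets.randbelow(n - 3), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        cand = secrets.randbits(bits) | (1 << (bits - 1)) | 1  # odd, full length
        if _is_probable_prime(cand):
            return cand

def rsa_keygen(bits=1024):
    # Returns (n, e), (n, d); the private half never touches the victim network.
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))

def hybrid_encrypt(pub, plaintext):
    # Fresh 256-bit session key per object, wrapped under the public key.
    # Real deployments use RSA-OAEP; raw RSA keeps the demo short.
    n, e = pub
    session_key, nonce = secrets.token_bytes(32), secrets.token_bytes(12)
    ciphertext = chacha20_xor(session_key, nonce, plaintext)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    blob = {"nonce": nonce, "ciphertext": ciphertext,
            "wrapped_key": wrapped.to_bytes((n.bit_length() + 7) // 8, "big")}
    # An encryptor would discard session_key here; it is returned only to stand
    # in for key material captured from the running process before it is lost.
    return session_key, blob

def hybrid_decrypt(priv, blob):
    # The operator's recovery path: needs the RSA private key.
    n, d = priv
    k = pow(int.from_bytes(blob["wrapped_key"], "big"), d, n)
    if k.bit_length() > 256:
        raise ValueError("wrapped key does not unwrap under this private key")
    return chacha20_xor(k.to_bytes(32, "big"), blob["nonce"], blob["ciphertext"])

def shannon_entropy(data):
    # Bits per byte: close to 8.0 for ciphertext, far lower for documents.
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())
```

To walk through it, generate a key pair with `rsa_keygen()`, encrypt a constructed document with `hybrid_encrypt(pub, doc)`, and compare the two recovery routes: `hybrid_decrypt(priv, blob)` succeeds only with the private key, while `chacha20_xor(session_key, blob["nonce"], blob["ciphertext"])` succeeds with the captured session key alone. Comparing `shannon_entropy` of the document against the ciphertext shows why entropy spikes on rewritten files are a common ransomware detection heuristic.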

Significant Attacks:

  • Ibermutua, a leading Spanish insurance provider within the country’s Social Security system, faced a devastating ransomware attack by Hunters International. The cybercriminals infiltrated Ibermutua’s systems, stealing 647.7 GB of highly sensitive data, including 386,000 confidential files. This haul contained critical information such as source code, complex database details, financial records, and personally identifiable information (PII) from both clients and employees. Given Ibermutua's role in managing occupational health and safety for workers across Spain, the breach threatens to cause significant disruption to its services. Additionally, the exposure of such sensitive data risks major regulatory penalties under GDPR and a potential loss of trust from government bodies and the public. With this scale of stolen data, Ibermutua faces the prospect of long-term reputational damage, as well as potential delays in its critical services, with its website still offline at the time of writing.
  • Dreyfuss + Blackford Architecture, a renowned architectural firm based in Northern California, became a major target of Hunters International when the group successfully breached its systems and exfiltrated 652.8 GB of highly sensitive data. The stolen data included 34.5 GB of private files, 25.4 GB of marketing materials, and 37.3 GB directly related to the firm’s Chief Financial Officer, including financial documents and internal communications.  
  • In October 2024, BNBuilders, a U.S. construction firm, reported that 936.7 GB of data had been stolen by Hunters International, including project files and client contracts. This breach could affect ongoing work and result in legal complications.  
  • Amplitude Laser, a French laser manufacturing firm, also suffered a breach, with 125.9 GB of proprietary data exfiltrated. This included sensitive information related to laser products, raising concerns about the company’s competitive position and intellectual property.

Qilin

Qilin, also known as Agenda, emerged in July 2022 as a Ransomware-as-a-Service (RaaS) group. With a focus on sectors such as healthcare, manufacturing, and financial services, Qilin uses double extortion to encrypt and steal data, threatening to leak the stolen information if victims refuse to pay.  

Initially developed in Golang and later rewritten in Rust for improved cross-platform functionality, Qilin’s ransomware targets both Windows and Linux environments. By 2024, the group had conducted over 60 confirmed attacks, gaining attention for its sophisticated techniques and the involvement of affiliates who receive 80-85% of ransom proceeds.

Significant Attacks:

  • DPC Data Inc., a leading financial data provider, was targeted by Qilin in October 2024. The group exfiltrated approximately 400 GB of sensitive data, threatening to release it if their demands were not met. DPC Data serves over 100,000 financial professionals in the municipal bond marketplace, making this a highly impactful attack.
  • United Animal Health, a U.S.-based company specializing in feed additives and nutritional products, experienced a ransomware attack from Qilin. The group exfiltrated 1,000 GB of sensitive data, including proprietary research, with a public release threat within 96 hours.
  • In one of its recent attacks, McGaughey & Keaney CPAs, a boutique accounting firm in Rockville Centre, New York, had over 250 GB of tax records and confidential client information stolen, significantly threatening the firm’s reputation and client security.  
  • Another notable incident involved Forshey Prostok LLP, a law firm in Fort Worth, Texas, where 373 GB of legal documents were exfiltrated, putting proprietary case strategies and confidential agreements at risk.

RansomHub

RansomHub, a Ransomware-as-a-Service (RaaS) group that emerged in February 2024, has quickly become a dominant force by leveraging an aggressive affiliate model. Filling the void left by groups like ALPHV/BlackCat, RansomHub specializes in double extortion tactics, encrypting data while exfiltrating sensitive information to heighten ransom demands.  

By August 2024, the group had listed over 210 victims on its dark web leak site, with attacks primarily targeting healthcare, financial services, and government sectors.

Significant Attacks:

  • RansomHub’s most notable breaches include Kleber & Associates, an Atlanta-based marketing agency, where 145 GB of sensitive marketing data and client information was stolen. The firm, generating $6 million annually, now faces reputational damage and possible operational delays.  
  • Omniboxx, a property management software company in the Netherlands, was breached by RansomHub. The group accessed 500 GB of critical organizational data and released samples as proof of the attack, putting immense pressure on the victim.
  • WinWin International, a South African e-learning provider, was also targeted. RansomHub threatened to expose sensitive data within a 5 to 6-day period, increasing pressure on the company to comply with ransom demands.


Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.