Ransomware on the Move: Akira, LockBit, 8Base, INC, Qilin, BlackBasta
Date:
February 6, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:
Akira
The Akira ransomware group has recently claimed responsibility for a series of attacks on high-profile targets. British cosmetics retailer Lush, boasting nearly three decades of operation and close to 1,000 stores globally, found itself on Akira's hit list.
While the group hasn't shared any pilfered data from Lush publicly, the company is listed among the upcoming data releases.
Toronto Zoo, known for its commitment to connecting people, animals, and conservation science, also fell victim to Akira. The zoo disclosed a potential breach affecting current, former, and retired employees dating back to 1989.
Akira's relentless pursuit extended to Castilleja School, an independent girls' school in grades 6-12. The breach involved the exfiltration of 10 GB of data, primarily focusing on the education process and administrative information.
Akira, emerging in March 2023, exhibits unique features in its operations. Notably, its extortion platform integrates a chat feature, allowing victims direct negotiation with the attackers. Surprisingly, Akira informs victims who comply with ransom demands about the infection vectors employed in the attack – a departure from standard ransomware procedures.
The ransom demands from Akira vary, ranging from $200,000 to over $4 million. The group operates a Ransomware-as-a-Service (RaaS) platform, capable of targeting both Windows and Linux systems. Exploiting credentials for VPNs is a common tactic, and the group leverages legitimate tools like PCHunter64, making detection challenging.
Akira's malicious activities extend to the exploitation of vulnerabilities in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software, as well as VMware ESXi vulnerabilities.
LockBit
LockBit, a ransomware group operational since 2019, has left its mark on various sectors. Saint Anthony Hospital, an independent, faith-based healthcare provider in Chicago, withstood a LockBit attack.
The hospital's swift response ensured patient care continued without disruptions, though the specifics of the information impacted remain undisclosed.
Grimme Skandinavien, a provider of specialized machinery for potato and sugar beet growers, experienced an attack, resulting in system restarts and potential delays in spare parts location.
Additionally, The Caravan and Motorhome Club, operating 149 campsites across the UK, faced challenges as administrative systems were impacted.
LockBit's versatile RaaS platform demands significant ransoms, with reported figures exceeding $50 million. LockBit is renowned for its security tool evasion prowess and rapid encryption speed.
It continues to innovate, introducing a macOS ransomware variant in April 2023. LockBit 3.0, released in June 2022, features advanced anti-analysis capabilities, targeting both Windows and Linux systems. The group exploits vulnerabilities like Citrix Bleed (CVE 2023-4966) and prefers targeting larger enterprises, particularly in the healthcare sector.
8Base
The 8Base ransomware group, appearing in March 2022, has rapidly gained notoriety with a surge in activity in the latter half of 2023. Basin Trucking and Oilfield Services LLC, a provider of transportation and services for the oil and gas industry, and Groupe Sweetco, a manufacturer of childcare products, fell victim to 8Base's attacks.
8Base, a group showing signs of affiliation with experienced RaaS operators, engages in data exfiltration for double extortion. Their attacks span across business services, manufacturing, and construction sectors.
The ransomware group remains opportunistic in victim selection, emphasizing "name and shame" tactics through leaks sites to compel ransom payments. 8Base first emerged in March of 2022 and has quickly become one of the most active groups today, having displayed a "massive spike in activity" in the second half of 2023.
About half of the 8Base targets are in the business services, manufacturing, and construction sectors. The sophistication of the operation suggests they are an offshoot of experienced RaaS operators - most likely Ransomhouse, a data extortion group that first emerged in December of 2021 and was quite active in late 2022 and early 2023. Other researchers see a connection to the leaked Babuk builder.
INC Ransom
INC Ransom, a relative newcomer in the ransomware landscape since the summer of 2023, has left a trail of destruction. North American University, a small educational institution in Houston, TX, witnessed a massive 108 GB data breach, including student records, HR, financial data, and admission documents, fully published by the group.
OrthoNY Orthopedic Care, specializing in orthopedic issues, sports injuries, and work-related injuries, also fell prey to INC Ransom.
The group employs common tactics like leveraging compromised RDP credentials and Living-off-the-Land techniques for lateral movement and data exfiltration. INC's diverse targets include manufacturing, retail, IT, hospitality, pharma, construction, and the public sector.
INC has been observed delivering ransomware using legitimate tools like WMIC and PSEXEC and uses other Living-off-the-Land (LOTL) techniques, abusing applications including MSPaint , WordPad, NotePad, MS Internet Explorer, MS Windows Explorer, and AnyDesk for lateral movement. INC has also been observed abusing tools like Esentutl for reconnaissance and MegaSync for data exfiltration.
Qilin
Qilin, also known as Agenda, operates as a RaaS since July 2022, utilizing the Go and Rust programming languages for its malicious activities. The group claimed attacks against Mordfin, an accounting and advisory group, and Wannago Cloud, a cloud service provider in the UAE.
Qilin's deployment of Rust enhances its evasive capabilities, allowing customization for various operating systems. Qilin ransomware adopts unique tactics, such as altering filename extensions and terminating specific processes and services.
The group operates a double extortion scheme, demanding payment for both decryptor and non-disclosure of stolen data. Qilin's cross-platform capabilities make it a potent threat against Windows, Linux, and other operating systems.
BlackBasta
BlackBasta, emerging in early 2022, has quickly become one of the most prolific ransomware groups. The energy services provider, High Arctic Energy Services, suffered a massive 345GB data breach, including HR, financial data, executive and governance information, and project details.
Prudent Publishing, the owner of the Gallery Collection, experienced a ransomware attack without specific details on the compromised data.
BlackBasta, believed to be an offshoot of the disbanded Conti and REvil groups, targets organizations with highly targeted attacks and engages in double extortion. The group's estimated ransom revenue exceeds $107 million, showcasing its efficacy in the ransomware business.
Black Basta is particularly adept at exploiting vulnerabilities in VMware ESXi running on enterprise servers. Black Basta ransomware is written in C++, can target both Windows and Linux systems, encrypts data with ChaCha20, and then the encryption key is encrypted with RSA-4096 for rapid encryption of the targeted network.
In some cases, Black Basta leverages malware strains like Qakbot and exploits such as PrintNightmare during the infection process. As these ransomware groups continue to innovate and adapt, organizations must remain vigilant and proactive in defending against these malicious actors.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
