Ransomware on the Move: Akira, RansomHub, RansomCortex, INC Ransom
Date: July 23, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week...
The second week of July 2024 witnessed a significant spike in ransomware attacks, affecting various sectors worldwide. Four prominent ransomware groups—Akira, INC Ransom, RansomCortex, and RansomHub—were notably active, carrying out sophisticated cyberattacks that disrupted operations and compromised sensitive data across numerous industries.
Akira
Akira is a rapidly evolving ransomware group that first appeared in March 2023 and has quickly become a significant threat to small and medium-sized businesses across various industries.
This group, believed to be affiliated with the now-defunct Conti ransomware gang, utilizes double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion.
Akira's ransom demands typically range from $200,000 to over $4 million. Their dark web leak site, featuring a retro 1980s-style interface, adds a unique element to their operations. Akira targets sectors including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications, showcasing their ability to adapt and expand their reach.
Significant Attacks:
- Usina Alta Mogiana S/A, with a reported revenue of $418.4 million, processes over 6 million tons of sugarcane annually, making the breach particularly impactful given the company's scale and critical role in the farming industry.
- Financoop, a financial cooperative institution based in Ecuador, was also targeted. The attackers threatened to release 20GB of sensitive data, which included substantial financial information and internal business documents, highlighting the severe implications for both the company and its clients.
- Inland Audio Visual, a leading systems integrator of professional audiovisual solutions based in Western Canada, suffered a ransomware attack by Akira, resulting in the exfiltration of 10GB of sensitive data. This included employee personal files, non-disclosure agreements, contracts, and financial information. Inland Audio Visual's extensive operations and reliance on advanced audiovisual technologies made them a prime target, with the breach exposing critical data and underscoring the vulnerabilities in their cybersecurity measures.
- Heidmar Inc., a global leader in crude oil and refined petroleum marine transportation services, was another notable victim. On July 10, 2024, Akira compromised approximately 20GB of data, potentially impacting the company's operational transparency and trust with stakeholders. Heidmar, headquartered in Norwalk, Connecticut, manages a fleet of tankers and operates a digital platform, eFleetWatch, for voyage and earnings transparency. With a revenue of approximately $100 million, the breach poses significant risks to Heidmar's operational integrity and client trust.
- Federated Co-operatives Limited (FCL), operating across Western Canada with numerous grocery stores and fuel facilities, also experienced a ransomware attack. The cyberattack disrupted internal and customer-facing systems, leading to significant operational disruptions, including the unavailability of online shopping and inconsistent grocery supplies in Saskatoon. FCL, a major player in Western Canada's economy with a substantial network of independent co-operatives, faced severe challenges in restoring services and securing data, highlighting the critical need for robust cybersecurity measures.
INC Ransom
INC Ransom is a highly sophisticated ransomware group that has gained significant notoriety in the cyber threat landscape.
Active since 2023, the group is distinguished by its targeted ransomware attacks on corporate and organizational networks, employing advanced techniques such as spear-phishing campaigns and exploiting vulnerabilities like CVE-2023-3519 in Citrix NetScaler.
INC Ransom operates using both encryption and exfiltration tactics, threatening to release stolen information publicly if ransom demands are not met—a strategy known as double extortion.
The group has targeted various industries, including healthcare, education, government entities, and technology companies, with notable breaches including Xerox Corp and NHS Scotland.
Significant Attacks:
- Erne AG, a manufacturer of high-quality pipe fittings for the power plant and oil and gas industries with an estimated revenue of $66 million, fell victim to an INC Ransom attack on July 16, 2024. The attack involved the encryption and theft of sensitive company data, though specifics remain under investigation. Erne AG's specialization in modern wood construction and innovative building solutions underscores the significant threat such attacks pose to businesses involved in critical infrastructure.
- The Coffee Bean & Tea Leaf, founded in 1963 and headquartered in Los Angeles, California, operates over 1,000 stores in nearly 30 countries. Known for its high-quality ingredients and innovative products like the "Original Ice Blended" drink, the company was targeted by INC Ransom, resulting in the exfiltration of substantial confidential business information. This attack highlights the vulnerability of even well-established companies to sophisticated cyber threats.
- The Alabama State Department of Education, overseeing public education for approximately 750,000 students across 138 districts with an annual revenue of $20.61 billion, managed to prevent a complete system lockdown during the attack on June 17. However, hackers accessed some data, potentially including personal information of students and employees, despite efforts to bolster cybersecurity measures and restore affected systems from clean backups.
RansomHub
RansomHub is a new ransomware group that has recently emerged in the cyber threat landscape, distinguishing itself by making claims and backing them up with data leaks.
The group, believed to have roots in Russia, operates as a Ransomware-as-a-Service (RaaS) entity, where affiliates receive 90% of the ransom money, with the remaining 10% going to the main group.
RansomHub ransomware strains are written in Golang, reflecting a growing trend among new ransomware variants. The group has targeted various countries, including the US, Brazil, Indonesia, and Vietnam, with notable victims including healthcare institutions like Change Healthcare.
Their advanced techniques and double extortion tactics, where they encrypt data and threaten to release it publicly, have made them a significant threat across multiple industries.
Notable Attacks:
- Rite Aid, an American pharmacy chain with a revenue of $24.6 billion in 2022, fell victim to a ransomware attack on June 6, 2024. The breach affected 2.2 million people and involved the theft of 10 gigabytes of data, including customer names and addresses from transactions between June 6, 2017, and July 30, 2018. Rite Aid has notified affected customers and is offering them free credit monitoring and identity protection for 12 months. This attack underscores the vulnerabilities in healthcare and retail sectors, adding to Rite Aid's ongoing challenges, including federal lawsuits and previous data breaches.
- BFC Solutions, a Nashville-based provider of preventive maintenance for commercial HVAC systems, fell victim to RansomHub. The attack disrupted their services, impacting various systems including evaporators, condensers, refrigeration racks, walk-in coolers, and self-contained units. Founded in 1961, BFC Solutions is the largest self-performing preventive maintenance provider in the United States, with over 600 employees performing more than 2,000 maintenance site visits daily. This breach highlights the vulnerabilities in BFC Solutions' digital infrastructure and the critical need for robust cybersecurity measures.
- Lynch Aluminum, a U.S.-based manufacturing company specializing in aluminum products, experienced a ransomware attack by RansomHub. The attackers reportedly accessed 100 gigabytes of sensitive data and threatened to release the information publicly within a few days unless their demands were met. This cybersecurity breach puts significant pressure on Lynch Aluminum to address the situation swiftly to safeguard its data and mitigate potential damages. The attack underscores the importance of cybersecurity in manufacturing, where disruptions can have widespread operational impacts.
RansomCortex
RansomCortex is a highly sophisticated ransomware group that has gained significant notoriety in the cyber threat landscape.
Emerging this week, the group is distinguished by its targeted ransomware attacks on healthcare facilities, employing advanced techniques to exploit the high value of healthcare data.
RansomCortex operates using both encryption and exfiltration tactics, threatening to release stolen information publicly if ransom demands are not met—a strategy known as double extortion.
The group has targeted various healthcare institutions, recognizing the critical nature of the data involved and the urgency to resolve such breaches quickly to avoid operational disruptions and patient data exposure.
Significant Attacks:
- Policlínica Dona Anita, a comprehensive healthcare facility located in Araucária, Paraná, has been serving the community since 2010. The clinic offers a wide range of medical services across various specialties, including cardiology, gynecology, and orthopedics. The ransomware attack by RansomCortex compromised approximately 30 gigabytes of sensitive data, disrupting the clinic's operations and putting patient information at serious risk.
- Instituto Respirar Londrina, a multidisciplinary healthcare facility in Brazil specializing in respiratory medicine, experienced a ransomware attack in which RansomCortex encrypted 90 gigabytes of critical data, including sensitive financial documents. This breach has severely compromised the hospital's functionality and patient care services, highlighting vulnerabilities in the healthcare sector.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.