Ransomware on the Move: Akira, RansomHub, RansomCortex, INC Ransom

Date: July 23, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week...

The second week of July 2024 witnessed a significant spike in ransomware attacks, affecting various sectors worldwide. Four prominent ransomware groups—Akira, INC Ransom, RansomCortex, and RansomHub—were notably active, carrying out sophisticated cyberattacks that disrupted operations and compromised sensitive data across numerous industries.  

Akira

Akira is a rapidly evolving ransomware group that first appeared in March 2023 and has quickly become a significant threat to small and medium-sized businesses across various industries.  

This group, believed to be affiliated with the now-defunct Conti ransomware gang, utilizes double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion.  

Akira's ransom demands typically range from $200,000 to over $4 million. Their dark web leak site, featuring a retro 1980s-style interface, adds a unique element to their operations. Akira targets sectors including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications, showcasing their ability to adapt and expand their reach.

Significant Attacks:

  • Federated Co-operatives Limited (FCL), operating across Western Canada with numerous grocery stores and fuel facilities, experienced a ransomware attack. The cyberattack disrupted internal and customer-facing systems, leading to significant operational disruptions, including the unavailability of online shopping and inconsistent grocery supplies in Saskatoon. FCL, a major player in Western Canada's economy with a substantial network of independent co-operatives, faced severe challenges in restoring services and securing data, highlighting the critical need for robust cybersecurity measures.

INC Ransom

INC Ransom is a highly sophisticated ransomware group that has gained significant notoriety in the cyber threat landscape.  

Active since 2023, the group is distinguished by its targeted ransomware attacks on corporate and organizational networks, employing advanced techniques such as spear-phishing campaigns and exploiting vulnerabilities like CVE-2023-3519 in Citrix NetScaler.  

INC Ransom operates using both encryption and exfiltration tactics, threatening to release stolen information publicly if ransom demands are not met—a strategy known as double extortion.  

The group has targeted various industries, including healthcare, education, government entities, and technology companies, with notable breaches including Xerox Corp and NHS Scotland.

Significant Attacks:

  • The Coffee Bean & Tea Leaf, founded in 1963 and headquartered in Los Angeles, California, operates over 1,000 stores in nearly 30 countries. Known for its high-quality ingredients and innovative products like the "Original Ice Blended" drink, the company was targeted by INC Ransom, resulting in the exfiltration of substantial confidential business information. This attack highlights the vulnerability of even well-established companies to sophisticated cyber threats.
  • The Alabama State Department of Education, overseeing public education for approximately 750,000 students across 138 districts with an annual revenue of $20.61 billion, managed to prevent a complete system lockdown during the attack on June 17. However, hackers accessed some data, potentially including personal information of students and employees, despite efforts to bolster cybersecurity measures and restore affected systems from clean backups.

RansomHub

RansomHub is a new ransomware group that has recently emerged in the cyber threat landscape, distinguishing itself by making claims and backing them up with data leaks.  

The group, believed to have roots in Russia, operates as a Ransomware-as-a-Service (RaaS) entity, where affiliates receive 90% of the ransom money, with the remaining 10% going to the main group.  

RansomHub ransomware strains are written in Golang, reflecting a growing trend among new ransomware variants. The group has targeted various countries, including the US, Brazil, Indonesia, and Vietnam, with notable victims including healthcare institutions like Change Healthcare.  

Their advanced techniques and double extortion tactics, where they encrypt data and threaten to release it publicly, have made them a significant threat across multiple industries.

Notable Attacks:

  • BFC Solutions, a Nashville-based provider of preventive maintenance for commercial HVAC systems, fell victim to RansomHub. The attack disrupted their services, impacting various systems including evaporators, condensers, refrigeration racks, walk-in coolers, and self-contained units. Founded in 1961, BFC Solutions is the largest self-performing preventive maintenance provider in the United States, with over 600 employees performing more than 2,000 maintenance site visits daily. This breach highlights the vulnerabilities in BFC Solutions' digital infrastructure and the critical need for robust cybersecurity measures.
  • Lynch Aluminum, a U.S.-based manufacturing company specializing in aluminum products, experienced a ransomware attack by RansomHub. The attackers reportedly accessed 100 gigabytes of sensitive data and threatened to release the information publicly within a few days unless their demands were met. This cybersecurity breach puts significant pressure on Lynch Aluminum to address the situation swiftly to safeguard its data and mitigate potential damages. The attack underscores the importance of cybersecurity in manufacturing, where disruptions can have widespread operational impacts.

RansomCortex

RansomCortex is a highly sophisticated ransomware group that has gained significant notoriety in the cyber threat landscape.  

Emerging this week, the group is distinguished by its targeted ransomware attacks on healthcare facilities, employing advanced techniques to exploit the high value of healthcare data.  

RansomCortex operates using both encryption and exfiltration tactics, threatening to release stolen information publicly if ransom demands are not met—a strategy known as double extortion.

The group has targeted various healthcare institutions, recognizing the critical nature of the data involved and the urgency to resolve such breaches quickly to avoid operational disruptions and patient data exposure.

Significant Attacks:

  • Policlínica Dona Anita, a comprehensive healthcare facility located in Araucária, Paraná, has been serving the community since 2010. The clinic offers a wide range of medical services across various specialties, including cardiology, gynecology, and orthopedics. The ransomware attack by RansomCortex compromised approximately 30 gigabytes of sensitive data, disrupting the clinic's operations and putting patient information at serious risk.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.