Ransomware on the Move: Akira, Rhysida, 8Base, BianLian


October 4, 2023

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

BlackCat/ALPHV Ransomware Gang: The BlackCat/ALPHV ransomware gang launched attacks on multiple organizations. On September 25th, they targeted Clarion, a renowned manufacturer of in-car entertainment and audio systems based in Tokyo, Japan. The gang claimed to have stolen confidential data about Clarion's business, engineering information, and more.

Yusen Logistics, a subsidiary of the NYK Group and a global logistics company, was also attacked on September 25th. BlackCat/ALPHV claimed to have stolen 90GB of company information.

Pik Rite, a company specializing in agricultural and industrial equipment, fell victim to the gang's attack on September 25th, with the gang claiming to have stolen 250GB of documents.

Additionally, Pretzel-Stouffer, a law firm in Chicago, was targeted on September 25th, and the gang claimed to have stolen a massive 736GB of company data.

First observed in late 2021, BlackCat/ALPHV employs a well-developed RaaS platform that encrypts by way of an AES algorithm. The code is highly customizable and includes JSON configurations for affiliate customization.  

BlackCat/ALPHV released a new ransomware version called Sphynx with upgraded evasion capabilities.  

BlackCat/ALPHV can disable security tools and evade analysis and is probably the most advanced ransomware family at present capable of employing different encryption routines, advanced self-propagation, and hinders hypervisors to for obfuscations and anti-analysis.  

BlackCat/ALPHV can impact systems running Windows, VMWare ESXi and Linux (including Debian, ReadyNAS, Ubuntu, and Synology distributions).

Akira Ransomware Gang: The Akira ransomware gang attacked CLX Logistics, a transportation management company, on September 25th. They claimed to have stolen 26GB of client, personal, and business documents. Akira utilizes advanced tactics like closing processes and services to encrypt files effectively.

Akira first emerged in March 2023, and their extortion platform uniquely included a chat feature for victims to negotiate directly with the attackers and the group may have links to the notorious Conti gang, although this is difficult to ascertain given the Conti code was leaked in 2022.  

Interestingly, it has been observed that Akira will inform victims who have paid a ransom of the infection vectors they leveraged to carry out the attack.

Akira operates a RaaS written in C++ that is capable of targeting both Windows and Linux systems, typically by exploiting credentials for VPNs. Akira also abuses legitimate LOLBins/COTS tools like PCHunter64, making detection more difficult.

Akira modules will delete Windows Shadow Volume Copies leveraging PowerShell and is designed to encrypt a wide range of file types while avoiding Windows system files with .exe, .lnk, .dll, .msi, and .sys extensions.  

Ragnar Locker Ransomware Gang: Ragnar Locker targeted Comeca, a provider of electrical equipment and automation systems, on September 25th. However, no further details were provided.

Skatax, a tax consultancy and accounting firm in the UK, was also attacked by Ragnar Locker on September 25th, but details remained undisclosed.

J.T. Cullen, a custom metal fabrication company based in Illinois, and Praxis Arndt und Langer, a diabetologist in Germany, were targeted by Ragnar Locker on September 25th, with threats to publish stolen data if ransoms were not paid by October 2nd.

RagnarLocker is not a traditional RaaS. They first emerged in December of 2019 and were assessed to be related to or working in cooperation with Maze and MountLocker operators. RagnarLocker typically compromises victim networks through vulnerable Remote Desktop Protocol (RDP) software, a common ransomware technique.

Ragnar Locker has both Windows and Linux versions that actively detect and bypass security tools on the targeted network, as well as scanning for virtual-based machines, and any remote management solutions.  

IT encrypts with a custom Salsa20 algorithm and has been observed terminating services that managed service providers (MSPs) to remotely protect and manage customer networks.

8Base Ransomware Gang: The 8Base ransomware gang attacked several organizations. They targeted Fabricate Engineering on September 25th, claiming to have stolen a wide range of confidential information.

Springer Eubank, a bulk fuel delivery service provider in North Carolina, and J.T. Cullen, a custom metal fabrication company, were also attacked on September 25th, with similar claims of data theft.

Praxis Arndt und Langer, a diabetologist in Germany, faced an attack on the same date, with a ransom deadline set for October 2nd. The 8Base ransomware gang first emerged in March of 2022 and has quickly become one of the most active groups today.  

8Base had a "massive spike in activity" according to reports, with 67 attacks as of May 2023, with about half of targets in the business services, manufacturing, and construction sectors.  

The sophistication of the operation suggests they are an offshoot of previous operators - most likely Ransomhouse, a data extortion group that first emerged in December of 2021 that had been steadily increasing attacks in late 2022 and early 2023.  

Other researchers see a connection to the leaked Babuk builder. Like most groups today, 8Base engages in data exfiltration for double extortion and employs advanced security evasion techniques including modifying Windows Defender Firewall for bypass.

Rhysida Ransomware Gang: Rhysida targeted ORT Harmelin College of Engineering in Netanya, Israel, demanding a $26,000 ransom for stolen data. They are known for using Cobalt Strike and PSExec for lateral movement and data exfiltration.

Istituto Prosperius, an Italian healthcare institution, was attacked, with a $130,000 ransom demand.

The Kuwait Ministry of Finance also fell victim to Rhysida's attack, with a $370,000 ransom demand and a deadline set for October 2nd. Rhysida has been steadily increasing its attack volume and targeting various industries.

Rhysida is a RaaS that was first observed on May 17, 2023, Rhysida has been observed deploying Cobalt Strike or similar command-and-control frameworks and abusing PSExec for lateral movement, dropping PowerShell scripts, and for payload delivery.  

They engage in data exfiltration for double extortion and maintain both a leaks site and a victim support portal on TOR. They are thought to be responsible for attacks against the Chilean military and more recently against Prospect Medical Holdings which impacted services at hundreds of clinics and hospitals across the US.

Cl0p Ransomware Gang: Cl0p targeted Shen Milsom & Wilke, a global consulting firm specializing in technology solutions, with claims of stealing agreements, PII documents, and confidential documents.

Cl0p is a RaaS platform known for its advanced anti-analysis capabilities and exploiting vulnerabilities for infiltration. Cl0p’s Windows version was written in C++ and encrypts files with RC4 and the encryption keys with RSA 1024-bit.

Cl0p is a RaaS platform first observed in 2019. Cl0p has advanced anti-analysis capabilities and anti-virtual machine analysis to prevent investigations in an emulated environment like those commonly used by security tools.  

Cl0p is increasingly using automation to exploit known vulnerabilities to infiltrate targets, as well as a SQL injection zero-day vulnerability (CVE-2023-34362) that installs a web shell – a rarity amongst ransomware operators. Cl0p was responsible for about one-fifth (21%) of all ransomware attacks in June.

Cl0p is one of just a handful of RaaS providers that have developed a Linux version, an indication that Cl0p is likely actively recruiting new talent to help improve their platform and expand the scope of what and whom they can attack.  

In May of 2023, Cl0p began exploiting SQL injection vulnerability (CVE-2023-34362) in Progress Software's managed file transfer (MFT) solution called MOVEit Transfer which was leveraged to steal data from victim databases beginning in June. Cl0p attackers also exploited a Fortra GoAnywhere MFT server vulnerability at the beginning of 2023.

BianLian Ransomware Gang: BianLian targeted Kramer Tree Specialists, a tree care company, stealing 450GB of data. They have shifted away from traditional ransomware attacks and focus on data exfiltration and extortion.

The Lutheran Church and Preschool in Oxnard, California, also faced an attack, with a claim of stealing 200GB of finance, HR, and personal data.

BianLian is not a traditional RaaS. They first emerged in June 2022 as a typical RaaS provider with Golang-based ransomware until a decrypter was released.  

In early 2023 they appear to have abandoned the ransomware payload portion of attacks in favor of less complicated data exfiltration and extortion attacks.  

This shows how successful the double extortion strategy is for ransomware groups, and we will likely see more groups join the likes of BianLian (and Karakurt before them). BianLian leverages open-source tooling and command-line scripts to engage in credential harvesting and data exfiltration.

BianLian successfully attacked several high-profile organizations before a free decryption tool was released to help victims recover files encrypted by ransomware. The group appears to have abandoned the RaaS model in favor of pure data extortion attacks where data is exfiltrated and ransom demand issues, but no ransomware is deployed.  

BianLian has been observed deploying a custom GO-based backdoor for remote access. BianLian uses PowerShell and Windows Command Shell to bypass and evade security solutions.

LockBit Ransomware Gang: LockBit targeted Precision Practice Management, a healthcare revenue cycle management company. However, no further details were provided. LockBit is known for its triple extortion model and advanced anti-analysis capabilities.

LockBit is a RaaS that has been active since 2019 and is enabled with security tool evasion capabilities and an extremely fast encryption speed. LockBit is noted for using a triple extortion model where the victim may also be asked to purchase their sensitive information in addition to paying the ransom demand for decrypting systems.  

LockBit employs publicly available file sharing services and a custom tool dubbed Stealbit for data exfiltration. The group continues to improve their RaaS platform following the release of LockBit 3.0 in June of 2022, adding what may be the first iteration of macOS ransomware in April of 2023.  

The latest versions incorporate advanced anti-analysis features and are a threat to both Windows and Linux systems. LockBit 3.0 is modular and configured with multiple execution options that direct the behavior of the ransomware on the affected systems.

LockBit employs a custom Salsa20 algorithm to encrypt files. LockBit takes advantage of remote desktop protocol (RDP) exploitation for most infections, and spreads on the network by way of Group Policy Objects and PsExec using the Server Message Block (SMB) protocol.  

LockBit appears to also still be supporting the older LockBit 2.o variant from 2021, where the encryptor used is LockBit 2.0 but the victim is named on the LockBit 3.0 leak site.

Takeaway: Ransomware groups continue to conduct attacks on organizations across every industry vertical, with each group employing different tactics and ransom demands.  

These attacks highlight the evolving and diverse landscape of ransomware threats in recent months.

The Halcyon team of ransomware experts publish a quarterly RaaS and extortion group power ranking guide as a quick reference. The Q2-2023 report is available here: Power Rankings: Ransomware Malicious Quartile Q2 2023 (PDF).

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).