Ransomware on the Move: Arcus Media, Black Basta, El Dorado, Medusa

Date:

June 25, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs that were on the move last week:

Arcus Media

Arcus Media, a new ransomware group active since May 2024, has already been responsible for at least six incidents in the first week of June 2024. Known for its use of direct and double extortion methods, the group employs phishing emails for initial access, custom ransomware binaries, obfuscation techniques, and tools like Mimikatz for privilege escalation.  

They maintain persistence through scheduled tasks and registry modifications. Operating as a Ransomware-as-a-Service (RaaS), Arcus Media has an affiliate program requiring referrals and vetting. Arcus Media executed high-profile attacks on various organizations from June 3rd to June 9th.  

This week's targets include Langescheid GbR, Franja IT Integradores de Tecnología, Duque Saldarriaga, BHMAC, and Botselo Mills Ltd. They have targeted sectors such as Manufacturing, Healthcare Services, Real Estate, and Construction. The group's TOR site lists victim shares, and their operations resemble those of DarkSide, REvil, and LockBit but with a distinct affiliate program.

The attacks carried out by Arcus Media in the past week have led to the exfiltration of large volumes of sensitive data, including financial documents, personally identifiable information (PII), intellectual property, and operational data. The total amount of exfiltrated data across all reported attacks is as follows:

The threat actor has exfiltrated significant amounts of data from various organizations. Langescheid GbR, a logistics company, had 514 GB of logistics and customer data stolen. Franja IT Integradores de Tecnología, involved in tech integration, lost 49 GB of client information and operational data.  

Duque Saldarriaga, a manufacturing firm, had 270 GB of production data and client records taken. BHMAC, active in mine action, saw 833 GB of operational and personnel data exfiltrated. Botselo Mills Ltd, an agriculture business, suffered the theft of 5 TB of financial and operational data.

Arcus Media Attacks:

  • Langescheid GbR, a German logistics partner, was targeted by Arcus Media, resulting in the encryption of critical logistics and customer data. The attack caused significant operational disruptions, preventing the company from managing and tracking shipments effectively. The breach exposed sensitive customer contracts, shipment schedules, and internal communication records.
  • Franja IT Integradores de Tecnología, a Colombian tech integration company, faced a significant breach, with sensitive client information and operational data compromised. The exfiltrated data included detailed project plans, client proposals, and proprietary software code, severely impacting the company's ability to deliver ongoing projects and maintain client trust.
  • See more of Arcus Media’s recent ransomware attacks here

BlackBasta

BlackBasta ransomware group has executed high-profile attacks on various organizations during the week of June 3rd to June 9th. This week's targets include Akdeniz Chemson, Elutia, The Robson Companies, Inc., Talalay Global, SSI Shredding Systems, Inc., and Driver Group Plc.  

BlackBasta is known for its double extortion tactics, where they steal data before encrypting systems and demand ransom for decryption and data deletion. This approach significantly impacts the targeted organizations financially and operationally.

The BlackBasta group has emerged as a formidable threat in the cybersecurity landscape, executing a series of high-profile ransomware attacks in June 2024. This group has targeted various industries, resulting in significant data breaches and operational disruptions. The attacks have compromised vast amounts of sensitive information, including financial, human resources, and corporate data.  

In total, BlackBasta has exfiltrated approximately 2.13 TB of sensitive data from these organizations, causing substantial operational disruptions and exposing confidential information. The targeted industries include Manufacturing, Healthcare Services, Real Estate, and Construction. The BlackBasta ransomware group has executed several significant data exfiltration attacks.  

On June 8, 2024, they stole over 500GB of sensitive data from Akdeniz Chemson, including financial and HR information. From the company named Elutia, they exfiltrated over 550GB of employee personnel files, finance, payroll, HR data, tax forms, passports, and research and development documents.  

They also took 6GB of sensitive data from The Robson Companies, Inc., including HR, accounting, payroll records, employee personal documents, and client data. Talalay Global saw 300GB of data encrypted, encompassing company information, HR records, payroll, accounting details, and employee personal information.

BlackBasta Attacks:

  • Akdeniz Chemson, a chemical manufacturing company, was targeted by BlackBasta on June 8, 2024, leading to the theft of over 500GB of financial and HR information. The group issued a ransom demand with a deadline of June 13, 2024, threatening to release the stolen data if the ransom is not paid. This breach has caused substantial operational disruptions for Akdeniz Chemson, impacting its role as a key supplier in the global PVC and polymer industry.
  • The Robson Companies, Inc., a real estate development firm, was compromised by BlackBasta, resulting in the theft of 6009 bytes of sensitive data, including HR, accounting, payroll records, personal documents, and client data. The attack has significantly impacted The Robson Companies' business operations, compromising critical data and potentially exposing sensitive information of both employees and clients.
  • Driver Group Plc, a consultancy firm, fell victim to a ransomware attack executed by BlackBasta, resulting in the compromise of 530GB of data. The stolen information included corporate accounts, HR, finance records, personal user data, and confidential project information. The attack underscores the vulnerabilities faced by consultancy firms and the potential impact on their operations and client relationships.
  • See more of BlackBasta’s recent ransomware attacks here

El Dorado

El Dorado, a newly discovered ransomware group, executed high-profile attacks on various organizations during the first week of June 2024. This week's targets include Gough Homes, Adams Homes, Baker Triangle, CelPlan Technologies, and the City of Pensacola.

The type of data exfiltrated is unknown but might include financial documents, personally identifiable information (PII), intellectual property, and operational data. El Dorado provides limited information, typically only revealing the amount of exfiltrated data and occasionally a negotiation message. Their sophisticated ransomware campaigns have impacted sectors such as construction, telecommunications, government, and education.

El Dorado is known for its double-extortion tactic of encrypting and exfiltrating sensitive data, then threatening to release it unless a ransom is paid. They began their attacks seven months ago but only publicly claimed them in the first week of June, targeting 15 victims through phishing, exploiting software vulnerabilities, and using legitimate system tools maliciously.

Their ransom notes, titled HOW_RETURN_YOUR_DATA.TXT, claim they are former "white hat" hackers turned to crime due to poor compensation and use threats of data leaks and ongoing attacks to pressure victims. Their operations span various sectors, including SMBs and critical infrastructure, raising significant cybersecurity concerns.

The attacks carried out by El Dorado have led to the exfiltration of large volumes of sensitive data, totaling approximately 7.1TB. For instance, Baker Triangle lost 2.7TB of operational and personnel data, Istituto di Istruzione Superiore Giulio Natta had 40.5GB exfiltrated, Lindostar S.r.l. lost 2.7GB, and Tankerska Plovidba d.d. had 1.7TB taken.  

Based on the available information, the total compiled revenue just from five out of fifteen affected companies—Adams Homes, Baker Triangle, CelPlan Technologies, HTE Technologies, and Thunderbird Country Club—is approximately $165.3 million.

El Dorado Attacks:

  • Gough Homes, a family-owned construction business in West Jordan, Utah, specializing in custom-built homes, was targeted by El Dorado. The ransomware attack resulted in the exfiltration of 2.8GB of sensitive data, potentially including client contracts, architectural plans, and financial documents. The breach threatened the company's reputation for high-quality craftsmanship and sustainable building practices. The public disclosure of the stolen data could lead to a loss of client trust and potential legal repercussions.
  • Thunderbird Country Club, a prestigious institution in Rancho Mirage, California, was targeted by El Dorado. The ransomware attack resulted in the exfiltration of 28.9GB of data, including member records, financial documents, and event schedules. The breach disrupted the club's operations, affecting their ability to provide high-quality amenities and activities to members. The stolen data, now for sale on El Dorado's dark web leak site, could be used for identity theft or financial fraud.
  • See more of El Dorado’s recent ransomware attacks here

Medusa  

The Medusa ransomware group, emerging in late 2022, operates as a Ransomware-as-a-Service (RaaS) platform, allowing affiliates to launch attacks. Distinct from the similarly named MedusaLocker, the group has gained notoriety through high-profile attacks globally.

In early 2024, Medusa attacked the Tarrant Appraisal District in Texas, demanding a $700,000 ransom, causing significant operational impacts and prompting an ongoing investigation. Medusa's ransomware kills numerous applications and services to prevent detection, disables shadow copies to thwart recovery efforts, and encrypts critical data with substantial ransom demands.  
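The behaviours described above for Medusa (stopping services and deleting shadow copies before encryption) and earlier for Arcus Media (persistence via scheduled tasks and registry modifications) all leave traces in process-creation telemetry. The following detection sketch is an added example, not code from Halcyon or from this post: it runs a handful of generic, publicly documented indicator patterns over constructed process-creation events and groups the matches per host so a responder can see which machines show recovery inhibition or several pre-encryption behaviours at once. The hostnames, usernames, command lines and the triage threshold are all made up for illustration.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (host, user, command line).
# These are invented log lines for illustration, not data from any real incident.
SAMPLE_EVENTS = [
    {"host": "ws-07", "user": "jdoe", "cmd": r"C:\Windows\System32\notepad.exe C:\Users\jdoe\notes.txt"},
    {"host": "ws-07", "user": "jdoe", "cmd": r"vssadmin.exe delete shadows /all /quiet"},
    {"host": "srv-02", "user": "SYSTEM", "cmd": r"wmic.exe shadowcopy delete"},
    {"host": "srv-02", "user": "SYSTEM", "cmd": r'schtasks.exe /create /sc onlogon /tn "Updater" /tr "C:\ProgramData\tool.exe"'},
    {"host": "ws-11", "user": "mlee", "cmd": r'reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v svc /d "C:\Users\mlee\AppData\Roaming\svc.exe"'},
    {"host": "srv-02", "user": "SYSTEM", "cmd": r"net.exe stop MSSQLSERVER /y"},
    {"host": "srv-02", "user": "SYSTEM", "cmd": r"taskkill.exe /F /IM sqlservr.exe"},
    {"host": "ws-11", "user": "mlee", "cmd": r"schtasks.exe /query /tn Backup"},
]

# Generic indicator patterns for the behaviours the post describes:
# recovery inhibition (shadow copy deletion, boot recovery disabled),
# service/process termination ahead of encryption, and persistence via
# scheduled tasks or Run keys. Tags are assumed names chosen for this example.
RULES = [
    ("inhibit_recovery", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("inhibit_recovery", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("inhibit_recovery", re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\s+no\b", re.I)),
    ("service_stop", re.compile(r"\bnet(\.exe)?\s+stop\b", re.I)),
    ("service_stop", re.compile(r"\btaskkill(\.exe)?\s+.*/IM\b", re.I)),
    ("persistence_schtask", re.compile(r"\bschtasks(\.exe)?\s+/create\b", re.I)),
    ("persistence_runkey", re.compile(r"\breg(\.exe)?\s+add\b.*\\CurrentVersion\\Run", re.I)),
]


def classify(cmdline):
    """Return the set of behaviour tags whose pattern matches one command line."""
    return {tag for tag, pattern in RULES if pattern.search(cmdline)}


def summarize(events):
    """Aggregate matched behaviour tags per host; hosts with no matches are omitted."""
    per_host = defaultdict(set)
    for event in events:
        per_host[event["host"]] |= classify(event["cmd"])
    return {host: sorted(tags) for host, tags in per_host.items() if tags}


def flag_hosts(events):
    """Hosts worth immediate triage: any recovery inhibition, or two or more
    distinct behaviour categories on the same machine (assumed threshold)."""
    flagged = []
    for host, tags in summarize(events).items():
        if "inhibit_recovery" in tags or len(tags) >= 2:
            flagged.append(host)
    return sorted(flagged)


if __name__ == "__main__":
    for host, tags in summarize(SAMPLE_EVENTS).items():
        print(f"{host}: {', '.join(tags)}")
    print("flag for triage:", flag_hosts(SAMPLE_EVENTS))
```

Shadow copy deletion is treated as sufficient on its own because there are few benign reasons for it on a workstation, whereas a single `net stop` or scheduled-task creation is routine administration and is only escalated when it co-occurs with other categories on the same host. In production the patterns would be fed from Sysmon event ID 1 or Windows Security event 4688 command lines rather than an inline list.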

Their attacks have targeted various sectors including non-profit organizations, business services, hospitality, and healthcare. Notable incidents include attacks on Inside Broadway, Market Pioneer International Corp, Mercy Drive Inc., Oracle Advisory Services, and Radiosurgery New York, compromising large amounts of sensitive data.

During the week of June 3 to June 9, the Medusa ransomware group launched a series of high-profile cyberattacks, resulting in the exfiltration of 319 GB of sensitive data from various organizations. The stolen data included patient information, financial records, client details, and confidential internal communications, highlighting the significant impact on both the privacy and operational integrity of the affected entities. Some examples include:

Medusa, a notorious ransomware threat actor, has exfiltrated significant amounts of data from multiple organizations. Radiosurgery New York (RSNY) experienced a breach of 64.7 GB, raising concerns about medical information security.  

The Women's Sports Foundation had 36.5 GB leaked, highlighting vulnerabilities in non-profits. Inside Broadway lost 1.3 GB of data. Market Pioneer International Corp had 42.2 GB exfiltrated, impacting essential services. Mercy Drive Inc. suffered a breach of 161.1 GB, raising concerns about client information security. Oracle Advisory Services lost 13.2 GB, risking its operations and reputation.

The types of data stolen include sensitive patient data from RSNY, non-profit organization data from the Women's Sports Foundation and Inside Broadway, logistics data from Market Pioneer International Corp, sensitive client information from Mercy Drive Inc., and financial and client data from Oracle Advisory Services. These incidents underscore the broad and destructive reach of Medusa.

Medusa Attacks:

  • Radiosurgery New York (RSNY), a healthcare provider specializing in non-invasive fractionated stereotactic radiosurgery treatments for cancer patients, was targeted by Medusa. The ransomware attack resulted in the exfiltration of 64.7GB of sensitive data, including patient records, financial documents, and treatment plans. The breach disrupted the center's operations, affecting their ability to provide advanced radiation therapy treatments. The stolen data, now up for sale on Medusa's dark web leak site, poses a significant risk to patient confidentiality and could lead to legal consequences.
  • The Women's Sports Foundation, a non-profit organization dedicated to advancing the lives of women and girls through sports and physical activity, was targeted by Medusa. The ransomware attack involved the exfiltration of 36.5GB of sensitive data, including financial documents, internal communications, and program details. The breach disrupted the foundation's operations, affecting their ability to provide advocacy, research, and community programs. The stolen data, now up for sale on Medusa's dark web leak site, poses a significant risk to the foundation's reputation.
  • See more of Medusa’s recent ransomware attacks here

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.