Ransomware on the Move: BianLian, Helldown, Meow, RansomHub
Date: August 27, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: BianLian, Helldown, Meow, and RansomHub.
In the week spanning August 12 to August 18, 2024, the cybersecurity landscape saw an uptick in ransomware activities, with some of the most prolific ransomware groups intensifying their operations. The frequency and sophistication of these attacks highlight the persistent and evolving threat that ransomware continues to pose to organizations across multiple sectors.
Among the most active were four notorious ransomware groups: BianLian, Helldown, Meow, and RansomHub. Their targets spanned a wide range of industries such as manufacturing, business services, and construction.
Notable victims included Mohawk Valley Cardiology PC and Benson Kearley IFG, both attacked by BianLian, while Helldown set its sights on Zyxel Networks and Hug-Witschi AG. Meow disrupted operations at Lennartsfors AB and Zydus Pharmaceuticals, and RansomHub targeted Regent Caravans and Manotherm.
As these ransomware groups continue to refine their techniques, the attacks during this period underscore the importance of strong cybersecurity measures and constant vigilance among organizations. The fallout from these incidents serves as a reminder of the critical need for proactive defense strategies in an increasingly hostile cyber environment.
BianLian
BianLian has quickly established itself as one of the most active groups in the ransomware threat landscape. The ransomware operation, active since 2022, shares its name with an earlier Android banking trojan, but the two have not been confirmed to be the same actor. It operates mainly across North America and Europe, with a particular focus on the United States, United Kingdom, and Canada, and targets sectors rich in high-value data, including healthcare, finance, manufacturing, and professional services. Unlike ransomware models that rely primarily on encryption, BianLian has shifted to exfiltration-based extortion, threatening to publish stolen data unless a ransom is paid. Its intrusions typically begin with valid but compromised Remote Desktop Protocol (RDP) credentials and rely on a custom backdoor for persistence, which makes RDP logons from unexpected accounts or source addresses a high-value detection for defenders.
BianLian's attacks frequently involve the theft of significant amounts of sensitive data, which they use to coerce their victims. A notable incident involved Southwest Family Medicine Associates, a healthcare provider in Dallas, Texas, where the group exfiltrated 400 GB of sensitive data, including patient records and personal information. Similarly, PBC Companies, a construction firm in California, suffered a breach that resulted in the theft of 300 GB of critical project information and business data. These cases illustrate the severe operational and reputational damage that BianLian's attacks can inflict.
Significant Attacks Claimed by BianLian
- Benson, Kearley & Associates Insurance Brokers Ltd. (BK&A), a prominent insurance brokerage with an estimated annual revenue of $20.9 million, was targeted by BianLian in a major ransomware attack disclosed on August 12, 2024. The attackers exfiltrated 1.4 terabytes of critical data, including customer databases, insurance policies, passports, confidential company documents, and operational records. The breach also compromised HR folders, file server data, and network users' personal folders. In response, BK&A immediately took systems offline, engaged third-party cybersecurity experts, and launched a comprehensive investigation. The company has begun notifying affected customers, emphasizing that there is currently no evidence of misuse for fraudulent purposes. BK&A is focused on implementing enhanced security measures and restoring operations while assuring clients that their information is being protected.
- Mohawk Valley Cardiology PC, a healthcare provider specializing in cardiovascular care with over $5 million in annual revenue, was targeted by the BianLian ransomware group in an attack discovered on August 19, 2024. The breach resulted in the theft of 80 gigabytes of sensitive data, including accounting records, medical and personal information, pharmaceutical data, insurance details, and files from the clinic president's PC. The compromised data also included network users' personal folders and critical fileserver data. The BianLian group has threatened to release the stolen data unless negotiations occur, putting the clinic under significant pressure. This incident highlights the severe vulnerabilities in the healthcare sector and the potential risks to patient confidentiality and data integrity.
Helldown
Helldown, a relatively new but aggressive ransomware group, has rapidly made a name for itself. Its encryptor reportedly uses standard primitives (AES, Salsa20, and RSA), and the group relies on dark web infrastructure and cryptocurrency payments to stay anonymous. It gains access by exploiting vulnerabilities in exposed systems and disables security tooling once inside, and it has hit companies in IT services, telecommunications, and manufacturing. Helldown's strategy is to exfiltrate large volumes of sensitive data and threaten to publish it unless a ransom is paid, a double-extortion tactic that has proven both effective and destructive.
During the week of August 12-18, 2024, Helldown executed several high-profile attacks, compromising significant amounts of sensitive data. For instance, KBO Fire & Security Ltd, a UK-based company specializing in fire and security solutions, was targeted, resulting in the exfiltration of critical business data. Similarly, XPERT Business Solutions GmbH, a Vienna-based company specializing in legal technology solutions, suffered a breach where 32 GB of sensitive data was stolen. These attacks underscore Helldown’s capacity to cause substantial operational disruptions and financial losses, affecting companies that are leaders in their respective industries.
Significant Attacks Claimed by Helldown
- Zyxel Networks, a global networking and cybersecurity vendor, was listed by the Helldown ransomware group during the week of August 12-18, 2024, with the group claiming to have exfiltrated 253 GB of sensitive data. Zyxel is known for pioneering products such as the world's first integrated 3-in-1 data/fax/voice modem. If the claim holds, the breach would expose customer information and damage Zyxel's reputation as a provider of networking and security equipment.
- Hug-Witschi AG, a leading Swiss IT services and payment technology provider, was also targeted by Helldown within the same week. The ransomware group successfully stole 67 GB of sensitive data, which they subsequently showcased on their Dark Web portal as proof of the breach. This incident underscores the vulnerabilities that even established firms like Hug-Witschi AG face, highlighting the ongoing threat posed by sophisticated ransomware attacks.
Meow
Meow Ransomware, which surfaced in late 2022, has become increasingly active in 2024, targeting organizations primarily in the United States. Believed to be built from the leaked Conti v2 source code, Meow uses common initial-access methods including phishing emails, exploit kits, and exposed or weakly protected Remote Desktop Protocol (RDP) services. Its encryptor follows the hybrid pattern typical of Conti-derived code: file contents are encrypted with ChaCha20 and the ChaCha20 keys are wrapped with an RSA-4096 public key, so recovery without the attackers' private key is not feasible. After a period of inactivity the group resurged and now runs a data leak site listing victims who refused to pay. Its operations often focus on industries holding sensitive data, such as healthcare, making it a persistent threat.
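Both BianLian (compromised RDP credentials) and Meow (exposed RDP) are described above as getting in through Remote Desktop. The following is an added example, not Halcyon's tooling and not anything from these groups, of the detection a defender would run over Windows Security logon events to catch that initial access: it flags RDP (Logon Type 10) successes preceded by a burst of failures, RDP successes from non-internal addresses, and RDP use by accounts outside a baseline. The log format and the baseline account list are constructed for the example; real 4624/4625 records would be pulled from the event log or a SIEM.

```python
"""Flag suspicious RDP logons in Windows Security log records.

Added example (not Halcyon's tooling, nor any ransomware group's code).
Input is a constructed, simplified text rendering of Event ID 4624/4625
fields, one record per line:
    <timestamp> <event_id> <account> <logon_type> <source_ip>
Logon Type 10 (RemoteInteractive) is an RDP session. With Network Level
Authentication enabled, failed RDP attempts are logged as 4625 with
Logon Type 3 (Network), so failures of either type are counted.
"""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass

RDP_LOGON_TYPE = 10
NETWORK_LOGON_TYPE = 3
SUCCESS, FAILURE = 4624, 4625
FAILURE_THRESHOLD = 3  # failures from one (account, source) right before a success

# Hypothetical baseline: accounts that are expected to use RDP at all.
KNOWN_RDP_ACCOUNTS = {"jsmith"}

# RFC 1918 plus loopback; anything else is treated as external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class LogonEvent:
    time: str
    event_id: int
    account: str
    logon_type: int
    source_ip: str


def parse_line(line: str) -> LogonEvent:
    """Parse one line of the simplified (constructed) log format."""
    ts, eid, account, ltype, ip = line.split()
    return LogonEvent(ts, int(eid), account, int(ltype), ip)


def is_external(ip: str) -> bool:
    """True when the source address is outside RFC 1918 / loopback space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_suspicious_rdp(events, known_accounts=KNOWN_RDP_ACCOUNTS,
                          threshold=FAILURE_THRESHOLD):
    """Return (rule, account, source_ip, time) tuples for RDP logons worth triage.

    brute_force_then_success  >= threshold failures from the same (account, source)
                              immediately before a successful RDP logon
    external_rdp_logon        successful RDP logon from a non-internal address
    unbaselined_rdp_account   successful RDP logon by an account not in the baseline
    """
    alerts = []
    failures = defaultdict(int)  # (account, source_ip) -> consecutive failures
    for ev in sorted(events, key=lambda e: e.time):  # ISO timestamps sort lexically
        key = (ev.account, ev.source_ip)
        if ev.event_id == FAILURE and ev.logon_type in (RDP_LOGON_TYPE, NETWORK_LOGON_TYPE):
            failures[key] += 1
            continue
        if ev.event_id != SUCCESS or ev.logon_type != RDP_LOGON_TYPE:
            continue  # console, service and non-RDP network logons are out of scope
        if failures[key] >= threshold:
            alerts.append(("brute_force_then_success", ev.account, ev.source_ip, ev.time))
        failures[key] = 0  # a success resets the streak
        if is_external(ev.source_ip):
            alerts.append(("external_rdp_logon", ev.account, ev.source_ip, ev.time))
        if ev.account not in known_accounts:
            alerts.append(("unbaselined_rdp_account", ev.account, ev.source_ip, ev.time))
    return alerts


# Constructed sample log, not taken from any real incident.
SAMPLE_LOG = """\
2024-08-12T02:11:03Z 4625 svc_backup 3 203.0.113.45
2024-08-12T02:11:09Z 4625 svc_backup 3 203.0.113.45
2024-08-12T02:11:15Z 4625 svc_backup 10 203.0.113.45
2024-08-12T02:11:22Z 4624 svc_backup 10 203.0.113.45
2024-08-12T08:30:00Z 4624 jsmith 10 10.0.0.25
2024-08-12T08:31:00Z 4624 jsmith 2 10.0.0.25
2024-08-12T09:00:00Z 4624 jdoe 10 10.0.0.30
"""


def run_sample():
    """Parse the constructed log and return the alerts it produces."""
    events = [parse_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect_suspicious_rdp(events)


if __name__ == "__main__":
    for alert in run_sample():
        print(*alert)
```

On the sample, the service account logging in over RDP from a TEST-NET address after three failures trips all three rules, while jsmith's normal internal session produces nothing. The baseline set is the part that needs real data: build it from a few weeks of 4624 Type 10 events before turning the third rule on, or it will page on every legitimate first-time user.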
Meow Ransomware’s attacks generally involve the exfiltration of substantial amounts of sensitive data, which they then leverage to pressure victims into paying ransoms. A recent attack on Lennartsfors AB, a Swedish company specializing in off-road and on-road transport equipment, saw the group steal 17 GB of sensitive organizational data. This breach included employee information, client data, and financial records, severely disrupting the company’s operations. Similarly, Rostance Edwards, a UK-based accountancy firm, was compromised by Meow Ransomware, resulting in the theft of 7 GB of data. The stolen data encompassed client information, personal data, and financial records, posing a significant risk to both the firm’s reputation and its clients' privacy.
Significant Attacks Claimed by Meow
- Safefood, an organization dedicated to promoting food safety and healthy eating across Ireland, fell victim to a ransomware attack orchestrated by Meow Ransomware. The attackers claimed to have exfiltrated over 200 GB of confidential data, including employee information, client details, financial records, and other sensitive materials. This data is being sold for $3,000 on the dark web, posing a severe threat to Safefood's operations and public health initiatives.
- Gaston Fence Co., Inc., a well-established fencing solutions provider in North Carolina, also suffered a ransomware attack by Meow Ransomware. The group exfiltrated over 20 GB of data, including employee information, client details, and financial records. This stolen data is being marketed for $6,000, with a discounted price of $2,000 for multiple buyers, jeopardizing the company’s reputation and the privacy of its clients and employees.
RansomHub
RansomHub, a relatively new ransomware group, has quickly gained notoriety since its emergence in early 2024. Operating as a Ransomware-as-a-Service (RaaS) platform, RansomHub offers an unusually affiliate-friendly revenue split in which affiliates keep 90% of the ransom and the core group takes 10%. Believed to have roots in Russia, RansomHub targets organizations across many industries and countries, including the United States, Brazil, Indonesia, and Vietnam. Its encryptor, written in Go, is noted for its speed and cross-platform support, allowing affiliates to deploy it against both Windows and Linux systems.
RansomHub's operations are characterized by the rapid encryption of files and the exfiltration of large volumes of sensitive data, which they use as leverage to demand substantial ransoms. In a recent attack on NRcollecties.nl, a Netherlands-based luxury goods and jewelry company, RansomHub exfiltrated over 8 gigabytes of sensitive data, including documents, databases, and source code. The attackers threatened to release this data if their ransom demands were not met, putting significant pressure on the company. Another incident involved Allan McNeill Chartered Accountants, a New Zealand-based firm, where RansomHub managed to steal 30 gigabytes of data, including potentially sensitive financial information, posing a significant risk to the firm's clients and operations.
Significant Attacks by RansomHub
- Regent Caravans, a luxury caravan manufacturing company based in Australia, was targeted by RansomHub in early August 2024. The attackers stole 30 gigabytes of sensitive data, including CAD files, ordering details, and employee ID photos. Despite the data leak, Regent Caravans confirmed the security of their backups and opted not to negotiate with the attackers. The breach involved the exposure of HR-related data and some financial records, compelling the company to take immediate cybersecurity measures and notify affected employees and customers.
- Goldman & Peterson, PLC, a San Antonio-based law firm specializing in insurance defense, was also victimized by RansomHub. The group claimed to have exfiltrated 2.5 terabytes of sensitive organizational data, including legal documents and client information, threatening to publish the data within 6 to 7 days if their demands were not met. This attack is particularly alarming due to the sensitive nature of the data involved, which could have serious implications for the firm’s clients and its ongoing legal cases.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more.