Ransomware on the Move: BlackBasta, Fog, KillSec, RansomHub

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: BlackBasta, Fog, KillSec, and RansomHub...

‍

In the week of October 21–27, ransomware attacks intensified across various sectors, with significant breaches impacting manufacturing, finance, and education. This period saw groups like BlackBasta, Fog, KillSec, and RansomHub launching high-impact attacks on organizations, highlighting the ongoing threats these actors pose to data security and operational stability:

• BlackBasta concentrated its efforts on large enterprises, using aggressive data exfiltration and encryption tactics to cause widespread disruption.  

• The Fog ransomware group, though smaller, continued its steady approach by focusing on niche sectors, often exploiting unpatched systems and weak access controls.  

• KillSec ramped up its attacks across industries, from finance to technology, impacting companies like NoBroker, a leading proptech firm, and Mixfame, a casting platform. Both organizations experienced significant breaches involving sensitive user data.  

• RansomHub, known for its affiliate model and operational efficiency, targeted entities like Mélange Systems and MK Arrari, showcasing its adaptability in targeting diverse industries.

‍

BlackBasta

‍

Emerging in early 2022, BlackBasta rapidly established itself as a dominant ransomware operator, noted for highly targeted and aggressive attacks. Once believed to have evolved from the now-defunct Conti group, BlackBasta operates as a Ransomware-as-a-Service (RaaS) model, leveraging affiliates to extend its reach.  

‍

The group applies double extortion tactics, encrypting victims' data and threatening to publish it on their leak site if ransoms are unmet. Its operations span North America, Europe, and the Asia-Pacific region, impacting industries such as manufacturing, infrastructure, and healthcare.  

‍

With over 500 attacks to date, BlackBasta remains one of the most disruptive actors in the ransomware ecosystem. BlackBasta typically targets and exfiltrates sensitive corporate data, focusing on financial records, employee information, and proprietary documents.  

‍

Significant Attacks

• Kaiser Enterprise, a diversified manufacturing and services company, BlackBasta extracted approximately 1.5 terabytes of data, encompassing corporate and accounting records along with employee details.

• Silver Springs Bottled Water Company in Florida lost around 600 GB of data, including employee files, financial documents, and customer contracts, presenting both operational and reputational risks.

• LEWA experienced a substantial breach by BlackBasta on October 23, 2024. This attack compromised approximately 400 GB of sensitive data, which included confidential research and development files, employee records, and critical financial documentation. LEWA, with over seventy years of experience and a global presence in industries like petrochemistry, water treatment, and food production, now faces considerable risks to its proprietary information and established reputation.

• Temple, Inc., an infrastructure management company based in Alabama, was attacked by BlackBasta on October 25, 2024. The ransomware assault affected roughly 200 GB of highly sensitive data, including project designs, detailed financial records, and long-standing customer contracts. Temple, Inc.’s trusted relationships with government and municipal clients throughout the Southern United States intensify the impact of this breach, posing risks not only to the company but also to its public-sector clients.

• See more of BlackBasta’s recent ransomware attacks here

‍

Fog Ransomware

‍

Since its appearance in November 2021, Fog ransomware, a variant of the STOP/DJVU family, has become a prominent threat with its file encryption and ransom demands in Bitcoin. Initially focused on smaller organizations, Fog has expanded to more lucrative and high-profile targets, including critical infrastructure and financial sectors.  

‍

Known for swift encryption, Fog can lock files within hours, forcing rapid response from affected organizations. Fog typically gains initial access via compromised VPN credentials or unpatched systems, exploiting vulnerabilities across sectors from finance to utilities.  

‍

Significant Attacks

• Value City Furniture NJ, Fog ransomware exfiltrated 25 GB of critical data, including Social Security numbers and employee records.  

• Trimarc Financial also experienced a breach, with 3GB of sensitive data compromised. These incidents highlight Fog’s technical reach and adaptability, especially in sectors reliant on operational continuity and data privacy.

• Apache Mills, Inc., a major manufacturer of commercial and residential floor mats, suffered a severe attack by Fog ransomware, which led to the exfiltration of 27 GB of sensitive data. This compromised data included a variety of critical files, such as human resources records, personal contact information, medical documents, and essential non-disclosure agreements. Additional exposures included driver’s licenses and detailed financial records, presenting both operational and reputational risks for the $296 million company.

• Cucamonga Valley Water District (CVWD) encountered a significant breach by the Fog group, which exfiltrated 41 GB of sensitive data. This California-based water provider experienced disruptions in its phone lines and payment systems, though its water services remained intact due to effective network segmentation. The breached data included human resources records, personal contact information, and various financial documents. CVWD swiftly engaged cybersecurity professionals and alerted federal authorities, managing to restore operations without paying the demanded ransom.

• See more of Fog’s recent ransomware attacks here

‍

KillSec

‍

Originally a hacktivist group tied to the Anonymous movement, KillSec transitioned to ransomware with a RaaS platform launched in June 2024. Previously focused on government website defacements, particularly in India, KillSec’s pivot represents a broader shift among hacktivist groups incorporating criminal tactics.  

‍

With features like a C++-based locker, DDoS capabilities, and automated calls to pressure victims, KillSec demands payments through a Tor-accessible dashboard, taking a 12% commission on each ransom.

‍

KillSec applies double extortion, exfiltrating sensitive data before encryption to maximize pressure on victims. The group has shown its capability in accessing sensitive information across industries, utilizing compromised VPNs and tools like SystemBC.  

‍

Significant Attacks

• Edmov, a Turkish EdTech platform, faced a breach exposing corporate and personal data,  

• Mixfame, a Dubai-based casting platform, had personal details and modeling portfolios compromised.

• NoBroker, a major player in India’s real estate sector, experienced a ransomware attack by KillSec that compromised a substantial amount of personally identifiable information (PII). Sensitive data affected included names, addresses, PAN numbers, financial information related to stamp duty transactions, and biometric data from Aadhaar-based verifications. KillSec has demanded a ransom of $50,000 to prevent the release of this data.

• The Government of Brazil was targeted by KillSec in a high-stakes breach involving approximately 100 GB of sensitive information. The compromised data included personal and corporate information, transaction records, CNPJ/CPF numbers, contact details, and banking data. KillSec’s ransom demand of $25,000 reflects its strategic targeting of high-value governmental data.

• See more of KillSec’s recent ransomware attacks here

‍

RansomHub

‍

Emerging in early 2024, RansomHub has rapidly become a significant player in the ransomware-as-a-service (RaaS) field. Known for its adaptable affiliate model, RansomHub leverages double extortion, combining data encryption with exfiltration to maximize leverage.  

‍

Affiliating with former Knight and ALPHV/BlackCat actors, RansomHub targets large enterprises across sectors like healthcare, financial services, and government. In recent attacks, RansomHub’s affiliates have targeted high-stakes data assets, utilizing sophisticated technical capabilities.  

‍

Significant Attacks

• Mélange Systems, a wireless networking firm, RansomHub exfiltrated around 1.2 TB of proprietary data, including source code and employee credentials.  

• MK Arrari had 202 GB of client data and confidential documents exposed. These attacks illustrate RansomHub’s reach and efficiency in breaching companies with critical digital infrastructures.

• Walsin Technology Corporation, an electronics manufacturing leader with annual revenue approaching $3 billion, was targeted by RansomHub. Attackers exfiltrated 150 GB of sensitive information, including technical designs, manufacturing agreements, and certification documents. This breach places considerable pressure on the Taiwan-based company as ransom negotiations continue.

• Yorozu Corporation, a prominent automotive parts manufacturer in Japan, experienced a ransomware attack by RansomHub that compromised approximately 849 GB of data. Confidential contracts with major automakers such as Nissan, Honda, and Toyota were exposed, alongside sensitive production and financial documents. The attack has brought Yorozu’s operations to a halt, with the ransom deadline set for October 31, 2024.

• See more of RansomHub’s recent ransomware attacks here ‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.