Ransomware on the Move: BlackCat/ALPHV, Medusa, Rhysida, RansomHouse

Date:

March 5, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:

BlackCat/ALPHV

An attack by the BlackCat/ALPHV ransomware group on UnitedHealth Group subsidiary Optum led to an ongoing outage impacting the Change Healthcare payment exchange platform.  

Change Healthcare warned customers on Wednesday that some of its services are offline because of a cybersecurity incident.  

One day later, UnitedHealth Group said in an SEC 8-K filing that the cyberattack was coordinated by suspected "nation-state" hackers who gained access to Change Healthcare's IT systems.  

Optum is an American healthcare services provider with business interests encompassing technology and related services, pharmacy care services and various direct healthcare services. It has been a subsidiary of UnitedHealth Group since 2011.

Hardeman County Community Health Center (HCCHC) was also attacked by the BlackCat/ALPHV ransomware group.  

Almost all of the data is from residents of Hardeman County, Tennessee: a SQL database with all private customer information, financial statements, personal documents, and more. No other information has been given.

HCCHC is a Non-Profit Federal Qualified Health Center (FQHC) that provides comprehensive, integrated, and quality healthcare services to improve the health and well-being of the patients and communities it serves.  

The mission of Hardeman County Community Health Center is to provide quality, accessible, affordable primary health care services to the residents of Hardeman County, Haywood County, Chester County, and neighboring counties.

BlackCat/ALPHV ransomware group also attacked S+C Partners. No other information has been disclosed. S+C Partners is a full-service firm of Chartered Professional Accountants, tax specialists, and business advisors with in-house expertise that extends well beyond traditional CPA Services.  

In addition to audit, accounting, and Canadian tax services, they also offer business advisory services, comprehensive IT solutions, Human Resource consulting, and in-house expertise within highly focused areas such as US taxation, business valuations, and estate planning.

The BlackCat/ALPHV gang suffered a major disruption by law enforcement recently, with reports that they took down the operator’s websites and developed a decryption tool.  

Further reports indicate the gang restored some of their infrastructure after the takedown. While the operations may have been stifled, BlackCat/ALPHV remains a top threat.

BlackCat/ALPHV was first observed in late 2021 and maintains a well-developed RaaS platform that encrypts by way of an AES algorithm. The code is highly customizable and includes JSON configurations for affiliate customization. BlackCat/ALPHV is adept at disabling security tools and evading analysis and is likely the most advanced ransomware family in the wild.

BlackCat/ALPHV is capable of employing multiple encryption routines, displays advanced self-propagation, and targets hypervisors while employing obfuscation and anti-analysis techniques. BlackCat/ALPHV can impact systems running Windows, VMware ESXi and Linux, including Debian, ReadyNAS, Ubuntu, and Synology distributions.

BlackCat/ALPHV became one of the more active RaaS platforms over the course of 2022, and attack volumes continued to increase in Q1 2023, although it was overtaken by Cl0p in the number of attacks that quarter.

Medusa

The infamous Medusa ransomware gang has attacked The Professional Liability Fund. No further details have been disclosed. For over forty years, the Oregon State Bar Professional Liability Fund (PLF) has provided malpractice coverage to lawyers in private practice in the state of Oregon. The PLF is a unique organization within the United States.

The Oregon State Bar Board of Governors created the PLF in 1977 pursuant to state statute (ORS 9.080) and with approval of the OSB membership. The PLF began operation on July 1, 1978, and has been the mandatory provider of primary malpractice coverage for Oregon lawyers since that date.

The Medusa ransomware group also attacked Penn Cinema, although no details have been given. Penn Cinema is a family-owned and independently operated movie theater. It provides an experience for its customers that is world-class.

The Medusa ransomware group also allegedly attacked JS International. No further details have been disclosed. JS International was founded in 1997 and is engaged in the manufacturing of solid wood furniture structures (cabinets, accessories, and such). The company currently has 95 employees.

Medusa is a RaaS that made its debut in the summer of 2021 and has evolved to be one of the more active RaaS platforms. Attack volumes were inconsistent in the first half of 2023 with a resurgence of attack activity in the last half of 2023.  

The attackers restart infected machines in Safe Mode to avoid detection by security software, as well as preventing recovery by deleting local backups, disabling startup recovery options, and deleting VSS Shadow Copies to thwart encryption rollback.
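As an added illustration (not code from the Halcyon post), a small Python detector that flags the recovery-inhibition and Safe Mode behaviours listed above in process-creation telemetry; the sample log lines are constructed, and the command patterns are assumptions based on the common Windows utilities that implement those behaviours, so tune them to your own logging format.

```python
import re

# Constructed sample process-creation events in "Image|CommandLine" form
# (Sysmon Event ID 1 style). These are made up for this example, not real
# telemetry from any incident described in the post.
SAMPLE_EVENTS = [
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe delete shadows /all /quiet",
    r"C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} recoveryenabled No",
    r"C:\Windows\System32\bcdedit.exe|bcdedit.exe /set {default} safeboot network",
    r"C:\Windows\System32\wbadmin.exe|wbadmin.exe delete catalog -quiet",
    r"C:\Windows\System32\notepad.exe|notepad.exe C:\Users\alice\notes.txt",
    r"C:\Windows\System32\vssadmin.exe|vssadmin.exe list shadows",
]

# Each rule pairs a technique label with a regex over the command line.
# Patterns are assumptions for this example; they are not from the post.
RULES = [
    ("VSS shadow copy deletion",   re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("WMI shadow copy deletion",   re.compile(r"shadowcopy\s+delete", re.I)),
    ("Backup catalog deletion",    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("Startup recovery disabled",  re.compile(r"bcdedit(\.exe)?.*\brecoveryenabled\s+no\b", re.I)),
    ("Boot failure prompts off",   re.compile(r"bcdedit(\.exe)?.*\bbootstatuspolicy\s+ignoreallfailures\b", re.I)),
    ("Safe Mode boot configured",  re.compile(r"bcdedit(\.exe)?.*\bsafeboot\s+(minimal|network)\b", re.I)),
]


def classify(command_line):
    """Return the technique labels matched by one command line (empty if benign)."""
    return [label for label, rx in RULES if rx.search(command_line)]


def scan(events):
    """Return (command_line, labels) for every event that matches at least one rule."""
    hits = []
    for line in events:
        _image, _, cmd = line.partition("|")
        labels = classify(cmd)
        if labels:
            hits.append((cmd, labels))
    return hits


def distinct_techniques(events):
    """Count distinct techniques seen on a host; several together is the stronger signal."""
    return len({label for _cmd, labels in scan(events) for label in labels})


if __name__ == "__main__":
    for cmd, labels in scan(SAMPLE_EVENTS):
        print(f"{', '.join(labels)}: {cmd}")
    print(f"distinct techniques on host: {distinct_techniques(SAMPLE_EVENTS)}")
```

A single `vssadmin list shadows` is routine administration and is deliberately not flagged; alert on the combination of techniques on one host within a short window rather than on any one command.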

Medusa ramped up attacks in the latter part of 2022 and was one of the more active groups in the first quarter of 2023, but appears to have waned somewhat in the second quarter.

Medusa typically demands ransoms in the millions of dollars which can vary depending on the target organization’s ability to pay.

Rhysida

The Ann & Robert H Lurie Children's Hospital of Chicago recently fell victim to a ransomware attack orchestrated by the Rhysida group. Despite the cyberattack, the hospital has managed to remain operational, albeit with some disruptions to appointments and elective surgeries.  

The attack targeted the hospital's MyChart electronic records system, leading to its temporary shutdown and the implementation of manual processes. As a result, patients experienced longer wait times for prescription requests, highlighting the far-reaching consequences of ransomware attacks on critical healthcare services.

The Rhysida ransomware group has demanded 60 bitcoins, equivalent to just over $3.4 million, in exchange for the stolen data. The attack underscores the vulnerability of healthcare facilities to cyber threats and the urgent need for robust cybersecurity measures to protect patient data and ensure the continuity of care.

Additionally, the Rhysida group targeted Ironrock, a leading manufacturer of ceramic solutions for walls and floors. While specific details of the attack remain undisclosed, the incident highlights the indiscriminate nature of ransomware attacks and their potential impact on businesses across various sectors.

Rhysida, a Ransomware-as-a-Service (RaaS) group, first emerged in May of 2023 and has since become one of the more prevalent threats in the cybersecurity landscape. The group engages in data exfiltration for double extortion, maintaining both a leaks site and a victim support portal on Tor.

Rhysida has been responsible for a series of high-profile attacks, including those against the Chilean military and Prospect Medical Holdings, which impacted services at hundreds of clinics and hospitals across the US. Despite modest attack volumes compared to other threat actors, Rhysida has steadily increased its operations and expanded its targeted industries.

The group deploys its ransomware through various methods, including Cobalt Strike frameworks and phishing campaigns. Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development, lacking certain standard features found in contemporary ransomware.

RansomHouse

The RansomHouse gang targeted the Wangkanai Group, one of Thailand's major sugar producers. While specific details of the attack remain undisclosed, the incident highlights the vulnerability of critical infrastructure to ransomware attacks and the potential for significant disruptions to essential services.

Furthermore, RansomHouse targeted Webber International University, adding the institution to its dark web portal. Although no official statements or responses have been received, the incident underscores the need for heightened cybersecurity measures to protect educational institutions from cyber threats.

Unlike traditional ransomware groups, RansomHouse does not maintain a RaaS platform. Instead, the group operates as a data extortion group, targeting organizations for financial gain.

RansomHouse has been known to attack high-profile targets, such as chipmaker AMD, and exfiltrate large volumes of data for extortion purposes.

The group's attack volumes have steadily increased in recent years, with ransom demands ranging between $1 million and $11 million. RansomHouse appears to be opportunistic in its targeting, choosing victims based on their ability to pay rather than their industry or sector.

RansomHouse maintains an active leaks site, where they engage in "name and shame" tactics to pressure victims into paying the ransom demand. The group also exfiltrates victim data for double extortion, further exacerbating the impact of their attacks.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.