Ransomware on the Move: BlackSuit, Meow, Monti, RansomHub
Date: September 10, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week...
Between August 26 and September 1, 2024, ransomware activity escalated significantly, with four prominent ransomware groups—BlackSuit, Meow, Monti, and RansomHub—collectively responsible for an intense wave of cyberattacks across multiple industries.
These groups targeted high-profile organizations, such as Complete Payroll Solutions and Ciot, compromising critical data in sectors that included manufacturing, healthcare services, construction, and retail.
The impact was widespread, with RansomHub alone exfiltrating over 1TB of data from the home improvement company Ciot, while Meow's breach of Complete Payroll Solutions resulted in the exposure of sensitive payroll and personal information.
The manufacturing and healthcare sectors were particularly vulnerable during this period. BlackSuit and Monti focused their attacks on these industries, exploiting security gaps in older infrastructure and systems that were not adequately patched.
Healthcare services, with vast amounts of sensitive data and critical operations, proved an attractive target, while manufacturing companies faced disruption due to their reliance on complex supply chains.
Retail and construction were also hit hard, with RansomHub leveraging its sophisticated Ransomware-as-a-Service (RaaS) model to breach large organizations in these sectors, demanding steep ransoms through a combination of data encryption and exfiltration.
BlackSuit
BlackSuit, a ransomware group that surfaced in 2023, has rapidly become a significant threat in the cybersecurity domain.
With strong ties to the notorious Royal ransomware group, BlackSuit targets both Windows and Linux systems, particularly VMware ESXi servers. It appends the distinctive “.BlackSuit” extension to encrypted files and directs victims to a Tor-based portal for communication and ransom negotiation.
Known for its attacks on a broad range of industries, including healthcare, IT services, and manufacturing, BlackSuit’s operations have had a global impact, particularly across the United States and Europe.
The group’s dual extortion model—combining data encryption with data theft—heightens the pressure on victims to meet ransom demands, making it a particularly formidable adversary.
BlackSuit is known for exfiltrating large volumes of sensitive data before encryption, targeting internal documents, financial records, and operational data. For example, Effortless Office, an IT managed services provider, saw 72 ESXi servers and over 5,000 virtual machines compromised, exposing client data from over 30 of the 90 companies it services.
In another instance, MorningStar Senior Living, a senior care provider, had over 41 GB of sensitive HR, financial, and management files stolen, severely disrupting its operations and putting resident care at risk.
Significant attacks attributed to BlackSuit:
- Nevada Heart Vascular Center: BlackSuit ransomware infiltrated the Nevada Heart Vascular Center, compromising more than 23,886 files and 6,713 directories, equating to over 41 GB of data. The stolen information included medical records, compliance documents, and billing logs, significantly affecting the operations of the center, which generates $16.9 million in annual revenue. The breach raised serious concerns about patient confidentiality and operational disruption.
- Southwest Traders: BlackSuit targeted Southwest Traders, a leading foodservice distributor, and exfiltrated over 133 GB of data, including audit documents, financial records, and business continuity plans. The company, with an annual revenue of $361.5 million, faced disruptions in its supply chain and operations. The attack also exposed signed NDAs with partners such as Tutti Frutti and Philz, creating further reputational risks for the business.
Meow
Meow, a threat actor group that surfaced in late 2022, has rapidly established itself as a significant ransomware player. With connections to the Conti v2 ransomware variant, the group specializes in targeting industries with sensitive data, particularly in the United States but also across Europe and other regions.
Known for its use of the ChaCha20 and RSA-4096 encryption algorithms, Meow Ransomware often gains access to systems through phishing emails, Remote Desktop Protocol (RDP) vulnerabilities, and malvertising.
The group has been particularly active in sectors like healthcare, financial services, and manufacturing, leaving behind ransom notes directing victims to contact them via email or Telegram for payment negotiations.
The Meow group operates a data leak site, listing victims who fail to meet ransom demands, which adds pressure by threatening public exposure of stolen data.
Meow’s attacks typically involve exfiltration of large volumes of sensitive data. For instance, Caseificio Alta Valsesia, an artisanal dairy cooperative based in Italy, experienced a breach that disrupted its operations, with potentially significant amounts of data stolen.
While the exact volume remains undisclosed, the attack highlighted vulnerabilities in its digital infrastructure, including potential financial data and production-related information.
In another case, WT Gruber Steuerberatung GmbH, an Austrian tax consultancy, saw over 120 GB of data stolen, including sensitive financial and tax documents. This breach posed serious risks to the firm’s reputation, especially given its role in handling confidential client data, such as scanned payment records and personal details.
Significant attacks attributed to Meow Ransomware:
- Donco & Sons Inc.: This family-owned electrical contracting company specializing in signage and lighting solutions suffered an attack where over 230 GB of data was stolen. The breach exposed sensitive employee and client information, internal financial documents, certifications, and blueprints. The attackers are demanding $24,000 for the data, which poses significant operational and reputational risks for Donco & Sons, a key player in the oil and retail sectors across several California counties.
- Optimize EGS: This provider of Generac home standby generators in southern Louisiana saw over 11 GB of sensitive data, including client information, technical drawings, and personal details such as social security numbers, exfiltrated. The attackers are offering the stolen data for $16,000, raising concerns over the potential misuse of technical and financial records critical to the company's operations across Baton Rouge, Kenner, and other regions in Louisiana.
Monti
Monti, first identified in June 2022, has established itself as a formidable ransomware group known for tactics that closely mirror those of Conti. The group targets both Windows and Linux systems, using the ".puuuk" file extension for encrypted files.
Their ransom notes typically demand payment in exchange for decryption and threaten to leak exfiltrated data on their dark web leak sites if the ransom isn’t paid. Monti has demonstrated a high degree of adaptability, incorporating advanced tools like the Action1 Remote Monitoring and Maintenance (RMM) agent.
The group has become especially active in sectors such as legal services, government institutions, healthcare, and financial services, impacting organizations’ operations and reputations through its widespread attacks.
Monti’s operations often involve the exfiltration of vast amounts of sensitive data before launching encryption attacks, using the threat of leaks to further pressure victims. For example, Abatti Companies, a California-based agribusiness, saw a significant breach in which critical business data was stolen.
The company’s extensive operations, including seed production and fertilizer distribution, were at risk, with the attackers threatening to leak the exfiltrated data if demands were unmet.
Similarly, Burgess Kilpatrick, a professional accounting firm based in Vancouver, faced a data breach in which sensitive financial data and client records were exfiltrated. This attack severely impacted the firm's ability to operate while also exposing its clients to the risk of identity theft and financial fraud.
Significant attacks attributed to Monti:
- Prism Construction Ltd.: This Canadian construction firm, based in Delta, British Columbia, suffered a devastating attack through the Bluemaven vector. Monti exfiltrated around 200MB of sensitive data, including customer details, employee records, and critical contractual agreements. The breach put Prism Construction’s operations and business partnerships at risk, raising concerns about the broader impact of the stolen data.
- Phyton Biotech: Known for its leading role in biotechnology, Phyton Biotech was targeted by Monti, resulting in the theft of over 200MB of sensitive data. The exfiltrated data included confidential employee records, internal contractual agreements, and proprietary pharmaceutical research data. This breach poses a significant threat to the company's ongoing operations, particularly its pharmaceutical research and partnerships, highlighting the severe vulnerabilities in its cybersecurity defenses.
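The file extensions named for BlackSuit (".BlackSuit") and Monti (".puuuk") are the kind of indicator a defender can turn into a simple detection. As an added example that is not part of Halcyon's post, the Python below flags a burst of renames to those extensions on one host within a short window, run over constructed file-audit events; the log format, host names and paths are assumptions.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Extensions named on this page: BlackSuit appends ".BlackSuit", Monti uses ".puuuk".
RANSOM_EXTENSIONS = {".blacksuit", ".puuuk"}

# Constructed sample file-audit events (not real telemetry): "<ISO time> <host> <op> <path>".
SAMPLE_EVENTS = """\
2024-08-28T02:14:01 fs01 RENAME /srv/finance/q2-ledger.xlsx.BlackSuit
2024-08-28T02:14:02 fs01 RENAME /srv/finance/payroll-aug.csv.BlackSuit
2024-08-28T02:14:02 fs01 RENAME /srv/hr/contracts.docx.BlackSuit
2024-08-28T09:30:15 ws17 RENAME /home/alice/report.docx.bak
2024-08-28T11:05:44 ws22 CREATE /home/bob/notes.txt
2024-08-29T23:59:58 esx02 RENAME /vmfs/volumes/ds1/db01/db01.vmdk.puuuk
2024-08-30T00:00:01 esx02 RENAME /vmfs/volumes/ds1/db01/db01-flat.vmdk.puuuk
2024-08-30T00:00:01 esx02 RENAME /vmfs/volumes/ds1/web01/web01.vmdk.puuuk
"""

EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+)$")

def parse_event(line):
    # Returns (timestamp, host, op, path) or None for a malformed line.
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, op, path = m.groups()
    return datetime.fromisoformat(ts), host, op, path

def has_ransom_extension(path):
    dot = path.rfind(".")
    return dot != -1 and path[dot:].lower() in RANSOM_EXTENSIONS

def detect_bursts(log_text, window=timedelta(seconds=10), threshold=3):
    """Return {host: (first_ts, count, ext)} for each host that renamed at least
    `threshold` files to a known ransomware extension within `window`."""
    recent = defaultdict(deque)  # host -> timestamps of recent suspicious renames
    alerts = {}
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None or ev[2] != "RENAME" or not has_ransom_extension(ev[3]):
            continue
        ts, host, _, path = ev
        q = recent[host]
        q.append(ts)
        while ts - q[0] > window:  # drop renames that fell out of the sliding window
            q.popleft()
        if len(q) >= threshold and host not in alerts:  # one alert per host
            alerts[host] = (q[0], len(q), path[path.rfind("."):].lower())
    return alerts
```

A single rename to a suspicious extension is ignored on purpose; the burst is what mass encryption looks like on disk, and the window and threshold should be tuned to the file server's normal rename rate.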
RansomHub
RansomHub, a Ransomware-as-a-Service (RaaS) group, surfaced in February 2024 and rapidly became a formidable entity in the ransomware ecosystem. Known for its aggressive affiliate model, RansomHub deploys double extortion tactics, encrypting sensitive data while exfiltrating large volumes of information.
Affiliates of the group frequently exploit unpatched systems, leverage phishing attacks, and use password spraying to infiltrate high-value targets across industries. Their cross-platform attacks hit Windows, Linux, and ESXi systems.
As of August 2024, RansomHub has expanded its operations significantly, boasting over 210 victims on its leak sites. Industries targeted include healthcare, financial services, government institutions, and manufacturing sectors, with operations spanning the U.S., Europe, and parts of Asia.
RansomHub frequently exfiltrates vast quantities of sensitive data from victims before initiating ransomware encryption. One high-profile example is Viña Luis Felipe Edwards, a prominent family-owned winery in Chile.
In this case, the attackers exfiltrated 178 GB of business-critical information, including internal financial data, contracts, and operational details. The winery’s supply chain was severely affected, disrupting both domestic and international distribution.
Another major breach involved SPIE TEC GmbH, a German engineering services provider, where RansomHub stole critical contracts, including those related to key clients like BMW.
The attack exfiltrated over 100 GB of sensitive documents, including project plans and financial records, putting both the company’s reputation and client relations at risk.
Significant attacks attributed to RansomHub:
- Smart ERP Solutions: In a major breach, RansomHub targeted Smart ERP Solutions, an Oracle Cloud Services Partner, exfiltrating sensitive data on over 110,000 individuals. The stolen data included first and last names, Social Security numbers, and personal contact information. The attackers auctioned this data, offering full and partial records to interested parties, further pressuring the company to meet ransom demands.
- Swinburne University of Technology, Sarawak Campus: In August 2024, RansomHub breached Swinburne University’s Sarawak Campus, exfiltrating sensitive data, including passport scans, student applications, and letters of completion. Although the core systems were quickly restored, the breach exposed weaknesses in the university’s cybersecurity, particularly in protecting sensitive student and staff information.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.