Ransomware on the Move: Cicada 3301, Kill Security, Play, RansomHub

Date:

September 3, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week...

In the week of August 19 to August 25, 2024, ransomware activity surged, with significant attacks impacting key industries such as manufacturing, education, and transportation.

Among the most prolific threat actors are Cicada3301, KillSecurity, Play, and RansomHub, each employing distinct tactics to target and compromise organizations worldwide. The escalation in attacks underscores the persistent and evolving nature of ransomware threats, particularly as these groups continue to refine their methods and expand their reach.

Cicada3301, known for its data exfiltration and resale strategies, has targeted organizations like Findel Educational Resources and Hofmann Malerei AG, leveraging stolen data as a bargaining chip.

Unlike traditional ransomware groups, Cicada3301 focuses less on encryption and more on the long-term monetization of sensitive information through dark web marketplaces. This shift in approach has allowed them to inflict lasting damage on their victims, well beyond the initial breach.

Meanwhile, KillSecurity has continued to exploit vulnerabilities across various sectors, employing more conventional ransomware tactics. Their recent attacks on Autonomous Furniture and School Rush demonstrate their ability to target both large enterprises and smaller entities with equal effectiveness.  

The Play ransomware group has also maintained its aggressive stance, compromising companies such as Armour Coatings, further highlighting the widespread impact of these cybercriminals.  

RansomHub, another notable player, has targeted organizations like Prasarana Malaysia Berhad and Banham Poultry Ltd, emphasizing the diverse range of industries at risk.

Cicada3301

Cicada3301, a data broker group that emerged in June 2024, has rapidly gained notoriety for its sophisticated operations targeting organizations across a wide range of industries.  

Unlike traditional ransomware groups that typically encrypt data and demand ransom for decryption, Cicada3301 has distinguished itself by focusing on the exfiltration of sensitive data, which it then sells on dark web marketplaces.  

This approach marks a significant shift in the ransomware landscape, moving away from one-time ransom payments to strategies that enable long-term exploitation of stolen data.  

Cicada3301 is particularly adept at infiltrating companies with valuable intellectual property, proprietary business data, and sensitive client information, leading to severe operational disruptions and reputational damage for its victims.

Their attacks usually involve the exfiltration of substantial amounts of sensitive data, which is subsequently used to apply pressure on victims or to generate revenue through dark web sales.

For example, Hofmann Malerei AG, a venerable Swiss painting and construction firm with over 140 years of history, was recently targeted. The attack resulted in the theft of 500 MB of crucial business data, including internal documents and potentially sensitive client information. This breach has raised concerns about the vulnerability of even long-established companies to modern cyber threats.  

Similarly, UFCW Local 135, a labor union based in San Diego representing workers across multiple industries, experienced a breach where 90 GB of member data was stolen. This attack exposed personal and financial information of union members, creating significant risks related to privacy, identity theft, and potential misuse of data.

Significant attacks claimed by Cicada3301:

  • Findel Educational Resources, a UK-based supplier of educational materials that serves institutions in over 130 countries, suffered a massive breach in which approximately 870 GB of sensitive data was exfiltrated. This stolen data included financial records, passport details, confidential documents, and a comprehensive customer database. The breach not only jeopardizes the operational integrity of Findel but also endangers the personal and financial information of countless clients and partners, highlighting the significant threat posed by Cicada3301 to large organizations.
  • Chama Gaucha, a prominent Brazilian steakhouse chain in the U.S., known for its high-end dining experience, was also severely impacted when Cicada3301 stole 50 GB of sensitive data. The exfiltrated information included critical business documents, customer data, and potentially proprietary business strategies. The exposure of this data could severely undermine the restaurant’s reputation, erode client trust, and result in substantial financial losses. This attack underscores the vulnerability of the hospitality industry to sophisticated ransomware operations and the broadening scope of sectors targeted by Cicada3301.

Kill Security

Kill Security, a ransomware group that first emerged in 2024, has quickly become a significant threat across various industries worldwide. Known by the alias "KillSec," the group has targeted sectors such as government, manufacturing, defense, professional services, banking, and sports.  

Kill Security employs a variety of tactics to breach security defenses, including phishing campaigns and exploiting vulnerabilities in exposed network services. Like the other groups profiled here, it exfiltrates sensitive data before encrypting it and uses the stolen data as leverage to extort its victims.

The group’s ransom demands have ranged from 1,500 to 10,000 EUR, and they exclusively accept payments in Monero (XMR) cryptocurrency, enhancing the anonymity of their operations.

Their activities are particularly concerning because no public decryptor is available, making their attacks especially damaging to the affected organizations. Kill Security's attacks typically involve the theft of significant amounts of sensitive data, which they use to pressure victims into meeting their demands.

In a recent attack on TerraLogs, a Brazil-based agribusiness financing platform, the group exfiltrated personal and financial data of rural producers, including identification numbers, credit amounts, and financial projections, severely compromising the company's operations and client trust.  

Another significant attack targeted Instadriver, a Kenyan driver-employer marketplace, where sensitive data such as drivers' IDs and passport scans were stolen, threatening the privacy of thousands of drivers and putting the company at risk of severe reputational damage.

Significant Attacks Claimed by Kill Security:

  • School Rush, a platform integral to school-parent communication, was severely compromised when Kill Security exfiltrated its entire user database. This data breach included highly sensitive personal information, such as names, email addresses, phone numbers, and student identification numbers, putting the privacy of countless families at significant risk. The potential misuse of this data raises serious concerns about identity theft and the safety of those involved.
  • Level SuperMind, an innovative app in India designed to enhance mental and physical wellness, was targeted in another significant attack. Kill Security exfiltrated a wide array of critical user data, including full names, email addresses, passwords, device information, IP addresses, and payment details. The attackers have demanded a ransom of $25,000, threatening to expose the stolen information if the demands are not met by the specified deadline, potentially leading to severe financial and reputational damage for the company and its users.

Play

Play Ransomware, also known as PlayCrypt, has been a prominent player in the ransomware landscape since its emergence in June 2022. Initially targeting organizations in Latin America, particularly Brazil, the group quickly expanded its reach to North America, South America, and Europe.  

Play Ransomware is notorious for its strategic exploitation of vulnerabilities, including Remote Desktop Protocol (RDP) servers, FortiOS vulnerabilities, and Microsoft Exchange flaws. The group’s operations span various industries, such as IT, transportation, construction, government entities, and critical infrastructure, making it a persistent and versatile threat.  

One of the distinguishing features of Play Ransomware is its approach to ransom notes, which do not include an initial ransom demand or payment instructions, instead directing victims to contact the attackers via email.

Play Ransomware’s attacks typically involve the exfiltration of significant amounts of sensitive data, which is then used as leverage to extort victims.  

For example, Armour Coatings, a specialized industrial coatings company based in the United States, recently experienced a breach in which sensitive operational data was stolen and subsequently published on the dark web. The company, known for its custom powder coating and sandblasting services, now faces potential disruptions and reputational damage.  

Similarly, Policy Administration Solutions (PAS), a U.S.-based company specializing in insurance policy administration software, was targeted by Play Ransomware. The attack resulted in the exfiltration and publication of sensitive information, including client and operational data, threatening the company’s standing in the competitive insurance technology market.

Significant Attacks Claimed by Play Ransomware:

  • Quilvest Capital Partners, a leading investment firm based in France, fell victim to a significant ransomware attack orchestrated by Play Ransomware. The breach was first identified on August 21, 2024, with sensitive files subsequently published on the dark web on August 26. The incident drew considerable attention, with the dark web post receiving 505 views. This attack highlights the growing vulnerability of financial institutions to sophisticated cyber threats and underscores the critical importance of strong cybersecurity measures in protecting sensitive financial data.
  • RCG Ventures LLC, a prominent real estate investment firm based in the United States, was another major target of Play Ransomware. The attack, identified on August 21, 2024, led to the exposure of sensitive files on the dark web five days later. The compromised data has since garnered significant attention, with the dark web post accumulating 354 views. The incident raises serious concerns about the security infrastructure in place at RCG Ventures, particularly given the firm's extensive portfolio and significant financial assets.

RansomHub

RansomHub is a relatively new ransomware group that has quickly made a name for itself in the cyber threat landscape. Believed to have roots in Russia, RansomHub operates as a Ransomware-as-a-Service (RaaS) entity, where affiliates receive 90% of the ransom payments, while the remaining 10% goes to the core group. This model allows for rapid expansion and increased attack frequency.

Unlike many ransomware groups that follow specific targeting patterns, RansomHub has been indiscriminate in its attacks, hitting various industries across different countries, including the United States, Brazil, Indonesia, and Vietnam.  

Notably, the group has a particular interest in healthcare institutions, but their reach extends to other sectors as well. RansomHub's ransomware strains are developed in Golang, a programming language that is becoming increasingly popular among cybercriminals due to its efficiency and cross-platform capabilities.

RansomHub attacks often involve the exfiltration of large amounts of sensitive data before deploying encryption, which is then used as leverage in ransom negotiations.  

For example, Prasarana Malaysia Berhad, a major public transport operator in Malaysia, was targeted, resulting in the exfiltration of 316 GB of internal data, which included critical operational details.  

In another case, Blower-Dempsay Corporation, a well-established packaging company in the United States, had 679 GB of sensitive data stolen, including confidential client information and proprietary manufacturing processes. These breaches underscore the significant risks that organizations face when targeted by RansomHub.
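The exfiltrate-then-encrypt sequence that this page attributes to Kill Security, Play and RansomHub (and the exfiltration-only variant attributed to Cicada3301) is also what a defender can key detections on: a burst of outbound traffic from one host to an external address, followed hours or days later by mass renames of files to a new extension. The example below is added here and is not code from Halcyon or from any of the groups discussed. It runs a two-signal heuristic over constructed log lines; the log format, host names, thresholds, window sizes and the `ext_changed` field are all assumptions made for the example, and the sample events are fabricated, not taken from any real incident.

```python
"""Heuristic detection of exfiltrate-then-encrypt over simple event logs.

Added example for this page; log format, thresholds and sample data are assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values for this example, not vendor-published numbers)
EXFIL_BYTES = 1_000_000_000       # >1 GB outbound from one host inside EXFIL_WINDOW
EXFIL_WINDOW = timedelta(hours=1)
RENAME_COUNT = 200                # >200 extension-changing renames inside RENAME_WINDOW
RENAME_WINDOW = timedelta(minutes=10)
MAX_GAP = timedelta(days=3)       # encryption must follow the exfil burst within this gap

TS_FMT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Parse one 'ts key=value ...' event (assumed format) into a dict."""
    ts, *fields = line.split()
    event = {"ts": datetime.strptime(ts, TS_FMT)}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def burst_windows(events, window, threshold):
    """Return start times of sliding windows whose summed value exceeds threshold.

    events: list of (timestamp, value). A two-pointer sweep keeps the window sum.
    """
    hits = []
    events = sorted(events)
    total, left = 0, 0
    for right, (ts, value) in enumerate(events):
        total += value
        while events[right][0] - events[left][0] > window:
            total -= events[left][1]
            left += 1
        if total > threshold:
            hits.append(events[left][0])
    return hits


def detect(lines):
    """Map host -> finding for hosts showing exfil, encryption, or both in sequence."""
    outbound = defaultdict(list)  # host -> [(ts, bytes)]
    renames = defaultdict(list)   # host -> [(ts, 1)]
    for line in lines:
        e = parse_line(line)
        if e["type"] == "netflow" and e.get("direction") == "out":
            outbound[e["host"]].append((e["ts"], int(e["bytes"])))
        elif e["type"] == "file" and e.get("action") == "rename" and e.get("ext_changed") == "true":
            renames[e["host"]].append((e["ts"], 1))

    findings = {}
    for host in set(outbound) | set(renames):
        exfil = burst_windows(outbound[host], EXFIL_WINDOW, EXFIL_BYTES)
        enc = burst_windows(renames[host], RENAME_WINDOW, RENAME_COUNT)
        if exfil and enc and timedelta(0) <= enc[0] - exfil[0] <= MAX_GAP:
            findings[host] = "exfil_then_encrypt"   # full double-extortion pattern
        elif exfil:
            findings[host] = "exfil_only"           # data-theft-only, or a backup job
        elif enc:
            findings[host] = "encrypt_only"
    return findings


def sample_events():
    """Constructed sample log (fabricated hosts and addresses, RFC 5737 ranges)."""
    fmt = lambda t: t.strftime(TS_FMT)
    base = datetime(2024, 8, 20, 1, 0, 0)
    lines = []
    # ws-17: 4.8 GB pushed to an external host over 40 minutes, mass renames 5 hours later
    lines += [f"{fmt(base + timedelta(minutes=m))} host=ws-17 type=netflow direction=out "
              f"dst=203.0.113.10 bytes=120000000" for m in range(40)]
    lines += [f"{fmt(base + timedelta(hours=5, seconds=s))} host=ws-17 type=file action=rename "
              f"ext_changed=true path=/srv/share/doc{s}.docx" for s in range(300)]
    # srv-backup: 2 GB out in 10 minutes and no renames (legitimate backup or exfil-only)
    lines += [f"{fmt(base + timedelta(minutes=m))} host=srv-backup type=netflow direction=out "
              f"dst=198.51.100.5 bytes=200000000" for m in range(10)]
    # ws-22: ordinary activity, well under both thresholds
    lines += [f"{fmt(base)} host=ws-22 type=netflow direction=out dst=203.0.113.44 bytes=5000000",
              f"{fmt(base)} host=ws-22 type=file action=rename ext_changed=true path=/home/u/a.tmp"]
    return lines


if __name__ == "__main__":
    for host, finding in sorted(detect(sample_events()).items()):
        print(f"{host}: {finding}")
```

The `exfil_only` result on `srv-backup` is the false-positive class a practitioner has to expect from the volume signal alone: scheduled backups and cloud sync produce the same shape, so the outbound side needs an allow-list of known destinations (or per-host baselines) before it pages anyone, whereas the combined `exfil_then_encrypt` finding is specific enough to act on immediately.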

Significant Attacks Claimed by RansomHub:

  • Banham Poultry Ltd, a poultry processor based in Norfolk, England, was targeted in a ransomware attack by RansomHub on August 18, 2024. The attackers claim to have accessed 50 GB of sensitive data, including National Insurance numbers, passport copies, and bank details of staff members. Despite the breach, Banham Poultry's factory operations were not disrupted, and the company promptly took measures to secure its systems and advise staff on potential identity theft risks. The incident has been reported to the Information Commissioner’s Office (ICO), and additional security measures have been implemented to prevent future breaches.
  • Capital Fund 1, a U.S.-based real estate investment firm, was significantly impacted by a RansomHub attack. The group claims to have stolen a substantial amount of data, including financial documents, personal information of investors, Social Security numbers, and sensitive business transactions. Despite multiple attempts by RansomHub to negotiate, the firm's management refused to cooperate, leading to the sale of some of the stolen data for criminal purposes. The situation remains unresolved, with further data leaks threatened, potentially exposing additional vulnerabilities within the firm's network.
  • Charleston County School District (CCSD) in South Carolina faced a massive data breach when RansomHub exfiltrated 966 GB of data from the district’s systems. The attack caused a network outage but did not prevent the district from reopening schools as planned. The stolen data includes extensive records that could impact students and staff. The district has taken steps to notify those potentially affected and is working to enhance its cybersecurity posture to prevent further incidents.

Cicada 3301

To clarify, the name “Cicada 3301” was originally associated with an online puzzle that gained notoriety between 2012 and 2014. However, the name has since been appropriated by a separate and unrelated ransomware group, which has been the focus of recent reports, including ours.

Halcyon fully respects the legacy of the original “Cicada 3301” organization and recognizes their distinction from the activities of the ransomware group using the same name. Our reporting on the ransomware group is consistent with fair use, aiming to inform the public about cybersecurity threats.  For those interested in the original “Cicada 3301” and their official stance on this matter, we encourage you to visit their statement here.

We appreciate your understanding as we strive to maintain clarity and accuracy in our reporting.


Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.