Ransomware on the Move: Cicada, Fog, Play, RansomHub
Date: October 29, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: Cicada, Fog, Play, and RansomHub…
This week’s threat actors showed different monetization models: Cicada 3301, which operates as a data broker, leans on data theft and resale, while Fog, Play, and RansomHub pair encryption with data exfiltration (double extortion) to increase pressure on victims.
Sectors affected spanned healthcare, manufacturing, and construction, indicating an ongoing shift towards sectors traditionally perceived as less fortified but increasingly reliant on digital infrastructure.
Cicada
Cicada 3301 emerged in June 2024 as a Ransomware-as-a-Service (RaaS) and data broker group, setting itself apart by prioritizing data exfiltration and sales over immediate ransom payments. Despite sharing a name with the cryptographic puzzle from a decade prior, Cicada 3301 has no connection to the original phenomenon.
The group has quickly gained notoriety for targeting small to medium-sized businesses (SMBs) and larger enterprises with weak VPN defenses, exploiting known vulnerabilities in Cisco, Fortinet, and SonicWall appliances.
Using the Brutus botnet for initial access and affiliates to handle ransomware deployment, Cicada 3301 has hit victims across a range of industries.
Cicada 3301 typically exfiltrates sensitive corporate data, which it later markets on dark web platforms. The types of data targeted include financial records, proprietary business information, and client files that can be used for resale or further exploitation.
Significant Attacks
- RDC Control Ltd, an industrial manufacturer in Canada: Cicada 3301 seized 60 GB of sensitive operational data, including production processes and trade secrets, placing the company’s confidential information at risk.
- Racing Forensics Inc., a Canadian horse racing regulatory firm, experienced a data breach involving regulatory documents and personal client information, compromising sensitive veterinary and compliance data used within the industry. These breaches highlight the group's focus on monetizing data that holds significant operational or client-related value.
- T-Space Architects, an architectural firm in London, had approximately 50 GB of sensitive data seized by Cicada. The breach included project files, client information, and financial records critical to ongoing projects, showing the exposure of high-value firms in the architectural sector.
- INDIBA Group, a global leader in medical technology based in Spain, experienced a breach where Cicada exfiltrated 33 GB of highly sensitive information, such as proprietary multimedia files, client records, and financial documents, leading to potential competitive and reputational harm.
Fog
Fog ransomware first appeared in May 2024 and is a distinct operation, not a variant of the STOP/DJVU family. Known for rapid encryption, the group runs organizational attacks that primarily target Windows environments, though it has also affected Linux systems.
Fog gains access through compromised VPN credentials and known application vulnerabilities, then uses techniques such as pass-the-hash for lateral movement and privilege escalation. In 2024, the group increased its focus on financially lucrative sectors, including finance and healthcare, using data exfiltration and double extortion to pressure victims into paying.
This evolution marks Fog ransomware as a growing threat across high-stakes industries. The Fog ransomware group typically exfiltrates a wide array of sensitive data, including client records, financial information, and internal documents.
Significant Attacks
- Fromm International, a well-established beauty products company, was breached; the attack exposed customer data and potentially compromised credit card information, raising concerns over financial security.
- Food Sciences Corporation, a nutritional products manufacturer, reported a data loss of 86 GB, including proprietary research, formulas, and client agreements, which could affect the company’s competitive position in the health and wellness sector.
- Cordogan Clark & Associates, a major architectural and planning firm, was hit by Fog ransomware, resulting in the exfiltration of 107 GB of sensitive data. This breach included employee personal details, client communications, and confidential HR files, such as non-disclosure agreements, social security numbers, and other identification documents, creating substantial risks for company stakeholders.
- Central Pennsylvania Food Bank, a nonprofit food distribution organization serving over 135,000 individuals monthly, experienced a ransomware breach in which over 20 GB of critical information was exfiltrated. The breach involved accounting records, client agreements, and personal identifiers, potentially impacting the partnerships and support network the organization depends on.
Play
The Play ransomware group, also known as PlayCrypt, has been active since June 2022, quickly establishing itself as a prominent threat actor in the ransomware landscape.
Initially targeting organizations in Latin America, the group has since expanded across North America, South America, and Europe, impacting over 300 entities in sectors such as IT, transportation, construction, and government.
Known for its adaptive tactics, Play uses a variety of initial access techniques, including exploiting exposed RDP services and vulnerabilities in Microsoft Exchange and FortiOS appliances, as well as logging in with compromised VPN credentials.
Their attacks frequently utilize custom tools for data theft and system disruption, making them a persistent threat across multiple industries. The Play ransomware group typically exfiltrates sensitive organizational data, which can range from financial documents to personal employee and client information.
Significant Attacks
- Wilkinson Chartered Professional Accountants was attacked by Play, which gained unauthorized access to client data, including confidential financial planning documents and tax-related records.
- McCody Concrete Products, Inc., a construction materials provider, had sensitive business data such as client contracts and internal budgets exfiltrated, adding pressure on companies in the sector to reinforce data protection.
- Absolute Machine Tools, a leading CNC machine tool importer, was targeted on October 19, 2024. Play ransomware exfiltrated extensive data, including client contracts, payroll information, accounting records, and identification documents. The sensitive data breached poses financial and operational risks, highlighting the vulnerability of data-centric companies.
- OzarksGo, a broadband provider, was hit by a Play ransomware attack that disrupted its linear TV services; Play claimed to have taken client documents, payroll records, and contracts. In response, OzarksGo took systems offline, permanently discontinued linear TV, and offered customers one month of free streaming services. The company is still investigating but has told customers that no sensitive financial data appears to have been compromised.
RansomHub
RansomHub, a Ransomware-as-a-Service (RaaS) group, emerged in February 2024, swiftly establishing itself as a formidable presence in the ransomware landscape. This group has leveraged an aggressive affiliate model to amplify its reach across high-value sectors such as healthcare, manufacturing, and government.
Building on the experience of former Knight ransomware affiliates and known ALPHV/BlackCat actors, RansomHub specializes in double extortion, where sensitive data is exfiltrated and encrypted, pressuring victims to comply with ransom demands.
This strategy has positioned RansomHub as one of the more disruptive actors in the industry, with an emphasis on rapidly targeting and exploiting large datasets across multiple platforms.
RansomHub is known for exfiltrating and encrypting a variety of sensitive data, targeting financial records, personal identifiers, and proprietary business information, which it uses to heighten leverage in ransom negotiations.
Significant Attacks
- QS Group, an Italian industrial machinery manufacturer: RansomHub reportedly exfiltrated 45 GB of critical data, including project designs and customer records, posing potential reputational and financial threats.
- Al Qaryah Auctions, a prominent UAE auction house, had 100 GB of personally identifiable information and financial records compromised, threatening client privacy and operational integrity.
- Clinicia, a provider of business management software for healthcare practices, was targeted by RansomHub, leading to the exfiltration of 500 GB of sensitive data, including millions of patient records. The stolen data includes clinic staff and patient details, which RansomHub threatened to release publicly if its demands are not met, putting both patient privacy and clinic operations at risk.
- Doctors To You (DTY), a healthcare service provider, was attacked by RansomHub, with critical data encrypted, jeopardizing access to patient information and essential records. The group set a ransom deadline of October 20, with potential service disruption for DTY’s healthcare clients.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.