Ransomware on the Move: Cuba, Rhysida, 8Base, RagnarLocker
Date:
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:
BlackCat/ALPHV: BlackCat/ALPHV has been making waves in the cyber underworld. This group has a penchant for targeting a diverse range of industries, including healthcare, pharmaceuticals, finance, manufacturing, and legal services.
They even stooped so low as to publish compromising clinical photographs of breast cancer patients, highlighting their ruthlessness.
BlackCat/ALPHV attacked Motel One, a German hotel chain that operates primarily in Europe known for offering stylish and affordable boutique hotels with a focus on modern design.
BlackCat/ALPHV posted Motel One to its data leak site on September 30th, claiming to have stolen 6 TB worth of documents, or almost 24.5 million files from the hotel chain.
BlackCat/ALPHV also attacked The ONE Group, a recruitment and talent management agency with offices in the United Kingdom. BlackCat/ALPHV posted The ONE Group to its data leak site on October 3rd but provided no further details.
What sets BlackCat/ALPHV apart is its use of Rust, a secure programming language, for its malicious endeavors. The ransomware encrypts files using ChaCha20 or AES algorithms and employs intermittent encryption modes for speed over strength.
BlackCat/ALPHV also utilizes a tool called Exmatter for data exfiltration. This group is known for its double extortion schemes, exfiltrating victim data even before encrypting it to maximize pressure on victims.
LockBit: LockBit is a well-established Ransomware-as-a-Service (RaaS) operation with a reputation for demanding exorbitant ransoms. They have even exceeded the $50 million mark in some cases.
LockBit gained notoriety for its triple extortion model, where victims are not only required to pay a ransom but also to purchase their sensitive data back. Their advanced encryption methods, particularly the custom Salsa20 algorithm, make them a formidable adversary.
LockBit attacked AICSA. AICSA is a Guatemalan company specializing in developing commercial, corporate, residential, infrastructure, and energy projects. LockBit posted AICSA to its data leak site on October 3rd but provided no further details.
LockBit 3.0, introduced in June 2022, brought advanced anti-analysis features, expanding their threat to both Windows and Linux systems. They primarily exploit Remote Desktop Protocol (RDP) vulnerabilities for infection and rely on multiple extortion techniques to ensure compliance with their demands.
Cuba: Cuba, also known as Fidel, emerged in late 2019 and gained significant prominence in 2022. Despite its thematic Cuban nationalist website design, evidence suggests that the group's origins are likely Russian.
Cuba ransomware is associated with other threat actors, RomCom and Industrial Spy, who have disproportionately high impacts despite their relatively small numbers.
The Cuba ransomware gang attacked the Rock County Public Health Department, responsible for overseeing public health initiatives and services in Rock County, Wisconsin.
According to Josh Smith, County Administrator, some of the health departments were taken offline immediately following the attack. Cuba ransomware posted Rock County Health Department to its data leak site on October 3rd but provided no further details.
Unlike sophisticated state-sponsored malware, Cuba ransomware employs conventional software packing techniques, compressing software and libraries into a single binary executable to evade detection.
Rhysida: The Rhysida ransomware gang is a relatively new entrant, having emerged in May 2023. They employ a victim support chat portal on the TOR network, masquerading as a "cybersecurity team" that helps victims by exposing security vulnerabilities in their systems.
Rhysida attacked the General Directorate of Migration of the Dominican-Republic (Dirección General de Migración or DGM), the government agency responsible for overseeing immigration and migration-related matters within the country.
It plays a crucial role in regulating the entry and exit of foreign nationals, enforcing immigration laws, and ensuring the orderly movement of people in and out of the Dominican Republic. Rhysida posted the agency to its data leak site on October 4th but provided no further details.
Rhysida also attacked the Federal University of Mato Grosso do Sul (Universidade Federal de Mato Grosso do Sul or UFMS), a prominent public research university located in the state of Mato Grosso do Sul, Brazil.
It is one of the federal universities in Brazil and is known for its commitment to education, research, and community engagement. Rhysida posted the Federal University of Mato Grosso do Sul to its data leak site on October 2nd but provided no further details.
Rhysida deploys ransomware through various methods, including Cobalt Strike, phishing campaigns, and other tools, and employs multi-extortion practices by threatening to distribute stolen data publicly.
Medusa: Medusa, an active RaaS platform, made its debut in the summer of 2021 and gained momentum throughout 2022. This group is notorious for demanding ransoms that often reach into the millions of dollars, making them a formidable adversary.
Medusa attacked So Magic, a French company that manufactures planchas - versatile cooking devices that consist of a flat, smooth cooking surface. Medusa posted So Magic to its data leak site on October 3rd but provided no further details.
Medusa also attacked Windak, a company that specializes in the design, manufacture, and supply of cable and material handling equipment for various industries. Medusa posted Windak to its data leak site on October 2nd but provided no further details.
What sets Medusa apart is its focus on crippling victim systems' recovery options by deleting local backups, disabling startup recovery options, and eliminating shadow copies. They have both Windows and Linux versions, and their attacks often begin with malicious email attachments or torrent websites.
Money Message: Money Message stands out from the typical ransomware variants by refraining from altering file names when encrypting them. Money Message also exfiltrates data prior to encrypting in a double extortion scheme.
Money Message attacked Toscana-Promozione, the organization responsible for promoting tourism and economic development in the Tuscany region of Italy. Money Message posted Toscana-Promozione to its data leak site on October 3rd but provided no further details.
Money Messagealso attacked MD Logistics, a third-party logistics (3PL) company that specializes in supply chain management and distribution services. Money Message posted MD Logistics to its data leak site on October 3rd but provided no further details.
Money Message also attacked Maxco Supply, a Californian company specializing in designing and manufacturing packaging headquartered in Parlier, California. Money Message posted Maxco Supply to its data leak site on October 3rd but provided no further details.
NoEscape: NoEscape is a ransomware-as-a-service operation that allows affiliates to customize various settings when creating ransomware executables.
NoEscape attacked The College of San Luis, a prestigious research and educational institution located in San Luis Potosí, Mexico. NoEscape posted The College of San Luis to its data leak site on October 3rd but provided no further details.
NoEscape also attacked the Bellsonica Corporation, a company that specializes in manufacturing automotive parts and components. NoEscape posted Bellsonica Corporation to its data leak site on October 3rd but provided no further details.
To facilitate the payment process, the victims are advised to download and install the TOR browser and access a specific link provided in the note. They must then enter their ID and follow the accompanying instructions.
Knight: The Knight ransomware gang overhauls its ransomware interface and code, recruiting affiliates through hacking forums to improve data theft from Windows and Linux systems. They employ deceptive tactics, such as disguising their malicious payload as a TripAdvisor complaint.
Knight attacked GDL Logistica Integrada SA. GDL Logistica Integrada SA is a Brazilian logistics company. Knight posted GDL Logistica Integrada SA to its data leak site on October 3rd but provided no further details.
The group's ransomware encrypts files with a custom Salsa20 algorithm, appending the '.knight_1' extension. Victims are directed to pay a $5,000 ransom.
RagnarLocker: RagnarLocker first emerged in December 2019. It compromises victim networks through vulnerable Remote Desktop Protocol (RDP) software.
RagnarLocker is known for demanding ransoms that can exceed $10 million, and they actively delete VSS Shadow Copies to thwart encryption rollback.
RagnarLocker ransomware gang has attacked Groupe Fructa Partner. Groupe Fructa Partner is a French food and beverage company. RagnarLocker posted Groupe Fructa Partner to its data leak site on October 3rd but provided no further details.
RagnarLocker is not a traditional RaaS and are assessed to be related to or working in cooperation with Maze and MountLocker operators.
8Base: Despite a significant increase in activity during the summer of 2023, the 8Base ransomware group has managed to maintain a relatively low profile. This group employs encryption techniques alongside "name-and-shame" tactics to pressure their victims into paying ransoms.
8Base ransomware gang has attacked Ted Pella Inc, a company known for offering a wide range of products and services to support scientific research, microscopy, and sample preparation for various fields, including life sciences, materials science, and electron microscopy. 8base posted Ted Pella Inc to its data leak site on October 3rd but provided no further details.
The swift and efficient operations of 8Base suggest that this group is not newly formed but rather an established and mature organization. Based on available information, certain aspects of their current operations bear a striking resemblance to past ransomware activities.
The 8Base ransomware group describe themselves as "simple pen testers,” but their communication style shares similarities with another known group called RansomHouse.
Mallox: Mallox was initially dubbed “TargetCompany” because it appended encrypted files with the target company’s name.
In an interview conducted in January 2023, the threat actors responsible for Mallox clarified that each major update of the ransomware involved changing the encryption algorithm and decryptor characteristics. These updates were accompanied by modifications to file name extensions, leading to the evolution of the group's name.
Mallox attacked Measuresoft, a software company that specializes in providing industrial automation and process control solutions. Mallox posted Measuresoft to its data leak site on October 3rd but provided no further details.
Mallox also attacked Kirkholm Maskiningenirer, a consulting engineering firm headquartered in Denmark that specializes in machine construction and production equipment, process and production optimization, and project management. Mallox posted Kirkholm Maskiningenirer to its data leak site on October 2nd but provided no further details.
Earlier variants of Mallox provided a contact site with the extension ".onion" for negotiations and delivered ransom notes titled "How to decrypt files.txt." However, in later variants, the ransomware stopped using the targeted company's name as file name extensions.
As organizations and cybersecurity professionals continue to battle against these threats, staying informed about the tactics, targets, and evolution of ransomware groups is crucial for defense and prevention.
Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).
