Ransomware on the Move: DragonForce, Play, LockBit, RansomHub

Date:

July 16, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:

The first week of July 2024 saw a significant spike in ransomware attacks across sectors worldwide. Four groups were notably active: DragonForce, LockBit, Play, and RansomHub. Their attacks disrupted operations and exposed sensitive data across numerous industries.

Manufacturing was hit hardest with 9 attacks, followed by healthcare services and construction with 4 each. The pattern across these incidents is consistent: initial access through exposed services or stolen credentials, bulk data exfiltration, then encryption and a leak-site listing. Organizations should treat the exfiltration stage, not just the encryption stage, as the event to detect and stop.

DragonForce

DragonForce is a ransomware group that has gained significant notoriety since emerging in late 2023. It is distinguished by targeted attacks on corporate and organizational networks and by its reuse of leaked LockBit ransomware code rather than a wholly original encryptor.

DragonForce operates using both encryption and exfiltration tactics, threatening to release stolen information publicly if ransom demands are not met—a strategy known as double extortion. The group has targeted various industries, including retail, manufacturing, government entities, and healthcare organizations, with notable breaches including the Ohio Lottery, Yakult Australia, Coca-Cola Singapore, and the government of Palau.

For the week of July 1 to July 7, DragonForce conducted several significant attacks, stealing substantial amounts of sensitive data. Super Gardens, a prominent landscape construction and turf management company based in Victoria, Australia, experienced a ransomware attack in which DragonForce claimed to have accessed and exfiltrated 120.1 gigabytes of data.

This included sensitive employee information, such as medical checks and driver's license scans, as well as details of high-profile clients like Melbourne Racing Club and La Trobe University.  

Similarly, DragonForce targeted Elite Fitness NZ, a leading supplier of fitness and gym equipment in New Zealand, resulting in the theft of 5.31 gigabytes of data, including business-related documents and personal identification information.

Significant Attacks

  • Gray & Adams, a leading manufacturer of temperature-controlled and bespoke vehicles based in Scotland, fell victim to a DragonForce ransomware attack. The group claims to have exfiltrated 8.35 gigabytes of sensitive data. With over 750 employees and significant operations serving the food services and pharmaceuticals sectors, the impact on Gray & Adams was considerable, raising concerns about the security of manufacturing processes and client confidentiality.
  • Grand Rapids Gravel, a construction materials supplier in Michigan that has operated since 1920, experienced a DragonForce ransomware attack in which 10.96 gigabytes of data were exfiltrated. The breach disrupted operations and posed serious risks to business continuity and client data security, as well as to the company's long-standing reputation.

Play

The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has quickly become a significant threat. The group targets both Windows and Linux systems, gaining initial access through exposed RDP services and known vulnerabilities in FortiOS and Microsoft Exchange.

Play ransomware appends the .play extension to encrypted files and leaves a minimal ransom note instructing victims to contact the group by email for negotiations. Its dark web leak site is used to publish victim information, putting additional pressure on organizations to comply with ransom demands. Play's rapid evolution and widespread impact underline the growing sophistication and persistence of ransomware threats.

Play ransomware's attacks involve the exfiltration of substantial amounts of sensitive data, posing severe risks to the affected organizations. For example, Elyria Foundry, a metals company specializing in iron casting, experienced a significant breach discovered on July 5, 2024.

The compromised data potentially includes critical operational and financial information, which could severely disrupt the company's services. Similarly, Fareri Associates, a real estate development firm, suffered a ransomware attack on the same date, compromising sensitive client data and property transaction details. These breaches highlight Play ransomware's capability to significantly disrupt operations and compromise critical data integrity across various sectors.


LockBit

LockBit is a notorious ransomware-as-a-service (RaaS) group that has been active since September 2019. Its ransomware targets both Windows and Linux systems, and affiliates commonly gain access through exposed RDP services and unsecured network shares. LockBit uses hybrid encryption, AES-256 for file contents with the file keys protected by RSA-2048, appends a per-build extension to encrypted files, and leaves ransom notes demanding Bitcoin payments.

The group employs a "double extortion" tactic, threatening to release stolen data on its dark web leak site if demands are not met. LockBit's operations are characterized by rapid lateral spread, a modular structure, and defense evasion, making it a formidable threat. Notably, during the week of July 1 - July 7, 2024, LockBit resurfaced as the most active ransomware group after a few weeks of reduced activity, underscoring its persistence.
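Both the Play passage above (encrypted files renamed with the .play extension, a minimal ransom note) and this LockBit passage (per-build extensions, ransom notes, AES-encrypted contents) describe artifacts a defender can look for on disk. The following is an added example, not Halcyon's code or tooling: a scanner that walks a directory tree and flags renamed files, ransom-note-like text files, and high-entropy files that should not be compressed or encrypted. The extension list, the note-name keywords, the thresholds, and the sample tree are illustrative assumptions, not a published signature set; the ".lockbit" extension in particular is a placeholder for the extensions LockBit builds actually append, which vary.

```python
"""Added example (not Halcyon's code): scan a directory tree for the
on-disk artifacts described above -- renamed encrypted files and dropped
ransom notes -- plus an entropy check for encrypted file contents.

Assumptions: the extension list, note-name keywords, thresholds and the
sample tree below are illustrative choices, not a published signature set.
"""
import math
import os
import tempfile
from collections import Counter
from pathlib import Path

# ".play" is the extension named on the page; ".lockbit" is an assumed
# placeholder for the per-build extensions LockBit appends (real builds vary).
SUSPECT_EXTENSIONS = {".play", ".lockbit"}
# Words commonly seen in ransom note filenames; an assumption, tune to your data.
NOTE_NAME_HINTS = ("readme", "restore", "recover", "decrypt", "how_to")
# Formats that are high entropy when benign, so the entropy check skips them.
ENTROPY_EXEMPT = {".zip", ".7z", ".gz", ".png", ".jpg", ".jpeg", ".mp4", ".pdf"}


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: ~8.0 for ciphertext or random data, ~4-5 for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def looks_like_ransom_note(path: Path) -> bool:
    """Note-like name AND note-like body, to keep false positives down."""
    if path.suffix.lower() not in {".txt", ".hta", ".html"}:
        return False
    name_hit = any(h in path.name.lower() for h in NOTE_NAME_HINTS)
    try:
        text = path.read_text(errors="ignore").lower()
    except OSError:
        return False
    body_hit = "encrypted" in text and ("decrypt" in text or "contact" in text)
    return name_hit and body_hit


def scan_tree(root, min_renamed=5, entropy_threshold=7.5, sample_bytes=65536):
    """Walk `root`; return per-category findings and an overall alert flag."""
    findings = {"suspect_files": [], "ransom_notes": [], "high_entropy": []}
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        ext = path.suffix.lower()
        if ext in SUSPECT_EXTENSIONS:
            findings["suspect_files"].append(str(path))
        if looks_like_ransom_note(path):
            findings["ransom_notes"].append(str(path))
        if ext not in ENTROPY_EXEMPT:
            with open(path, "rb") as fh:
                head = fh.read(sample_bytes)
            # Tiny files give noisy entropy estimates; skip them.
            if len(head) >= 256 and shannon_entropy(head) >= entropy_threshold:
                findings["high_entropy"].append(str(path))
    # Alert on a burst of renamed files, any ransom note, or a burst of
    # high-entropy files in formats that should not be compressed.
    findings["alert"] = (
        len(findings["suspect_files"]) >= min_renamed
        or bool(findings["ransom_notes"])
        or len(findings["high_entropy"]) >= min_renamed
    )
    return findings


def build_sample_tree() -> str:
    """Constructed sample data, not a real incident: one benign document,
    six 'encrypted' files carrying the .play extension, and a note."""
    root = tempfile.mkdtemp(prefix="ransomscan-")
    docs = Path(root) / "docs"
    docs.mkdir()
    (docs / "budget.csv").write_bytes(b"dept,amount\nops,1200\nhr,800\n" * 50)
    for i in range(6):
        # os.urandom stands in for ciphertext: same entropy profile.
        (docs / f"report{i}.docx.play").write_bytes(os.urandom(4096))
    (docs / "ReadMe.txt").write_text(
        "Your files are encrypted. Contact us by email to decrypt them.\n"
    )
    return root


if __name__ == "__main__":
    result = scan_tree(build_sample_tree())
    for key, value in result.items():
        print(key, value if isinstance(value, bool) else len(value))
```

On a real host, point `scan_tree` at user data directories and run it on a schedule or from a file-change watcher; the entropy check is what catches a build that uses an extension you have not seen before, while the extension and note checks give you a fast, explainable hit when the indicators are known.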

During this week, LockBit's attacks involved the exfiltration of substantial amounts of sensitive data, posing severe risks to affected organizations. For instance, Westfälische Stahlgesellschaft, a German steel trading company, suffered a breach dated June 9, 2024 that was listed on the group's leak site this week.

The compromised data included production information, accounting records, and personal data of employees and clients, severely disrupting the company's operations. Similarly, Eicher Motors Limited, an Indian automotive giant known for its Royal Enfield motorcycles, suffered a ransomware attack compromising personally identifiable information (PII) and confidentiality agreements. These breaches highlight LockBit's capability to disrupt operations and compromise critical data integrity across various sectors.

Significant Attacks:

  • Fairfield Memorial Hospital, a critical access hospital in Illinois, was targeted by LockBit, resulting in operational disruptions and a threat to release patient data by July 17, 2024. The attack underscores the vulnerability of healthcare institutions to ransomware, given their reliance on immediate data access for patient care.
  • Merryman House Domestic Crisis Center, a non-profit organization in Kentucky dedicated to supporting victims of domestic violence, was attacked by LockBit on July 3, 2024. The breach highlighted the vulnerability of non-profit organizations to sophisticated cyber threats, particularly those handling sensitive personal data.

RansomHub

RansomHub is a new and quickly rising ransomware group that emerged in early 2024 and has made a significant impact on the threat landscape. Believed to have roots in Russia, RansomHub operates under a Ransomware-as-a-Service (RaaS) model.

Its affiliate terms are unusually generous: affiliates keep 90% of ransom payments and the core group takes the remaining 10%, which helps explain its rapid recruitment. Its encryptor is written in Go, which simplifies building for multiple platforms and can complicate analysis for tooling tuned to more common toolchains. RansomHub has targeted healthcare, construction, IT, and government, with notable victims including the Baim Institute for Clinical Research and Aedifica Montreal.

During the week of July 1 to July 7, RansomHub carried out several significant attacks, stealing large amounts of sensitive data. For example, the Baim Institute for Clinical Research in Boston was hit hard, losing 175 GB of critical data, including clinical trial information and patient data. Another major victim was Aedifica Montreal, a respected architecture and design firm.

RansomHub stole detailed project information, including non-disclosure agreements and layouts for high-profile clients such as Zurich Insurance and Adidas Originals. These breaches reveal the extent of the threat posed by RansomHub and the vulnerabilities in even well-established organizations.

Significant Attacks:

  • Hauptmann GmbH, a construction company in Austria, was also targeted by RansomHub. The attackers stole sensitive corporate data, including personally identifiable information (PII), and contacted the company directly to press for payment. This attack demonstrates that smaller enterprises with fewer resources are also at significant risk and need to invest in their defenses.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.