Ransomware on the Move: DragonForce, Play, LockBit, RansomHub
Date:
July 16, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:
The first week of July 2024 saw a significant spike in ransomware attacks, affecting various sectors worldwide. Four prominent ransomware groups—DragonForce, LockBit, Play, and RansomHub—were notably active, carrying out sophisticated cyberattacks that disrupted operations and compromised sensitive data across numerous industries.
The manufacturing sector was hit hardest with 9 attacks, followed by healthcare services and construction, each suffering 4 attacks. These incidents highlight the evolving nature of ransomware threats, urging organizations to strengthen their cybersecurity defenses.
DragonForce
DragonForce is a highly sophisticated ransomware group that has gained significant notoriety in the cyber threat landscape. Emerging in late 2023, the group is distinguished by its targeted ransomware attacks on corporate and organizational networks, employing advanced techniques such as leveraging leaked LockBit ransomware code.
DragonForce operates using both encryption and exfiltration tactics, threatening to release stolen information publicly if ransom demands are not met—a strategy known as double extortion. The group has targeted various industries, including retail, manufacturing, government entities, and healthcare organizations, with notable breaches including the Ohio Lottery, Yakult Australia, Coca-Cola Singapore, and the government of Palau.
For the week of July 1 to July 7, DragonForce conducted several significant attacks, stealing substantial amounts of sensitive data. Super Gardens, a prominent landscape construction and turf management company based in Victoria, experienced a ransomware attack where DragonForce claimed to have accessed and exfiltrated 120.1 gigabytes of data.
This included sensitive employee information, such as medical checks and driver's license scans, as well as details of high-profile clients like Melbourne Racing Club and La Trobe University.
Similarly, DragonForce targeted Elite Fitness NZ, a leading supplier of fitness and gym equipment in New Zealand, resulting in the theft of 5.31 gigabytes of data, including business-related documents and personal identification information.
Significant Attacks:
- Gray & Adams, a leading manufacturer of temperature-controlled and bespoke vehicles based in Scotland, fell victim to a DragonForce ransomware attack. The breach resulted in the exfiltration of 8.35 gigabytes of sensitive data, highlighting vulnerabilities in the company's network systems. With over 750 employees and significant operations in the food services and pharmaceuticals sectors, the impact on Gray & Adams was considerable, raising concerns about the security of manufacturing processes and client confidentiality.
- The Franciscan Friars of the Atonement, a Roman Catholic religious order with an estimated revenue of $10.8 million, faced a significant breach by DragonForce. The attack led to the theft of sensitive data and disruptions in their operations. Despite their mission centered on reconciliation and atonement, the Friars' work across multiple countries made them a high-value target for ransomware attacks.
- Grand Rapids Gravel, a long-standing construction materials supplier in Michigan, experienced a ransomware attack by DragonForce, resulting in the exfiltration of 10.96 gigabytes of data. The breach disrupted their operations and posed severe risks to business continuity and client data security. As a company operational since 1920, Grand Rapids Gravel's reputation and operational integrity were significantly impacted by the attack.
Play
The Play ransomware group, also known as PlayCrypt, has been active since June 2022 and has quickly become a significant threat in the cybersecurity landscape. This ransomware targets both Windows and Linux systems, leveraging various vulnerabilities in RDP servers, FortiOS, and Microsoft Exchange to gain access.
Play ransomware appends the .play extension to encrypted files and often leaves a minimalistic ransom note instructing victims to contact them via email for negotiations. The group's dark web leak site is used to disclose victim information, putting additional pressure on organizations to follow ransom demands. Play's rapid evolution and widespread impact underline the growing sophistication and persistence of ransomware threats in today's digital environment.
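The two host-level indicators named above (files renamed with a `.play` extension and a small text ransom note dropped next to them) are the kind of thing an endpoint or file-server monitor can alert on. The script below is an added example for this post, not code from Halcyon or from the original article: it parses a constructed file-event log (timestamp, host, action, path; the format and all sample lines are made up for illustration), flags any host where a burst of suspicious renames lands inside a short window, and only reports a candidate note file when it appears in a directory that also saw those renames, which keeps an ordinary `readme.txt` from firing on its own. The note-name hints and the burst threshold are assumptions to tune per environment.

```python
"""Added example: flag file events that look like Play-style encryption.

Heuristics (defender's view):
  1. a burst of RENAME/CREATE events ending in ".play" on one host inside a
     sliding time window (the page says Play appends ".play" to encrypted files);
  2. a small text file with a ransom-note-like name created in a directory
     that also saw those renames.

Event format and SAMPLE_EVENTS are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

SUSPICIOUS_EXTENSIONS = {".play"}                          # from the page
NOTE_HINTS = ("readme", "restore", "recover", "decrypt")   # assumption: common note names


def parse_event(line: str) -> Tuple[datetime, str, str, str]:
    """Parse one constructed line: '<iso-timestamp> <host> <action> <path>'."""
    ts, host, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), host, action, path


def has_suspicious_extension(path: str) -> bool:
    lower = path.lower()
    return any(lower.endswith(ext) for ext in SUSPICIOUS_EXTENSIONS)


def looks_like_ransom_note(path: str) -> bool:
    name = path.rsplit("/", 1)[-1].lower()
    return name.endswith(".txt") and any(h in name for h in NOTE_HINTS)


def detect_encryption_bursts(lines: List[str], threshold: int = 5,
                             window: timedelta = timedelta(seconds=60)) -> Dict[str, int]:
    """Return {host: max_burst_size} for hosts where at least `threshold`
    suspicious renames fall inside any window of length `window`."""
    per_host: Dict[str, List[datetime]] = defaultdict(list)
    for line in lines:
        ts, host, action, path = parse_event(line)
        if action in ("RENAME", "CREATE") and has_suspicious_extension(path):
            per_host[host].append(ts)
    hits: Dict[str, int] = {}
    for host, stamps in per_host.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:   # slide the window
                start += 1
            size = end - start + 1
            if size >= threshold:
                hits[host] = max(hits.get(host, 0), size)
    return hits


def detect_ransom_notes(lines: List[str]) -> List[Tuple[str, str]]:
    """Return (host, path) for note-like files created where renames also occurred."""
    touched_dirs = set()
    for line in lines:
        _, host, action, path = parse_event(line)
        if action in ("RENAME", "CREATE") and has_suspicious_extension(path):
            touched_dirs.add((host, path.rsplit("/", 1)[0]))
    notes = []
    for line in lines:
        _, host, action, path = parse_event(line)
        if action == "CREATE" and looks_like_ransom_note(path) \
                and (host, path.rsplit("/", 1)[0]) in touched_dirs:
            notes.append((host, path))
    return notes


def analyze(lines: List[str]) -> Dict[str, object]:
    """Combine both heuristics into one report for an alerting pipeline."""
    return {"bursts": detect_encryption_bursts(lines),
            "notes": detect_ransom_notes(lines)}


# Constructed sample: one noisy workstation, one file server under attack.
SAMPLE_EVENTS = [
    "2024-07-05T02:13:50 ws02 CREATE /home/alice/report.docx",
    "2024-07-05T02:13:55 ws02 RENAME /home/alice/old.docx.play",      # single rename, below threshold
    "2024-07-05T02:14:01 fs01 RENAME /shares/finance/q2.xlsx.play",
    "2024-07-05T02:14:02 fs01 RENAME /shares/finance/q3.xlsx.play",
    "2024-07-05T02:14:02 fs01 RENAME /shares/finance/budget.docx.play",
    "2024-07-05T02:14:03 fs01 RENAME /shares/finance/payroll.csv.play",
    "2024-07-05T02:14:04 fs01 RENAME /shares/finance/vendors.pdf.play",
    "2024-07-05T02:14:05 fs01 RENAME /shares/finance/contracts.zip.play",
    "2024-07-05T02:14:06 fs01 CREATE /shares/finance/ReadMe.txt",      # note beside the renames
    "2024-07-05T02:20:00 fs01 CREATE /shares/hr/readme.txt",           # ordinary readme, no renames here
]

if __name__ == "__main__":
    print(analyze(SAMPLE_EVENTS))
```

On the sample the report names `fs01` with a burst of six renames and the single note in `/shares/finance`; the lone `.play` rename on `ws02` and the unrelated `readme.txt` under `/shares/hr` stay quiet. In production the same two checks would run over EDR or file-server audit events rather than a list of strings, and the extension set would carry whatever other families the environment tracks.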
Play ransomware's attacks involve the exfiltration of substantial amounts of sensitive data, posing severe risks to the affected organizations. For example, Elyria Foundry, a mining and metals company specializing in iron casting, experienced a significant breach discovered on July 5, 2024.
The compromised data potentially includes critical operational and financial information, which could severely disrupt the company's services. Similarly, Fareri Associates, a real estate development firm, suffered a ransomware attack on the same date, compromising sensitive client data and property transaction details. These breaches highlight Play ransomware's capability to significantly disrupt operations and compromise critical data integrity across various sectors.
Significant Attacks:
- Elyria Foundry, a leading iron casting manufacturer based in Ohio, was targeted by the Play ransomware group on July 5, 2024. The attack underscored vulnerabilities in the company's cybersecurity measures and posed significant risks to its operational integrity. Elyria Foundry, with a rich history dating back to 1905, serves global sectors such as construction, mining, energy, and heavy machinery, making it a critical player in the manufacturing industry.
- Fareri Associates, a prominent real estate development firm in Connecticut, was also attacked on July 5, 2024. Known for its high-end residential, retail, and commercial projects, the company's compromised data included sensitive client and transaction information, raising concerns about the security of its IT infrastructure. The firm's strategic development initiatives in Fairfield and Westchester counties emphasize the broader impact of the attack on the regional real estate market.
- Innerspec Technologies, a leader in non-destructive testing solutions, faced a ransomware attack by Play, impacting its operations globally. The company specializes in advanced NDT solutions, including EMAT technology, and serves sectors such as aerospace, energy, and manufacturing. The breach potentially exposed valuable intellectual property and operational data, highlighting the sophisticated nature of Play ransomware's methods.
LockBit
LockBit is a notorious ransomware-as-a-service (RaaS) group that has been highly active since September 2019. This ransomware targets both Windows and Linux systems, leveraging vulnerabilities in RDP services and unsecured network shares to infiltrate networks. LockBit encrypts files using RSA-2048 and AES-256 algorithms, appending unique extensions and leaving ransom notes demanding Bitcoin payments.
The group employs a "double extortion" tactic, threatening to release stolen data on their dark web leak site if their demands are not met. LockBit’s operations are characterized by their rapid spread, modular structure, and ability to evade detection, making it a formidable threat in the cybersecurity landscape. Notably, during the week of July 1 - July 7, 2024, LockBit resurfaced as the top ransomware group after a few weeks of partial activity, underscoring its persistent threat.
During this week, LockBit’s attacks involved the exfiltration of substantial amounts of sensitive data, posing severe risks to affected organizations. For instance, Westfälische Stahlgesellschaft, a German steel trading company, experienced a significant breach on June 9, 2024.
The compromised data included production information, accounting records, and personal data of employees and clients, severely disrupting the company's operations. Similarly, Eicher Motors Limited, an Indian automotive giant known for its Royal Enfield motorcycles, suffered a ransomware attack compromising personally identifiable information (PII) and confidentiality agreements. These breaches highlight LockBit's capability to disrupt operations and compromise critical data integrity across various sectors.
Significant Attacks:
- Fairfield Memorial Hospital, a critical access hospital in Illinois, was targeted by LockBit, resulting in operational disruptions and a threat to release patient data by July 17, 2024. The attack underscores the vulnerability of healthcare institutions to ransomware, given their reliance on immediate data access for patient care.
- The University Hospital Centre in Zagreb (KBC Zagreb), Croatia's largest hospital, was forced to shut down its IT systems for a day due to a ransomware attack by LockBit, causing significant operational disruptions. The attack led to the potential exposure of patient and employee information, medical records, and various contracts, emphasizing the critical need for improved cybersecurity in healthcare.
- Merryman House Domestic Crisis Center, a non-profit organization in Kentucky dedicated to supporting victims of domestic violence, was attacked by LockBit on July 3, 2024. The breach highlighted the vulnerability of non-profit organizations to sophisticated cyber threats, particularly those handling sensitive personal data.
RansomHub
RansomHub is a new and quickly rising ransomware group that has made a significant impact on the cyber threat landscape. Emerging in early 2024, this group has garnered attention with its sophisticated ransomware attacks. Believed to have roots in Russia, RansomHub operates using a Ransomware-as-a-Service (RaaS) model.
Under that model, affiliates keep 90% of the ransom payments while the core group takes the remaining 10%. Their use of the Golang programming language for developing ransomware is a modern approach that makes their malware more robust and harder to detect. RansomHub has targeted various sectors, including healthcare, construction, IT, and government, with notable victims like the Baim Institute for Clinical Research and Aedifica Montreal.
During the week of July 1 to July 7, RansomHub carried out several significant attacks, stealing large amounts of sensitive data. For example, the Baim Institute for Clinical Research in Boston was hit hard, losing 175 GB of critical data, including clinical trial information and patient data. Another major victim was Aedifica Montreal, a respected architecture and design firm.
RansomHub stole detailed project information, including non-disclosure agreements and layouts for high-profile clients such as Zurich Insurance and Adidas Originals. These breaches reveal the extent of the threat posed by RansomHub and the vulnerabilities in even well-established organizations.
Significant Attacks:
- Southwest Construction Services, Inc. (SWCS, Inc.), a general contractor in California and Nevada, fell victim to a RansomHub attack. The attackers stole all the company’s data, including sensitive blueprints and plans for strategic US facilities. This breach not only threatens business operations but also raises security concerns given the nature of their projects.
- NTT Data Romania, part of the global IT services giant NTT Data Corporation, experienced a ransomware attack where RansomHub threatened to release 230 GB of sensitive data. Despite NTT Data Romania’s advanced IT infrastructure, this incident highlights the persistent risk of ransomware and the need for constant vigilance and strong cybersecurity measures.
- Hauptmann GmbH, a construction company in Austria, was also targeted by RansomHub. The attackers stole sensitive corporate data, including personally identifiable information (PII). They even made direct contact with the company, stressing the urgency and impact of the breach. This attack demonstrates that smaller enterprises with fewer resources are also at significant risk and need to enhance their cybersecurity defenses.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.