Ransomware on the Move: Hunters International, 8Base, Medusa, RansomHub

Date: April 23, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:

Hunters International

Hunters International, a prominent Ransomware-as-a-Service (RaaS) group, has recently made headlines for cyberattacks on several high-profile organizations across the globe.  

Among its targets are the Brazilian branch of Toyota, Caxton and CTP Publishers and Printers in South Africa, Chicony Electronics in Taiwan, the City of St. Cloud in Florida, and the Jack Doheny Company in the United States.

The breach at Toyota Brazil (the subsidiary was established in 1958) resulted in the exfiltration of 169.4 GB of data across 110,312 files. Caxton and CTP Publishers and Printers likewise suffered a data breach, with 576.2 GB of data and 278,696 files reportedly stolen, including sensitive personal and financial information.

Chicony Electronics, a Taiwan-based multinational electronics manufacturer, was also targeted by the Hunters International group, although specific details of the attack remain undisclosed. The company produces a range of electronic products, including input devices, power supplies, and digital image products.

In the United States, the City of St. Cloud, Florida, faced a cyberattack resulting in the exfiltration of 1.4 TB of data, amounting to 719,597 files. The city is actively working to resume normal operations amidst the breach.  

Meanwhile, the Jack Doheny Company, a sewer cleaning and maintenance equipment dealer, suffered the exfiltration of 572.7 GB of data, including sensitive HR, accounting, and financial documents.

Hunters International gained notoriety after emerging in Q3 of 2023, with their ransomware bearing resemblances to the infamous Hive ransomware strain.  

Despite denials of any ties to the Hive operation, security researchers have found significant code overlaps between the two strains, suggesting that the Hive operators may have transferred their tooling to another threat actor.

The group primarily focuses on exfiltrating target data and extorting victims with ransom demands. In one reported incident involving a plastic surgery clinic in the US, approximately 248,000 files, including patient information, were exfiltrated.  

Their modus operandi is to encrypt files, append the ".LOCKED" extension to them, and leave instructions directing the victim to a negotiation portal on the dark web.  

A successful intrusion typically involves significant data exfiltration before any ransom demand is issued, with the demand sized to the compromised organization's perceived ability to pay.

8Base

The ransomware group 8Base has recently targeted GPI Corporate, a fully integrated promotional marketing solution provider operating nationally in Australia with offices in Hong Kong.  

Although details of the attack are scarce, the company is known for delivering innovative marketing solutions aimed at enhancing efficiency and promoting growth.

Additionally, 8Base compromised Lyon Terminal, the first multimodal platform in the Lyon region, and SOA Architecture, a design firm founded in 1987.  

In both cases, the exfiltrated data included a wide range of sensitive information such as invoices, personal data, and employment contracts. Lyon Terminal handles various transport units, while SOA Architecture specializes in design projects across different sectors.

8Base emerged in March 2022 and has rapidly become one of the most active ransomware groups, targeting the business services, manufacturing, and construction sectors in particular. Their operations display a level of sophistication that suggests a link to experienced RaaS operators such as RansomHouse.  

While 8Base has neither a signature ransomware strain nor an open affiliate recruitment program, it employs various ransomware payloads, including a customized Phobos variant delivered via SmokeLoader. Their tactics involve double extortion through data exfiltration and target Windows systems, where they typically delete Volume Shadow Copies so that victims cannot roll encrypted files back from local snapshots.  

8Base's modus operandi involves "name and shame" tactics to compel victims to pay ransom demands, although their typical ransom amount remains undisclosed.

Medusa

The Medusa ransomware group has recently targeted Novus International, an American animal health and nutrition company headquartered in Missouri.  

Novus operates globally and is privately owned by Mitsui & Co and Nippon Soda Co, with operations spanning over 90 countries. While specifics of the attack remain undisclosed, Medusa's recent cyberactivity extends beyond Novus.

Medusa recently disrupted Traverse City Area Public Schools in Michigan, leading to class cancellations. The group claimed to have stolen 1.2 TB of data and demanded a ransom of $500,000 to prevent data release, with an additional $500,000 to decrypt it.  

As a Ransomware-as-a-Service (RaaS) platform, Medusa debuted in summer 2021 and has become increasingly active. Their attack tactics include rebooting infected machines into safe mode to sidestep endpoint defenses, deleting local backups and Volume Shadow Copies, and terminating more than 280 Windows services and processes (typically backup, database, and security software) so that files they hold open can be encrypted.  
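The behaviours this post attributes to three of the groups (8Base deleting Volume Shadow Copies, Medusa rebooting into safe mode and killing services, Hunters International renaming encrypted files to ".LOCKED") are all visible in ordinary endpoint telemetry. The following is an added example, not code from the original post or from Halcyon: a small Python triage that scans constructed, Sysmon-style process-creation and file events for recovery-inhibition commands (ATT&CK T1490), for a burst of service stops on one host, and for a burst of renames to the ".LOCKED" extension. The host names, event shape, regexes and thresholds are this example's own assumptions, and the sample events are constructed rather than taken from any of the incidents above.

```python
import re
from collections import defaultdict

# Command-line patterns for the recovery-inhibition steps attributed to 8Base and
# Medusa. These regexes are this example's own heuristics, not any vendor's signatures.
COMMAND_RULES = {
    "vss_delete": re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I),
    "vss_resize": re.compile(r"\bvssadmin(\.exe)?\s+resize\s+shadowstorage\b.*\bmaxsize\b", re.I),
    "wmic_shadow_delete": re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I),
    "wbadmin_delete": re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b", re.I),
    "bcdedit_safeboot": re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b", re.I),
    "bcdedit_no_recovery": re.compile(
        r"\bbcdedit(\.exe)?\s+/set\b.*\b(recoveryenabled\s+no|bootstatuspolicy\s+ignoreallfailures)\b", re.I),
}
# A single service stop is routine admin work; a burst of them on one host is the signal.
SERVICE_STOP = re.compile(r"\b(net1?(\.exe)?\s+stop\s+|sc(\.exe)?\s+stop\s+|taskkill(\.exe)?\b.*/im\s+)", re.I)
# Extension attributed to Hunters International; one such file is noise, many in a burst is not.
LOCKED_EXT = re.compile(r"\.LOCKED$", re.I)

# Constructed sample telemetry (hypothetical hosts ws01..ws07); not real data from any incident.
SAMPLE_EVENTS = [
    {"host": "ws01", "type": "process", "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "type": "process", "cmdline": "wmic shadowcopy delete"},
    {"host": "ws02", "type": "process", "cmdline": "bcdedit /set {default} safeboot minimal"},
    {"host": "ws02", "type": "process", "cmdline": "bcdedit /set {default} recoveryenabled No"},
    {"host": "ws03", "type": "process", "cmdline": "vssadmin list shadows"},  # read-only: must not fire
    {"host": "ws04", "type": "process", "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws05", "type": "process", "cmdline": "net stop Spooler"},       # single stop: no alert
] + [
    {"host": "ws03", "type": "process", "cmdline": f"net stop {svc} /y"}
    for svc in ("MSSQLSERVER", "SQLWriter", "VeeamBackupSvc", "wuauserv", "MSExchangeIS")
] + [
    {"host": "ws06", "type": "file", "path": rf"C:\Users\finance\Documents\q1-{i:03d}.xlsx.LOCKED"}
    for i in range(25)
] + [
    {"host": "ws07", "type": "file", "path": r"C:\temp\notes.txt.LOCKED"},  # one file: no alert
]


def match_command(cmdline):
    """Return the names of the command rules that fire on a single command line."""
    return [name for name, rx in COMMAND_RULES.items() if rx.search(cmdline)]


def triage(events, stop_threshold=5, rename_threshold=20):
    """Group rule hits per host; the burst rules only fire once a per-host count crosses its threshold."""
    hits = defaultdict(set)
    stops = defaultdict(int)
    renames = defaultdict(int)
    for ev in events:
        host = ev["host"]
        if ev["type"] == "process":
            hits[host].update(match_command(ev["cmdline"]))
            if SERVICE_STOP.search(ev["cmdline"]):
                stops[host] += 1
        elif ev["type"] == "file" and LOCKED_EXT.search(ev["path"]):
            renames[host] += 1
    for host, n in stops.items():
        if n >= stop_threshold:
            hits[host].add("mass_service_stop")
    for host, n in renames.items():
        if n >= rename_threshold:
            hits[host].add("mass_locked_rename")
    # Hosts that only produced benign events end up with an empty set; drop them.
    return {host: sorted(names) for host, names in hits.items() if names}


def severity(rule_names):
    """One recovery-inhibition technique is worth a look; two distinct ones on the same host is worth paging on."""
    if len(rule_names) >= 2:
        return "high"
    return "medium" if rule_names else "none"


if __name__ == "__main__":
    for host, names in sorted(triage(SAMPLE_EVENTS).items()):
        print(f"{host}: {severity(names)} {names}")
```

In practice the command rules need tuning by parent process and account: backup agents legitimately run `vssadmin resize shadowstorage`, and Exchange or SQL maintenance scripts stop services in bulk, whereas `bcdedit /set ... safeboot` and `wbadmin delete catalog` almost never appear in normal operations and can be alerted on at a single hit.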

While ransom demands typically reach millions, the amount may vary based on the victim's financial capacity. Medusa primarily targets healthcare, pharmaceutical, and public sector organizations, employing a double extortion scheme to exfiltrate data before encryption.  

However, they offer relatively modest shares to affiliate attackers, with payouts capped at 60% of the ransom.

RansomHub

The RansomHub ransomware group has targeted the Robeson County Sheriff's Office in North Carolina, claiming to have stolen 1.1 TB of data.  

The Sheriff's Office is dedicated to enhancing relationships between law enforcement personnel, first responders, and citizens, collaborating with local, state, and federal partners to combat drug-related crimes and other major offenses.

Additionally, RansomHub compromised Grupo Cuevas, exfiltrating 26 GB of data and setting a ransom deadline for April 24. Grupo Cuevas, spanning three centuries and four generations of the Cuevas family, operates prominently in food distribution and the agri-food industry.

As a relatively new ransomware-as-a-service operation, RansomHub may be a rebrand of the BlackCat/ALPHV gang. Their darknet site lists victims and provides information about the group's motivations and rules, including restrictions on targeting certain countries and non-profit organizations.  

While driven by financial gain, RansomHub prohibits re-attacks on victims who have already paid and sets guidelines for its affiliates.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.