Ransomware on the Move: Hunters International, Play, RansomHub, Qilin
Date:
September 24, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week: Hunters International, Play, RansomHub, Qilin…
The week of September 9-15 witnessed a surge in ransomware activity, with several high-profile incidents affecting organizations across diverse sectors, including education, finance, healthcare, and construction.
Four groups—Hunters International, Play, RansomHub, and Qilin—dominated the ransomware landscape this week.
- Hunters International executed significant breaches against entities like ICBC London and Bank Rakyat, exposing vulnerabilities in financial institutions.
- Play ransomware continued its broad attack strategy, impacting industries ranging from HVAC services to commercial refrigeration.
- RansomHub focused on high-value targets such as the Atlanta Consulting & Construction and Accurate Railroad Construction Ltd.
- Qilin group, known for its sophisticated Rust-based malware, launched attacks on educational and hospitality sectors, targeting institutions like EAGLE School and Kingsmill Resort.
Hunters International
Hunters International is a ransomware group that emerged in 2023, quickly becoming a prominent threat in the cybersecurity landscape. Suspected of having acquired Hive’s source code after its dismantling, the group leverages its sophisticated Ransomware-as-a-Service (RaaS) model to target a wide range of industries.
Hunters International is known for its focus on data exfiltration rather than encryption, using stolen data to exert pressure on victims. Their activities span across multiple sectors, including healthcare, financial institutions, and technology services, with a notable concentration of attacks in the United States and Europe.
Hunters International's breaches typically involve the theft of large volumes of sensitive data, which is then used to coerce organizations into paying substantial ransoms. This week, in an attack on VIcom Corporation, a technology solutions integrator based in Virginia, the group exfiltrated 264.7 GB of data, affecting services related to teleconferencing, security access control, and managed IT.
Another significant breach occurred at HB Construction, a Texas-based construction services provider, where 505.2 GB of data was stolen. This incident compromised the company’s operational data and project records, demonstrating the group’s ability to infiltrate and impact companies across various industries.
Significant Attacks:
- ICBC London, a branch of the Industrial and Commercial Bank of China, suffered a ransomware attack by Hunters International. The group claims to have exfiltrated 6.6 terabytes of data, encompassing over 5.2 million files, and set a ransom deadline for September 13, 2024. This breach, described as potentially catastrophic, could lead to severe legal and compliance issues for ICBC London, particularly given its extensive global financial operations and the stringent data privacy regulations in regions such as the EU and UK.
- Bank Rakyat, a prominent financial institution in Malaysia, was attacked by Hunters International, resulting in the exfiltration of 463.2GB of data, encompassing 144,015 files. Initially, the group removed the post about the attack but later decided to leak all the stolen data on their dark web site. In response, Bank Rakyat assured its customers that its banking system remained secure and emphasized its commitment to transparency and operational resilience. The incident was reported to the authorities, and customers were individually informed via letters and SMS about the situation and the bank's cybersecurity measures. Despite the data breach, Bank Rakyat assured that business operations continued as usual, focusing on maintaining security and service integrity.
RansomHub
RansomHub, a Ransomware-as-a-Service (RaaS) group, has established itself as a significant threat in the ransomware landscape since its emergence in February 2024. Known for its aggressive affiliate model, the group rapidly gained notoriety by targeting a wide range of industries, including healthcare, financial services, and government organizations.
RansomHub uses advanced data exfiltration techniques combined with intermittent encryption to exert pressure on victims, making it one of the most effective ransomware groups in terms of impact and ransom collection.
The group’s attacks span globally, with a particular focus on high-value targets in the United States, Canada, and Europe, leveraging vulnerabilities in unpatched systems and utilizing sophisticated malware to infiltrate networks undetected.
RansomHub typically steals vast amounts of sensitive data, which is then leveraged to coerce organizations into paying substantial ransoms. One significant breach involved Thornton Inc., a construction management and general contracting company based in Miami, Florida. The attackers exfiltrated 100 GB of project details, financial records, and personal information of employees and clients, severely disrupting their operations and damaging their reputation.
Another example is the attack on Mechdyne Corporation, an Iowa-based leader in advanced immersive and collaborative technology solutions. RansomHub exfiltrated 700 GB of sensitive data, including non-disclosure agreements and financial information, threatening the company's proprietary technologies and business relationships.
Significant Attacks:
- Accurate Railroad Construction Ltd., a privately held corporation in Ontario, Canada, experienced a major ransomware attack by RansomHub. The group infiltrated the company’s servers, exfiltrating approximately 120,000 documents, including client details, company records, financial data, and project documentation. The attackers left a message for communication, presumably to negotiate a ransom for the return or decryption of the stolen files.
- Advantage CDC, an SBA lender based in California, was attacked by RansomHub, resulting in the theft of 128,000 documents. The stolen data included client information, financial records, and critical documents such as bank statements and payroll summaries. RansomHub issued a ransom demand, threatening to contact clients directly with evidence of the breach and release portions of the database to the public and media if their demands were not met.
Play Ransomware Group
The Play ransomware group, also known as PlayCrypt, has been active since June 2022, targeting a broad range of industries across North America, South America, and Europe. The group typically exploits vulnerabilities in RDP servers, FortiOS, and Microsoft Exchange to gain access to networks.
After infiltration, they use tools like Mimikatz for privilege escalation and distribute ransomware through scheduled tasks, PsExec, and Group Policy Objects. Unlike other ransomware groups, Play does not initially demand a ransom in their notes, instead instructing victims to contact them via email. Play has affected over 300 organizations globally, including businesses and critical infrastructure.
Play ransomware frequently exfiltrates large volumes of sensitive data prior to encryption, leveraging this information to coerce victims. For example, the group targeted True Family Enterprises, a private investment firm based in California, stealing 200 GB of financial records, contracts, and personal data. This breach severely impacted the firm’s operations and client trust.
Similarly, Play infiltrated Dimensional Merchandising Inc. in New Jersey, exfiltrating 500 GB of proprietary formulas, client information, and financial records, jeopardizing the company’s business relationships and compliance status.
Both companies, with annual revenues of approximately $14.5 million and $119 million respectively, faced substantial operational and reputational challenges as a result.
Significant Attacks:
- Piggly Wiggly Alabama Distributing Company, Inc., a wholesale supplier cooperative based in Bessemer, Alabama, suffered a major ransomware attack orchestrated by the Play ransomware group. The attackers gained access to a significant amount of sensitive data, including budgetary details, payroll records, client documents, and financial information. With annual sales of around $750 million, PWADC services over 270 stores across seven states, making the impact of this breach potentially far-reaching. s.
- Bel-Air Bay Club, a prestigious venue in Pacific Palisades, California, experienced a ransomware attack that led to the exfiltration of extensive client and financial data. The Play group targeted the club’s digital systems, stealing sensitive information such as payroll records, tax documents, and identification information. This attack not only threatens the club's operational integrity but also poses serious reputational damage, given its exclusive clientele and annual revenue of approximately $9.8 million.
Qilin Ransomware Group
Qilin, also known as Agenda, is a ransomware group that has been a prominent player in the cybersecurity landscape since July 2022. Operating under a Ransomware-as-a-Service (RaaS) model, Qilin provides affiliates with advanced tools to conduct ransomware operations, significantly expanding its reach.
The group has been linked to over 150 attacks across 25 countries, targeting various sectors such as healthcare, education, and large enterprises. They have gained notoriety for utilizing Rust-based malware, which enhances their evasion capabilities and allows them to effectively infiltrate Windows, Linux, and VMware ESXi systems.
Notable incidents include the group’s attack on Synnovis, a major pathology services provider in the UK, and their persistent targeting of healthcare providers and educational institutions, highlighting their focus on high-impact targets.
Qilin typically exfiltrates large volumes of sensitive data before encrypting systems, using this information as leverage to coerce victims into paying ransoms.
In a recent attack on Atlantic Refrigeration Co., a Philadelphia-based commercial refrigeration and ice machine service provider, the group exfiltrated and encrypted sensitive information related to client contracts, service agreements, and financial records. This breach has disrupted the company’s operations and potentially jeopardized its business relationships.
Another attack targeted Phoenix Air Conditioning & Heating, a family-owned HVAC service provider in Laguna Hills, California. Qilin exfiltrated customer records, including contact information, service history, and financial data.
Significant Attacks:
- EAGLE School in Fitchburg, Wisconsin, was severely affected by a ransomware attack conducted by the Qilin group. The attackers infiltrated the school's network, exfiltrating sensitive data such as student records, administrative documents, and personal information of staff and students. The breach has raised significant concerns about data privacy and operational continuity for the educational institution, which serves gifted and talented students from kindergarten through eighth grade.
- CAM Tyre Trade Systems & Solutions, a major player in the tyre industry software sector based in Dursley, Gloucestershire, was hit by Qilin, leading to the exfiltration and encryption of critical business data. The attack disrupted CAM's operations, compromising its flagship business management software, CAMEO, which is used by over 70% of the UK tyre market. This breach has highlighted vulnerabilities in CAM’s cybersecurity and could have long-term repercussions on their industry reputation and client trust.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.