Ransomware on the Move: INC, 8Base, Akira, BlackCat/ALPHV, BianLian

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

‍

INC Ransom

‍

INC Ransom, a relatively new player in the ransomware landscape, has been making waves with a series of attacks on diverse organizations.  

‍

The group claimed responsibility for infiltrating CellNetix Pathology and Laboratories, a major anatomic pathology provider based in Seattle, Washington. The breach led to the unauthorized access of sensitive consumer information, including names, Social Security numbers, driver’s license numbers, and health insurance details.

‍

Moreover, INC Ransom struck Sykes Consulting and the Washington School for the Deaf, obtaining various pieces of corporate data. Sykes Consulting, a structural engineering services provider, and the Washington School for the Deaf in Vancouver, Washington, fell victim to the group's targeted attacks.

‍

INC Ransom's modus operandi involves leveraging compromised Remote Desktop Protocol (RDP) credentials for initial access, followed by lateral movement within the target environment.  

‍

The group utilizes legitimate tools like WMIC, PSEXEC, and Living-off-the-Land (LOTL) techniques, abusing applications such as MSPaint, WordPad, NotePad, MS Internet Explorer, MS Windows Explorer, and AnyDesk.

‍

The group employs double extortion tactics, threatening to expose sensitive data if the ransom demand is not met. INC Ransom, coded in C++, deploys AES-128 in CTR mode for file encryption and has a Linux version.  

‍

While the extent of advanced security evasion techniques remains unclear, there are indications that the group may attempt to delete Volume Shadow Copies (VSS) to hinder encryption rollback attempts.

‍

8Base

‍

The 8Base ransomware group has rapidly ascended as one of the most active threats since its emergence in March 2022. Displaying a "massive spike in activity" in 2023, the group has targeted ARPEGE, Glimstedt, and Midwest Service Center, obtaining a trove of sensitive corporate data from each victim.

‍

8Base primarily focuses on business services, manufacturing, and construction sectors, employing data exfiltration for double extortion. The group's sophistication suggests a connection to experienced RaaS operators, potentially linked to Ransomhouse or the leaked Babuk builder.  

‍

8Base engages in advanced security evasion techniques, modifying Windows Defender Firewall for bypass, and utilizes various ransomware payloads, notably customized Phobos with SmokeLoader.

‍

Despite lacking a signature ransomware strain or an open RaaS program, 8Base operates opportunistically, targeting victims with a "name and shame" approach through their leaks site.  

In Q4-2023, 8Base introduced a new variant of the Phobos ransomware payload, continuing its aggressive campaign against Windows targets.

‍

Akira

‍

Akira, a ransomware group emerging in March 2023, has set itself apart with distinct tactics. The group targeted Hamilton-Madison House, a non-profit settlement house in New York City, and Bestway Sales, a leading agricultural sprayer manufacturer.  

‍

Akira also attacked HydraTek, a consulting engineering firm specializing in water hammer problems.

‍

What sets Akira apart is its extortion platform, featuring a chat feature for direct negotiation with victims. The group, possibly linked to the Conti gang, reveals infection vectors to paid ransom victims, deviating from the standard practice of multiple attacks on the same target. Operating a RaaS written in C++, Akira demands ransoms ranging from $200,000 to over $4 million.

‍

In a notable move, Akira released a Linux variant and exploited a zero-day vulnerability in Cisco’s Adaptive Security Appliance and Firepower Threat Defense software. The group also targeted VMware ESXi vulnerabilities for lateral movement.  

‍

Akira's attacks span across various sectors, including education, finance, and manufacturing, employing data exfiltration for double extortion.

‍

BlackCat/ALPHV

‍

BlackCat/ALPHV has established itself as a formidable ransomware group, claiming attacks on MBC Law Professional Corporation, ANS Computer, and Busse & Busse, P.C. The group reportedly obtained massive amounts of sensitive data, showcasing the scale and severity of their attacks.

‍

First observed in late 2021, BlackCat/ALPHV maintains a well-developed RaaS platform employing an AES algorithm for encryption. Notably, they were the first to use Rust, a secure programming language, displaying advanced technological prowess.  

‍

The group deletes Volume Shadow Copies using utility tools, attains privilege escalation through CMSTPLUA COM interface, and encrypts files with ChaCha20 or AES algorithms.

‍

In Q4-2023, BlackCat/ALPHV faced potential disruption by law enforcement, with their websites taken down. However, the group managed to restore some infrastructure. BlackCat/ALPHV's attacks extend across Windows, VMWare ESXi, and Linux systems, displaying capabilities to impact diverse environments.

‍

BianLian

‍

The BianLian data extortion group, initially emerging as a typical RaaS provider in June 2022, has evolved its strategies. Initially deploying Golang-based ransomware, the group transitioned to data exfiltration and extortion attacks in early 2023.  

‍

BianLian abandoned ransomware payloads in favor of open-source tooling and command-line scripts for credential harvesting and data exfiltration.

‍

Increasing attack volumes, BianLian now ranks among prominent groups in Q1-2023, targeting financial institutions, healthcare, manufacturing, education, entertainment, and energy sectors.

‍

The group, rarely deploying ransomware payloads, utilizes a custom Go-based backdoor for remote access, exploiting compromised Remote Desktop Protocol (RDP) credentials.

‍

‍

‍Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.