Ransomware on the Move: LockBit, Akira, Play, RansomHub
Date: June 17, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: Play, LockBit, Arcus Media, and RansomHouse.
LockBit
LockBit has executed high-profile attacks on 14 organizations during the week of May 27th to June 2nd. This week's targets include Smith & Caughey's, Power Test, Inc., Strike USA, Ayuntamiento de San Lorenzo de El Escorial, Heras UK, and Allied Telesis. These incidents contribute to a significant number of attacks recorded in the last week of May and the beginning of June 2024, and bring the total to 161 attacks added to our database during the month of May.
The total revenue of the companies targeted by LockBit during this period amounts to approximately $1.9 billion. LockBit has demanded ransom payments typically set at 3% of the victim's annual revenue, a strategy that has significantly impacted these organizations financially.
LockBit 3.0, also known as LockBit Black, is an advanced and dangerous iteration of the LockBit ransomware family. Operating under a Ransomware-as-a-Service (RaaS) model, the group allows various cybercriminal affiliates to use their sophisticated ransomware in exchange for a share of the profits. LockBit is renowned for its highly obfuscated code, advanced encryption techniques, and capabilities for lateral movement within networks.
Operation Cronos, launched in February to dismantle LockBit's infrastructure, initially succeeded through arrests and server seizures. However, LockBit quickly rebounded, reasserting its presence on the dark web and escalating attacks by releasing previously undisclosed victim data. This resilience demonstrates the group's adaptability and the ongoing challenges for law enforcement.
In the past week, LockBit has executed several attacks resulting in the exfiltration of substantial volumes of sensitive data, including financial documents, personally identifiable information (PII), intellectual property, and operational data, totaling over 5.45 TB.
Notable incidents include Strike USA, where contracts, employee ID cards, equipment management data, management reports, and safety coordinator information were compromised. Moreover, Heras UK suffered a breach involving financial private data, customer building schemes, NDAs, GDPR data, salary data, and external private audit reports.
Significant Attacks:
- The LockBit ransomware gang targeted Smith & Caughey's website, resulting in the leakage of sensitive financial, HR, accounting, management, and IT department data. This attack has severely impacted the company's ability to communicate with stakeholders and raised significant concerns about data privacy and security.
- LockBit attacked Power Test, Inc., exfiltrating 5 TB of sensitive data, including passports, bank statements, credit cards, blueprints, and personal details of clients and employees. This massive data breach has exposed the company to significant risks and potential damages.
Akira
Akira is a rapidly growing ransomware family targeting small to medium-sized businesses across various sectors. The group is known for its double extortion tactics, where they steal data before encrypting systems and demand ransom for decryption and data deletion. Akira has a unique dark web leak site and continuously adapts its tactics to target organizations effectively. The group emerged in March 2023 and is believed to be affiliated with the now-defunct Conti ransomware gang.
Akira ransomware group has executed high-profile attacks on 8 organizations during the week of May 27th to June 2nd. This week's targets include TriLiteral LLC, New Hampshire Public Radio, Faultless Brands, DreamWall NV, MagicLand, Western Dovetail, Inc., Avelina, and Brett Slater Solicitors. These incidents contribute to a significant number of attacks recorded in the last week of May and the beginning of June 2024. The total revenue of the companies targeted by Akira during this period amounts to approximately $21.1 million.
The attacks carried out by Akira in the past week have led to the claimed exfiltration of large volumes of sensitive data, including financial documents, personally identifiable information (PII), intellectual property, and operational data. In total, approximately 245 GB of data has been confirmed as stolen during this period.
Significant Attacks:
- The Akira threat actor targeted TriLiteral LLC, leaking 24GB of data that includes detailed accounting data, client information, and other business files. This breach poses a significant risk to TriLiteral's operations and reputation, as sensitive information has been exposed to threat actors.
- Akira targeted New Hampshire Public Radio, claiming to have leaked 35GB of data including financial and accounting information, grants, and other data. This attack threatens the organization's ability to continue providing independent journalism and quality programming.
This week, Akira has demonstrated a broad focus, targeting organizations across diverse sectors including logistics, media, manufacturing, animation, amusement parks, woodworking, food production, and legal services.
Across this series of attacks, the data stolen by Akira comprised several types of sensitive information. This includes financial documents such as accounting files, bank statements, and grant information; personally identifiable information (PII) like employee addresses, emails, phone numbers, and relatives' contacts; and client information, including client details, contracts, and agreements.
Akira also made off with medical information, encompassing medical files and sensitive health data. The attacks also affected operational data, including confidential business files, tax information, and payment records, as well as intellectual property, which includes company agreements, digital assets, and proprietary data.
Play
Play ransomware group has executed high-profile attacks on five organizations during the week of May 27th to June 2nd. This week's targets include Walser Automotive Group, NTV Canada, FPL Food LLC, Elmhurst Group, and Credit Central LLC. These incidents contribute to a significant number of attacks recorded in the last week of May and the beginning of June 2024.
Play is a significant player in the cybercrime landscape, known for targeting Linux systems and deploying cryptographic lockers. The group has evolved from data theft to sophisticated ransomware tactics, showcasing advanced capabilities in encryption methods and victim communication. Play ransomware shares similarities with Baseline Babuk, particularly in terms of encryption methods and operational tactics, making it a formidable threat to organizations.
The attacks carried out by Play in the past week have led to the exfiltration of large volumes of sensitive data, including financial documents, personally identifiable information (PII), operational data, and client-related information. In total, approximately 300 GB of data has been confirmed as stolen during this period.
Significant Attacks:
- The Play ransomware group targeted Walser Automotive Group, leading to a ransomware attack that was disclosed on the dark web on June 2, 2024. The breach, which was added to records on May 30, 2024, has garnered significant attention. The attackers have published compromised files online, posing a serious threat to the company's data security.
- Play targeted NTV Canada, leaking data that included private and personal confidential information, client documents, budget details, contracts, taxes, IDs, and financial information. This breach poses a significant risk to the company's operations and reputation.
Play continues to maintain its position as a significant ransomware group in the cybercrime landscape. This week, Play has demonstrated a broad focus, targeting organizations across diverse sectors including automotive, media, food processing, real estate, and financial services. The group's strategy appears to be centered on maximizing ransom demands by targeting high-revenue companies with significant operational dependencies on their digital infrastructure.
FPL Food LLC, the number one privately owned beef processor in the Southeast with approximately 657 employees, faces significant risks from an attack on their systems. Such an event can severely disrupt their supply chain and operational processes, leading to major financial setbacks.
Similarly, Credit Central LLC, which employs 182 people and operates over 160 loan offices, would experience severe disruptions in their financial services due to a breach. This could adversely affect both their operational capabilities and financial stability.
In total, the combined revenue of the companies attacked by Play ransomware this week amounts to approximately $212.5 to $314 million, according to reported sources. The breadth of these targets and the types of data stolen indicate Play's strategy of leveraging the high operational and financial impact on these companies to demand substantial ransoms. The significant revenues and employee counts of the targeted organizations highlight the potential for very high ransom demands, as the disruption caused by these attacks can lead to severe financial and logistical problems for the affected companies.
RansomHub
RansomHub ransomware group has executed high-profile attacks on 5 organizations during the week of May 27th to June 2nd. This week's targets include Frontier Communications, PSG Banatski Dvor D.O.O., SIAED S.p.A., Bjurholms kommun, and Christie's Auction House. These incidents contribute to a significant number of attacks recorded in the last week of May and the beginning of June 2024.
RansomHub is a new ransomware group operating as a Ransomware-as-a-Service (RaaS) entity. They have targeted various countries and industries, including the US, Brazil, and healthcare-related institutions. RansomHub distinguishes itself by making claims and backing them up with data leaks. The group's ransomware strains are written in Golang, a language choice that sets them apart in the cyber threat landscape.
The volume of data exfiltrated across the reported attacks is significant. PSG Banatski Dvor D.O.O. suffered a ransomware attack involving the theft of approximately 80 GB of sensitive data, including files from IT, Accounting, Finance, Projects, Client databases, Budgets, Taxes, Logistics, Production data, HR, Legal documents, KPIs, and R&D documents.
In a similar vein, SIAED S.p.A. experienced a massive data theft of 1.6 terabytes of sensitive data, encompassing critical source code, proprietary algorithms, software designs, extensive databases, financial records, and personal information of clients from major banks.
In total, approximately 1.78 terabytes of data have been confirmed as exfiltrated during this period. The attacks carried out have resulted in serious financial and legal repercussions to the companies involved.
Significant Attacks:
- RansomHub targeted Frontier Communications, claiming to have leaked data of more than 2 million customers, including sensitive information such as names, addresses, emails, SSNs, credit scores, dates of birth, and phone numbers. The company was given a deadline to contact the group but did not respond, leading to the data leak. Frontier Communications is now facing three class-action lawsuits following the data breach.
- RansomHub also targeted Christie's Auction House, leaking data including personal information of 500,000 clients during an $840 million auction event. The attack caused significant disruption and led to the website being taken offline for investigation. After negotiations failed and the deadline expired, the stolen data was ultimately sold to an anonymous third party. Christie's is now facing a customer class-action suit.
This week, RansomHub has demonstrated a broad focus, targeting organizations across diverse sectors including telecommunications, gas storage, IT services, government, and art auctions. The group's strategy appears to be centered on maximizing ransom demands by targeting high-revenue companies with significant operational dependencies on their digital infrastructure.
Frontier Communications, with a revenue of $5.77 billion and approximately 13,230 employees, faces substantial financial and logistical problems from the ransomware attack, which could disrupt its extensive range of communication services and customer operations.
SIAED S.p.A., which generates $18.5 million in revenue with a workforce of 251-500 people, could see its IT services and consulting operations severely impacted by the breach exposing 1.6 terabytes of data, leading to potential financial losses and reputational damage. Similarly, Christie's Auction House, with a record of selling US$8.4 billion in art and luxury goods, faces severe risks to client privacy and operational integrity due to the breach during an $840 million auction event.
In total, the combined revenue of the companies attacked by RansomHub this week amounts to approximately $5.8 billion. The breadth of these targets and the types of data stolen indicate RansomHub's strategy of leveraging the high operational and financial impact on these companies to demand substantial ransoms. The significant revenues and employee count of the targeted organizations highlight the potential for very high ransom demands, as the disruption caused by these attacks can lead to severe financial and logistical problems for the affected companies. This information is based on reported and alleged incidents.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.