Ransomware on the Move: LockBit, Arcus Media, Play, RansomHouse

Date:

June 12, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs that were on the move last week:

LockBit

LockBit has carried out high-profile attacks on organizations including Valley Land Title Co., the University of Siena, Schmitty & Sons, Ramfoam Ltd, and Quality Plumbing Associates Inc. These incidents contribute to a total of 150 LockBit attacks recorded in May 2024 up to May 26th.

Operating under a Ransomware-as-a-Service (RaaS) model, LockBit lets affiliates deploy its ransomware in exchange for a share of the ransom proceeds. LockBit is known for heavily obfuscated code, robust file encryption, and built-in capabilities for lateral movement within a network, all of which make it harder for defenders to detect and contain.

Operation Cronos, the law-enforcement action launched in February 2024 to dismantle LockBit's infrastructure, initially succeeded with arrests and server seizures. LockBit nevertheless rebounded quickly, reasserting its presence on the dark web and escalating by publishing previously undisclosed victim data. That resilience illustrates the group's adaptability and the continuing challenge it poses for law enforcement.

LockBit's attacks in the past week led to the exfiltration of large volumes of sensitive data, including financial documents, personally identifiable information (PII), intellectual property, and operational data. The per-victim volumes reported so far are listed below, with the total following the list.

Recent attacks include:

  • The University of Siena was compromised, resulting in the leak of 514 GB of budgetary documents, project financing details, and sensitive agreements
  • Equinox, Inc. suffered a breach involving 49 GB of financial documents, bank records, and personal data
  • Groupe CARCAJOU experienced a substantial breach, with 270 GB of sensitive data exposed, including photos, videos, financial statements, and project plans
  • The Valley Land Title Co. attack disrupted operations and compromised data security, though details of the ransom demand and the amount of data taken have not been disclosed

In total, at least 833 GB of data (514 + 49 + 270) has been confirmed as exfiltrated across these incidents, with volumes undisclosed for some victims. LockBit continues to hold its position as a leading ransomware group.

Its mature ransomware, evasion techniques, and large affiliate network sustain its reach, and its continuing attacks across sectors underscore the need for hardened defenses and vigilance.

See more of LockBit’s recent ransomware attacks here

Arcus Media

The Arcus Media ransomware group, which emerged in May 2024, has quickly become a notable threat. It conducted 11 ransomware attacks during the week of May 20th to May 26th, concentrating on organizations in Brazil and elsewhere in South America, though its reach extended to other regions as well.

That prolific start, and the run of successful breaches behind it, has put organizations in the region on alert and prompted many to bolster their defenses.

Arcus Media operates under a Ransomware-as-a-Service (RaaS) model, allowing affiliates to use its ransomware in exchange for a share of the profits. Its operations are characterized by phishing emails for initial access, custom ransomware binaries, and obfuscation techniques to evade detection. The affiliate program requires referrals and vetting to maintain trust and operational security.

Arcus Media is known for exfiltrating a wide range of data types, including sensitive personal information, financial records, intellectual property, and operational data. During the week of May 20th to May 26th, it is estimated that the group exfiltrated over 500 GB of data from various organizations.

Recent attacks include:

  • Braz Assessoria Contábil Ltda, a Brazilian accounting and financial advisory firm, was breached after attackers gained access through phishing emails. The exfiltrated data included detailed financial reports, tax documents, and client information, posing serious risks to both the firm's operations and its clients' privacy
  • Thibabem Atacadista, a Brazilian wholesaler of children's clothing, was hit after phishing emails led to the deployment of ransomware that encrypted the company's data. The attackers demanded a substantial ransom for decryption and threatened to publish sensitive business data if it was not paid
  • FILSCAP, the Filipino Society of Composers, Authors, and Publishers, also fell victim. The attack compromised sensitive information related to intellectual property rights and royalty payments, showing the group's willingness to target organizations well outside its core region

See more of Arcus Media’s recent ransomware attacks here

Play

During the week of May 20th to May 26th, the Play ransomware group carried out eight notable attacks affecting companies across construction, technology, finance, real estate, and local government. This section details the group's activity, highlights notable incidents, and summarizes its current operations and history.

The Play ransomware group is known for exfiltrating a wide array of sensitive data before encrypting systems. The types of stolen data include private and personal confidential information, client documents, budget details, payroll records, accounting data, contracts, tax information, IDs, and financial data.

The Play ransomware group emerged in 2022, quickly establishing itself within the cybercriminal landscape. Initially associated with the Babuk ransomware code, Play has expanded its operations globally, targeting various sectors.  

The group is particularly noted for exploiting Microsoft Exchange Server vulnerabilities such as ProxyNotShell (CVE-2022-41040 and CVE-2022-41082) for initial access, has also targeted Linux systems, and operates a double-extortion model, stealing data before encrypting it.
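ProxyNotShell exploitation leaves a recognisable trace in the Exchange server's IIS logs: a request to the Autodiscover endpoint whose URI also routes to the /powershell backend. The script below is an added example, not code from Halcyon or from any Play tooling, that scans an IIS W3C log for that pattern. The log excerpt, hosts and addresses are constructed, and the field order is assumed to be the one declared in the excerpt's own #Fields header; the matching expression follows the shape of the interim URL Rewrite mitigation Microsoft published for the issue (two case-insensitive lookaheads applied after URL-decoding).

```python
import re
from urllib.parse import unquote

# Both conditions must hold anywhere in the decoded URI: it references the
# Autodiscover endpoint and it routes to /powershell. Decoding first defeats
# the %40 / mixed-case variants that bypassed naive literal matches.
PROXYNOTSHELL_RE = re.compile(r"(?=.*autodiscover)(?=.*powershell)", re.IGNORECASE)

# Constructed IIS W3C log excerpt (hypothetical hosts and addresses). The
# X-Rps-CAT value is a placeholder, not a real token.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 10.0
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status
2024-05-21 02:14:07 10.0.0.5 POST /autodiscover/autodiscover.json @evil.example/powershell/?X-Rps-CAT=placeholder 443 - 203.0.113.7 python-requests/2.31 200
2024-05-21 02:14:09 10.0.0.5 POST /autodiscover/autodiscover.json a=foo%40evil.example/PowerShell/ 443 - 203.0.113.7 python-requests/2.31 401
2024-05-21 08:03:15 10.0.0.5 POST /autodiscover/autodiscover.xml - 443 jsmith@corp.example 10.0.4.19 Microsoft+Office/16.0 200
2024-05-21 08:05:40 10.0.0.5 GET /owa/ - 443 jsmith@corp.example 10.0.4.19 Mozilla/5.0 200
2024-05-21 08:10:01 10.0.0.5 POST /powershell - 443 admin@corp.example 10.0.4.2 Microsoft+WinRM+Client 200
"""


def parse_iis_log(text):
    """Yield one dict per data line, keyed by the names in the #Fields header."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        # Skip lines we cannot map onto the declared fields rather than guess.
        if fields is None or len(values) != len(fields):
            continue
        yield dict(zip(fields, values))


def is_proxynotshell_probe(stem, query):
    """True when stem+query, URL-decoded, hits both lookaheads."""
    uri = stem if query == "-" else f"{stem}?{query}"
    return PROXYNOTSHELL_RE.search(unquote(uri)) is not None


def find_probes(text):
    """Return the matching requests with the details an analyst triages on."""
    hits = []
    for rec in parse_iis_log(text):
        if is_proxynotshell_probe(rec["cs-uri-stem"], rec["cs-uri-query"]):
            hits.append({
                "time": f'{rec["date"]} {rec["time"]}',
                "source": rec["c-ip"],
                "method": rec["cs-method"],
                "uri": f'{rec["cs-uri-stem"]}?{rec["cs-uri-query"]}',
                # ProxyNotShell needs valid mailbox credentials, so a 401 is a
                # failed attempt worth knowing about; a 200 is likely success.
                "status": rec["sc-status"],
            })
    return hits


if __name__ == "__main__":
    for hit in find_probes(SAMPLE_LOG):
        print(hit)
```

The legitimate Autodiscover and remote PowerShell requests in the sample are not flagged because each satisfies only one of the two lookaheads. Run it against the real logs under inetpub\logs\LogFiles on an Exchange server that was exposed before the November 2022 patches; a hit with status 200 from an unfamiliar source address is grounds to treat the server as compromised.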

Recent attacks include:

  • Visa Lighting, a US manufacturer of architectural lighting, suffered a significant attack in which Play encrypted large volumes of sensitive data, including client documents, budget details, payroll information, accounting records, contracts, tax documents, and personal identification information. The breach severely disrupted operations; the volume exfiltrated is estimated at approximately 2 terabytes
  • Tri-State General Contractors, a US construction company, experienced significant operational disruption after an attack on its supply management website affected its supply chain operations. The attackers exfiltrated around 1.5 terabytes of sensitive data, including project plans, financial records, and client information
  • Experis Technology Group, a hybrid cloud architecture firm, had approximately 2.5 terabytes of sensitive data exfiltrated, including private and personal confidential information, client documents, budget details, payroll records, accounting data, contracts, tax information, and IDs
  • Levin Porter Associates, an architecture firm known for its use of new technologies, suffered a major attack compromising around 1 terabyte of sensitive data, including project files, client contracts, financial records, and design plans
  • Ardenbrook, a real estate investment and property management company, had approximately 1 terabyte of data exfiltrated, including private and personal confidential information, client documents, budget details, payroll records, accounting data, contracts, tax information, IDs, and financial data

See more of Play’s recent ransomware attacks here

RansomHouse

During the week of May 20th to May 26th, the RansomHouse group carried out seven notable attacks affecting organizations in healthcare, charity, business services, education, construction, the stone industry, and maritime transport. This section details the group's activity, highlights notable incidents, and summarizes its current operations and history.

The victims were United Urology Group, Royal Star & Garter, Advance Press, Cressex Community School, Hedbergs AB, J & N Stone, and Berge Bulk. Each attack reportedly involved the exfiltration of roughly 300 GB of data, with the usual consequences of operational disruption, legal costs, potential regulatory fines, and remediation spending on security.

The types of stolen data include private and personal confidential information, client documents, budget details, payroll records, accounting data, contracts, tax information, IDs, and financial data. The total exfiltrated across this week's attacks is estimated at approximately 2.1 terabytes (about 300 GB from each of the seven victims).

RansomHouse presents itself as focused on data theft and extortion rather than encryption, although several of the incidents below did involve encryption. Active since late 2021, the group typically gains access with compromised credentials via Remote Desktop Gateway, then uses PowerShell and Mimikatz to maintain access, dump further credentials, and exfiltrate data. It negotiates with victims through a Tor-based chat and runs a data leak site, demanding payment in Bitcoin.
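The RansomHouse tradecraft described above, an RDP logon with stolen credentials followed shortly by Mimikatz or encoded PowerShell on the same host, can be caught by correlating two Windows Security events: 4624 with logon type 10 (RemoteInteractive) and 4688 (process creation). The script below is an added example, not code from Halcyon or from any RansomHouse tooling. The event records, hosts, users and addresses are constructed, and the dict layout is an assumption standing in for whatever your SIEM or forwarder emits; the indicator expressions cover well-known Mimikatz modules, ProcDump and comsvcs.dll LSASS dumps, and encoded or download-cradle PowerShell.

```python
import re
from datetime import datetime, timedelta

# Process-creation indicators for credential dumping. Matching on arguments
# rather than the image name catches a renamed Mimikatz binary.
CRED_DUMP_RE = re.compile(
    r"mimikatz|sekurlsa::|lsadump::|procdump.*lsass|comsvcs\.dll.*minidump",
    re.IGNORECASE,
)
# Encoded-command or download-cradle PowerShell, the usual follow-on tooling.
SUSPICIOUS_PS_RE = re.compile(
    r"powershell(\.exe)?\b.*?(\s-e(nc|ncodedcommand)?\s|downloadstring|invoke-expression|\biex\b)",
    re.IGNORECASE,
)

# Constructed sample events (hypothetical hosts, users and addresses) shaped
# like Security log 4624 (logon) and 4688 (process creation) records.
EVENTS = [
    {"Time": "2024-05-21T01:02:10", "EventID": 4624, "Computer": "SRV-FILE01",
     "LogonType": "10", "TargetUserName": "svc_backup", "IpAddress": "198.51.100.23"},
    {"Time": "2024-05-21T01:06:44", "EventID": 4688, "Computer": "SRV-FILE01",
     "SubjectUserName": "svc_backup",
     "CommandLine": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -nop -w hidden -enc SQBFAFgAIAAoAE4A"},
    {"Time": "2024-05-21T01:09:12", "EventID": 4688, "Computer": "SRV-FILE01",
     "SubjectUserName": "svc_backup",
     "CommandLine": r'C:\Temp\m.exe "privilege::debug" "sekurlsa::logonpasswords" exit'},
    {"Time": "2024-05-21T03:40:05", "EventID": 4688, "Computer": "SRV-FILE01",
     "SubjectUserName": "svc_backup",
     "CommandLine": r"rundll32.exe C:\Windows\System32\comsvcs.dll, MiniDump 612 C:\Temp\l.dmp full"},
    {"Time": "2024-05-21T08:31:00", "EventID": 4624, "Computer": "WS-0412",
     "LogonType": "10", "TargetUserName": "jsmith", "IpAddress": "10.0.4.19"},
    {"Time": "2024-05-21T08:35:22", "EventID": 4688, "Computer": "WS-0412",
     "SubjectUserName": "jsmith", "CommandLine": r"C:\Windows\System32\notepad.exe"},
    {"Time": "2024-05-21T08:40:00", "EventID": 4688, "Computer": "WS-0412",
     "SubjectUserName": "jsmith",
     "CommandLine": r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"},
]


def classify(cmdline):
    """Label a 4688 command line, or return None if it looks benign."""
    if CRED_DUMP_RE.search(cmdline):
        return "credential_dumping"
    if SUSPICIOUS_PS_RE.search(cmdline):
        return "suspicious_powershell"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Flag suspicious process creations and tie each to the most recent
    RemoteInteractive (RDP) logon on the same host within the window."""
    evs = [dict(e, Time=datetime.fromisoformat(e["Time"])) for e in events]
    rdp_logons = [e for e in evs if e["EventID"] == 4624 and e.get("LogonType") == "10"]
    alerts = []
    for e in evs:
        if e["EventID"] != 4688:
            continue
        kind = classify(e["CommandLine"])
        if kind is None:
            continue
        prior = [l for l in rdp_logons
                 if l["Computer"] == e["Computer"]
                 and timedelta(0) <= e["Time"] - l["Time"] <= window]
        logon = max(prior, key=lambda l: l["Time"]) if prior else None
        alerts.append({
            "host": e["Computer"], "time": e["Time"].isoformat(), "kind": kind,
            "user": e["SubjectUserName"], "command": e["CommandLine"],
            # None means the indicator fired without a recent RDP logon; it is
            # still an alert, just without the initial-access link.
            "rdp_user": logon["TargetUserName"] if logon else None,
            "rdp_source": logon["IpAddress"] if logon else None,
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS):
        print(alert)
```

On the sample data the encoded PowerShell and the renamed Mimikatz run on SRV-FILE01 are both tied back to the svc_backup RDP logon from 198.51.100.23, the comsvcs.dll LSASS dump hours later is alerted without a linked logon, and jsmith's notepad and scripted backup on WS-0412 are left alone. For the 4688 matching to work at all, the "Include command line in process creation events" audit policy must be enabled, otherwise CommandLine is empty in the event; and hosts reached through RD Gateway will record the gateway's address rather than the client's, so pull the gateway's own connection log to recover the true source.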

Recent attacks include:

  • United Urology Group, a national network of urology specialists, fell victim to RansomHouse on April 5, 2024. The attack resulted in the exfiltration and encryption of sensitive data, including patient records, medical histories, financial documents, and operational data, severely disrupting operations and compromising patient confidentiality
  • Royal Star & Garter, a charity for military veterans, was attacked on April 3, 2024, resulting in the encryption of approximately 300 GB of data, operational disruption, and legal costs
  • Advance Press, a printing company, faced an attack on March 17, 2024, with approximately 300 GB of data encrypted
  • Cressex Community School in High Wycombe, Buckinghamshire, suffered an attack on March 22, 2024, compromising approximately 300 GB of data

RansomHouse's targets span a range of sectors, reflecting the group's adaptability and reach. The total combined revenue of the affected organizations amounts to $129.9 million.

The financial impacts include direct ransom payments, operational disruption, loss of revenue due to client attrition, legal fees, and costs associated with strengthening cybersecurity defenses. These attacks highlight the substantial economic damage ransomware can inflict, emphasizing the need for comprehensive cybersecurity strategies to protect against such threats.

See more of RansomHouse's recent ransomware attacks here

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.