Ransomware on the Move: LockBit, RansomHub, Hunters International, Fog
Date:
July 30, 2024
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:
In the week of July 15-21, 2024, the cybersecurity landscape witnessed significant disruptions as four prolific ransomware groups - LockBit, Fog, Hunters International, and RansomHub - launched attacks on various organizations across multiple sectors.
LockBit
LockBit is a formidable ransomware group that has been active since September 2019. This group employs highly sophisticated encryption techniques, using a combination of RSA-2048 and AES-256 algorithms to encrypt victims' files. LockBit targets vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to gain access and spread rapidly across networks. Known for its "double extortion" tactics, LockBit exfiltrates sensitive data and threatens to release it publicly if the ransom is not paid. The group's widespread reach and advanced methods made it responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023, affecting numerous industries worldwide.
LockBit's attacks typically involve the theft of large amounts of sensitive data, posing severe risks to affected organizations. For instance, Concord Direct, a direct response marketing agency, experienced a breach on July 12, 2024, where LockBit exfiltrated names, positions, companies, locations, personal and business emails, and phone numbers. Similarly, Wattle Range Council in South Australia was attacked, resulting in the theft of 103 gigabytes of data, including complaint notices, rate notices, banking applications, tax invoices, and customer details from a tourist park. These breaches highlight LockBit's ability to disrupt operations and compromise critical data integrity across various sectors.
Significant Attacks
- Great Lakes Supply, a prominent provider of HVAC solutions, fell victim to LockBit ransomware. The company, which specializes in packaged terminal air conditioners and serves sectors like hospitality, healthcare, and education, faced significant operational disruptions due to the attack. Known for its comprehensive service from specification to installation and support, Great Lakes Supply's extensive client base was at risk due to the sensitive nature of the stolen data.
- Plant Machine Works, a full-service machine shop in Baton Rouge, Louisiana, also suffered a LockBit ransomware attack on July 19, 2024. The company, with an annual revenue of $13.7 million, is known for its precision machining and repair services for rotating equipment across various industries, including oil and natural gas, petrochemical, and alternative energy. The breach compromised critical operational data, impacting the company's ability to provide essential services to its clients.
- Great Plains Tribal Leaders' Health Board (GPTLHB) was another significant target. As an organization dedicated to the health and wellness of American Indian communities across several states, the breach posed a severe risk to sensitive health data and the board's operational integrity. This attack underscores the critical need for robust cybersecurity measures in healthcare and related sectors.
RansomHub
RansomHub is a newly emerged ransomware group that has quickly established itself as a notable threat in the cyber landscape. Believed to have origins in Russia, RansomHub operates as a Ransomware-as-a-Service (RaaS) entity, with affiliates receiving 90% of the ransom payments while the core group retains the remaining 10%. This structure mirrors traditional Russian ransomware setups. RansomHub targets various countries without a specific pattern, including the US, Brazil, Indonesia, and Vietnam. Healthcare institutions have been significantly impacted, with Change Healthcare being a notable victim, having been targeted previously by other groups and now listed again by RansomHub. The group's ransomware strains are written in Golang, a trend that suggests a move towards more sophisticated and resilient malware.
RansomHub’s attacks typically involve the exfiltration of large amounts of sensitive data, posing severe risks to the affected organizations. For instance, GarudaFood, one of Indonesia's largest food and beverage companies, saw its operations disrupted with sensitive data exfiltrated. RansomHub threatened to release this data publicly, highlighting the severe risks to operational integrity and data security. Kumagai Gumi, with a capital of ¥30.1 billion, and GarudaFood, with substantial revenues from its extensive product lines, underscore the financial and operational impact of these attacks.
Significant Attacks
- Kumagai Gumi Co., Ltd., a leading Japanese construction firm, was targeted by RansomHub, resulting in over 5TB of sensitive data being exfiltrated. Founded in 1898 and headquartered in Tokyo, Kumagai Gumi is known for major infrastructure projects like the Tokuyama Dam and the Seikan Tunnel. The attack underscores vulnerabilities in the company's cybersecurity measures and poses significant risks to its operational integrity.
- GlowFM, a local radio station based in Eindhoven, Netherlands, experienced a ransomware attack that compromised all files and webmails. Known for its community engagement and diverse programming, GlowFM's breach emphasizes the widespread reach of RansomHub’s operations and the potential impact on smaller organizations.
- The City of Newcastle, Washington, faced a ransomware attack by RansomHub, threatening to publish or sell stolen data if demands were not met. The city's reliance on digital infrastructure for essential services makes it a prime target for such attacks, highlighting the significant risks to municipal operations and public services.
Hunters International
Hunters International is a ransomware group that emerged in Q3 2023, quickly establishing itself as a significant threat across various sectors. The group is believed to be an evolution or offshoot of the dismantled Hive ransomware gang, with approximately 60% of its ransomware code overlapping with Hive’s version 61. Hunters International employs double extortion tactics, exfiltrating sensitive data before encrypting systems and demanding a ransom for both decryption and data deletion. They have targeted victims in the US, UK, Germany, and Namibia, with a broad reach that underscores their adaptability and technical sophistication.
For the week of July 15 to July 21, Hunters International executed several notable attacks, exfiltrating large volumes of sensitive data. One significant victim was Arcmed Group, a Connecticut-based manufacturer of fluidic components and systems for diagnostic and analytical instruments. The attack on July 20, 2024, resulted in the theft of HR documents, confidential files, and financial records, affecting a company with an estimated revenue of $8 million and 279 employees. Another major target was Northeast Rehabilitation Hospital Network (NRHN) in New Hampshire, where 410.6GB of sensitive data was stolen. This breach posed severe risks to patient confidentiality and operational stability, impacting a healthcare provider with approximately $80 million in annual revenue and over 1,000 employees.
Significant Attacks
Fog
Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It is known for encrypting files and appending the extensions ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML," informing victims that their files have been encrypted and urging them to contact the attackers for file recovery. Fog ransomware has been particularly disruptive in the education sector, with 80% of its victims located there, and 20% in the recreation industry. Attackers typically gain access to systems by exploiting compromised VPN credentials from two different vendors, allowing for remote infiltration. Once inside, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult. There is no known decryptor available, and paying the ransom does not guarantee file restoration.
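The file-system indicators above (the ".FOG" and ".FLOCKED" extensions and the "readme.txt" / "HELP_YOUR_FILES.HTML" note names) can be turned into a simple post-incident triage check. The Python script below is an added example, not Halcyon's code or tooling: it walks a directory tree, counts files carrying those extensions, flags files with those note names, and rates the tree. The sample directory layout, the 5% ratio threshold and the verdict labels are constructed assumptions for illustration, and the script deliberately treats a lone "readme.txt" as weak evidence, since that name is common on clean systems.

```python
"""Triage a directory tree for the Fog ransomware file indicators quoted above.

Added example, not Halcyon's code. Indicator strings come from the write-up;
the sample tree, threshold and verdict labels are constructed for illustration.
Usage: python fog_triage.py <path>   (no argument runs the built-in demo)
"""
import os
import sys
import tempfile
from dataclasses import dataclass, field
from typing import Iterable, List

# Indicators taken from the write-up above (matched case-insensitively).
ENCRYPTED_EXTENSIONS = (".fog", ".flocked")
RANSOM_NOTE_NAMES = ("readme.txt", "help_your_files.html")

# Assumed threshold: below this share of renamed files we do not call it "suspicious".
RATIO_THRESHOLD = 0.05


@dataclass
class TriageResult:
    total_files: int = 0
    encrypted_files: List[str] = field(default_factory=list)
    ransom_notes: List[str] = field(default_factory=list)

    @property
    def encrypted_ratio(self) -> float:
        """Share of all files that carry one of the encrypted-file extensions."""
        return len(self.encrypted_files) / self.total_files if self.total_files else 0.0


def classify_paths(paths: Iterable[str]) -> TriageResult:
    """Pure classification over path strings, so it can be fed from a file
    inventory or EDR export as easily as from a live directory walk."""
    result = TriageResult()
    for path in paths:
        result.total_files += 1
        name = os.path.basename(path).lower()
        if name in RANSOM_NOTE_NAMES:
            result.ransom_notes.append(path)
        elif name.endswith(ENCRYPTED_EXTENSIONS):
            result.encrypted_files.append(path)
    return result


def triage_tree(root: str) -> TriageResult:
    """Walk a directory tree and classify every regular file found."""
    def walk() -> Iterable[str]:
        for dirpath, _dirs, filenames in os.walk(root):
            for filename in filenames:
                yield os.path.join(dirpath, filename)
    return classify_paths(walk())


def verdict(result: TriageResult) -> str:
    """Rate the tree. A note name alone (readme.txt is common on clean hosts)
    or a handful of renamed files alone only earns "low-confidence"."""
    if result.ransom_notes and result.encrypted_files:
        return "likely-fog"
    if result.encrypted_files and result.encrypted_ratio >= RATIO_THRESHOLD:
        return "suspicious"
    if result.ransom_notes or result.encrypted_files:
        return "low-confidence"
    return "clean"


def build_sample_tree(base: str) -> None:
    """Constructed sample data: two renamed documents, one file using a note
    name, one clean document and one legitimate README that will false-positive."""
    files = {
        "finance/q1_budget.xlsx.FOG": b"constructed placeholder bytes",
        "finance/payroll.docx.flocked": b"constructed placeholder bytes",
        "finance/readme.txt": b"constructed placeholder for a dropped note",
        "shared/minutes.docx": b"plain document",
        "tools/README.txt": b"build instructions (legitimate readme)",
    }
    for rel, data in files.items():
        full = os.path.join(base, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)


def demo() -> str:
    """Build the constructed tree in a temp dir, triage it, return the verdict."""
    with tempfile.TemporaryDirectory() as base:
        build_sample_tree(base)
        return verdict(triage_tree(base))


if __name__ == "__main__":
    if len(sys.argv) > 1:
        res = triage_tree(sys.argv[1])
        print(f"files={res.total_files} renamed={len(res.encrypted_files)} "
              f"notes={len(res.ransom_notes)} ratio={res.encrypted_ratio:.3f} "
              f"verdict={verdict(res)}")
    else:
        print("demo verdict:", demo())
```

Because `classify_paths` works on path strings, the same logic can run over a file inventory exported from an EDR or backup catalog instead of touching a possibly still-infected disk. The other behaviours the write-up lists (disabling Windows Defender, deleting Veeam backups, removing volume shadow copies) leave traces in event and application logs rather than in file names, so they need separate log-based detections that this script does not attempt.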
For the week of July 15 to July 21, 2024, Fog ransomware executed several significant attacks, exfiltrating substantial volumes of sensitive data. Attacks were focused on the education sector. One major victim was Verweij Elektrotechniek, a Dutch electrical engineering company specializing in energy-saving solutions and high-quality electrical installations. The attack on July 17, 2024, resulted in a data leak of 95GB, exposing crucial information vital to the company’s operations. Verweij Elektrotechniek, with around 97 employees, is known for its innovative and sustainable electrical solutions.
Significant Attacks
- Asbury Theological Seminary, a private evangelical institution in Kentucky, was hit by Fog ransomware, resulting in a 10GB data leak. The seminary, serving over 1,700 students from more than 80 denominations, had sensitive information related to its operations and stakeholders compromised, highlighting vulnerabilities in cybersecurity measures within educational institutions.
- The German University of Technology in Oman (GUtech) experienced a ransomware attack that led to a breach of 10GB of sensitive academic and administrative information. GUtech, established in 2007, offers programs in engineering, technology, and applied sciences to over 2,200 students, integrating German educational standards with Omani cultural values. This attack underscores the persistent threat to educational institutions globally.
- The West Allis-West Milwaukee School District in Wisconsin also fell victim to Fog ransomware, with a 9.5GB data leak. Serving the cities of West Allis and West Milwaukee, the district's compromised data highlighted the growing risk of cyberattacks on educational systems and the critical need for enhanced security measures to protect sensitive information.
Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.