Ransomware on the Move: LockBit, RansomHub, Hunters International, Fog

Date: July 30, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:

In the week of July 15-21, 2024, the cybersecurity landscape witnessed significant disruptions as four prolific ransomware groups - LockBit, Fog, Hunters International, and RansomHub - launched attacks on various organizations across multiple sectors.  

LockBit

LockBit is a formidable ransomware group that has been active since September 2019. This group employs highly sophisticated encryption techniques, using a combination of RSA-2048 and AES-256 algorithms to encrypt victims' files. LockBit targets vulnerabilities in Remote Desktop Protocol (RDP) services and unsecured network shares to gain access and spread rapidly across networks. Known for its "double extortion" tactics, LockBit exfiltrates sensitive data and threatens to release it publicly if the ransom is not paid. The group's widespread reach and advanced methods made it responsible for over one-third of all ransomware attacks in the latter half of 2022 and the first quarter of 2023, affecting numerous industries worldwide.

LockBit's attacks typically involve the theft of large amounts of sensitive data, posing severe risks to affected organizations. For instance, Concord Direct, a direct response marketing agency, experienced a breach on July 12, 2024, where LockBit exfiltrated names, positions, companies, locations, personal and business emails, and phone numbers. Similarly, Wattle Range Council in South Australia was attacked, resulting in the theft of 103 gigabytes of data, including complaint notices, rate notices, banking applications, tax invoices, and customer details from a tourist park. These breaches highlight LockBit's ability to disrupt operations and compromise critical data integrity across various sectors.

Significant Attacks

  • Great Lakes Supply, a prominent provider of HVAC solutions, fell victim to LockBit ransomware. The company, which specializes in packaged terminal air conditioners and serves sectors like hospitality, healthcare, and education, faced significant operational disruptions due to the attack. Known for its comprehensive service from specification to installation and support, Great Lakes Supply's extensive client base was at risk due to the sensitive nature of the stolen data.
  • Plant Machine Works, a full-service machine shop in Baton Rouge, Louisiana, also suffered a LockBit ransomware attack on July 19, 2024. The company, with an annual revenue of $13.7 million, is known for its precision machining and repair services for rotating equipment across various industries, including oil and natural gas, petrochemical, and alternative energy. The breach compromised critical operational data, impacting the company's ability to provide essential services to its clients.

RansomHub

RansomHub is a newly emerged ransomware group that has quickly established itself as a notable threat in the cyber landscape. Believed to have origins in Russia, RansomHub operates as a Ransomware-as-a-Service (RaaS) entity, with affiliates receiving 90% of the ransom payments while the core group retains the remaining 10%. This structure mirrors traditional Russian ransomware setups. RansomHub targets various countries without a specific pattern, including the US, Brazil, Indonesia, and Vietnam. Healthcare institutions have been significantly impacted, with Change Healthcare being a notable victim, having been targeted previously by other groups and now listed again by RansomHub. The group's ransomware strains are written in Golang, a trend that suggests a move towards more sophisticated and resilient malware.

RansomHub’s attacks typically involve the exfiltration of large amounts of sensitive data, posing severe risks to the affected organizations. For instance, GarudaFood, one of Indonesia's largest food and beverage companies, saw its operations disrupted with sensitive data exfiltrated. RansomHub threatened to release this data publicly, highlighting the severe risks to operational integrity and data security. Kumagai Gumi, with a capital of ¥30.1 billion, and GarudaFood, with substantial revenues from its extensive product lines, underscore the financial and operational impact of these attacks.

Significant Attacks

  • GlowFM, a local radio station based in Eindhoven, Netherlands, experienced a ransomware attack that compromised all files and webmails. Known for its community engagement and diverse programming, GlowFM's breach emphasizes the widespread reach of RansomHub’s operations and the potential impact on smaller organizations.

Hunters International

Hunters International is a ransomware group that emerged in Q3 2023, quickly establishing itself as a significant threat across various sectors. The group is believed to be an evolution or offshoot of the dismantled Hive ransomware gang, with approximately 60% of its ransomware code overlapping with Hive’s version 61. Hunters International employs double extortion tactics, exfiltrating sensitive data before encrypting systems and demanding a ransom for both decryption and data deletion. They have targeted victims in the US, UK, Germany, and Namibia, with a broad reach that underscores their adaptability and technical sophistication.

For the week of July 15 to July 21, Hunters International executed several notable attacks, exfiltrating large volumes of sensitive data. One significant victim was Arcmed Group, a Connecticut-based manufacturer of fluidic components and systems for diagnostic and analytical instruments. The attack on July 20, 2024, resulted in the theft of HR documents, confidential files, and financial records, affecting a company with an estimated revenue of $8 million and 279 employees. Another major target was Northeast Rehabilitation Hospital Network (NRHN) in New Hampshire, where 410.6GB of sensitive data was stolen. This breach posed severe risks to patient confidentiality and operational stability, impacting a healthcare provider with approximately $80 million in annual revenue and over 1,000 employees.

Significant Attacks

  • Braum's Inc., a family-owned business with over 300 locations, was hit by Hunters International, resulting in the exfiltration of 1.5TB of sensitive data. This included employee records with Social Security Numbers, proprietary product formulas, financial data, and the CEO's personal information. The breach had profound implications, impacting the company's operational integrity and exposing significant vulnerabilities within their cybersecurity infrastructure.
  • Lantronix Inc., an IoT solutions provider based in Irvine, California, also fell victim to Hunters International. The ransomware attack resulted in the compromise of 587.6GB of data, including sensitive employee medical records, background checks, financial data, and proprietary encryption DLL practices. With a reported revenue of $33.3 million, the attack exposed critical weaknesses in Lantronix’s security measures and highlighted the increasing targeting of tech companies by ransomware groups.
  • RZO, a New York-based real estate investment and management firm, experienced a substantial breach when Hunters International exfiltrated 1.1TB of data. The stolen information included sensitive financial documents, proprietary investment strategies, and personal data of top executives. This attack underscored the heightened risk faced by companies in the financial sector and the significant operational and reputational damage that can result from such cybersecurity breaches.
Fog

Fog ransomware is a malicious software variant that emerged in November 2021, primarily targeting Windows systems. It is known for encrypting files and appending the extensions ".FOG" or ".FLOCKED" to the affected filenames. The ransomware drops a ransom note named "readme.txt" or "HELP_YOUR_FILES.HTML," informing victims that their files have been encrypted and urging them to contact the attackers for file recovery. Fog ransomware has been particularly disruptive in the education sector, with 80% of its victims located there, and 20% in the recreation industry. Attackers typically gain access to systems by exploiting compromised VPN credentials from two different vendors, allowing for remote infiltration. Once inside, Fog ransomware can disable Windows Defender, encrypt Virtual Machine Disk (VMDK) files, delete backups from Veeam, and remove volume shadow copies, making recovery extremely difficult. There is no known decryptor available, and paying the ransom does not guarantee file restoration.
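The Fog behaviours listed above (appended ".FOG"/".FLOCKED" extensions, the two ransom note names, shadow copy removal, Defender tampering) map directly onto host-based detection logic. The following is an added example, not code from Halcyon or from any Fog analysis: it scores constructed endpoint events per host so that a single stray readme.txt stays benign while the full chain stands out. The event format, the vssadmin and Set-MpPreference patterns used for the last two behaviours, and all weights and thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed sample endpoint events (not real telemetry), one per line:
# timestamp|host|event|detail.  They mirror the Fog behaviours described above.
SAMPLE_EVENTS = """\
2024-07-17T02:11:03|fs01|rename|C:\\shares\\finance\\q2.xlsx -> C:\\shares\\finance\\q2.xlsx.fog
2024-07-17T02:11:04|fs01|rename|C:\\shares\\finance\\q3.xlsx -> C:\\shares\\finance\\q3.xlsx.flocked
2024-07-17T02:11:05|fs01|create|C:\\shares\\finance\\readme.txt
2024-07-17T02:12:10|fs01|process|vssadmin.exe delete shadows /all /quiet
2024-07-17T02:12:15|fs01|process|powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true
2024-07-17T02:13:00|vmhost02|rename|D:\\vms\\web01\\web01.vmdk -> D:\\vms\\web01\\web01.vmdk.fog
2024-07-17T09:00:00|ws42|rename|C:\\Users\\bob\\notes.txt -> C:\\Users\\bob\\notes_old.txt
2024-07-17T09:00:01|ws42|create|C:\\Users\\bob\\project\\readme.txt
"""

# Indicators from the Fog description; the process patterns and weights are
# assumptions chosen for this example, not signatures published for Fog.
RANSOM_EXT = re.compile(r"\.(fog|flocked)$", re.IGNORECASE)
RANSOM_NOTE = re.compile(r"\\(readme\.txt|HELP_YOUR_FILES\.HTML)$", re.IGNORECASE)
SHADOW_DELETE = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.IGNORECASE)
DEFENDER_TAMPER = re.compile(r"Set-MpPreference\s+-Disable\w+", re.IGNORECASE)

def score_hosts(log_text):
    """Aggregate weighted indicators per host; returns {host: (score, reasons)}."""
    hosts = defaultdict(lambda: [0, []])
    for line in log_text.splitlines():
        _ts, host, event, detail = line.split("|", 3)
        entry = hosts[host]
        if event == "rename":
            new_name = detail.split(" -> ")[-1]
            if RANSOM_EXT.search(new_name):
                # A ransom extension is strong; a VMDK target (whole VM disks) is stronger.
                entry[0] += 4 if ".vmdk" in new_name.lower() else 3
                entry[1].append(f"ransom extension: {new_name}")
        elif event == "create" and RANSOM_NOTE.search(detail):
            # readme.txt is common in benign use, so a note name alone scores low.
            entry[0] += 1
            entry[1].append(f"possible ransom note: {detail}")
        elif event == "process":
            if SHADOW_DELETE.search(detail):
                entry[0] += 4
                entry[1].append("volume shadow copies deleted")
            if DEFENDER_TAMPER.search(detail):
                entry[0] += 4
                entry[1].append("Defender protection disabled")
    return {h: (s, r) for h, (s, r) in hosts.items()}

def verdict(score):
    """Map a host score to a triage tier (thresholds are illustrative)."""
    if score >= 6:
        return "likely ransomware"
    return "suspicious" if score >= 3 else "benign"

if __name__ == "__main__":
    for host, (score, reasons) in score_hosts(SAMPLE_EVENTS).items():
        print(f"{host}: {verdict(score)} (score {score}) - {'; '.join(reasons)}")
```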

For the week of July 15 to July 21, 2024, Fog ransomware executed several significant attacks, exfiltrating substantial volumes of sensitive data. Attacks were focused on the education sector. One major victim was Verweij Elektrotechniek, a Dutch electrical engineering company specializing in energy-saving solutions and high-quality electrical installations. The attack on July 17, 2024, resulted in a data leak of 95GB, exposing crucial information vital to the company's operations. Verweij Elektrotechniek, with around 97 employees, is known for its innovative and sustainable electrical solutions.

Significant Attacks

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.