Ransomware on the Move: LockBit, Trigona, Rancoz, Akira, INC, NoEscape, Play


September 20, 2023


Ransomware gangs on the move last week:

Trigona Ransomware Gang Attack on Cyberport, Hong Kong

The Trigona ransomware gang, a relatively new player on the cybercrime scene, has set its sights on Cyberport, a technology and digital entertainment hub in Hong Kong. Established in 1999, Cyberport nurtures the growth of the region's ICT industry.

On September 7, 400GB of Cyberport's data fell into Trigona's hands, and the gang demanded $300,000 for its return. Trigona's initial access is unusual: the group scans for internet-exposed, vulnerable Microsoft SQL servers, and it also maintains a Linux build of its encryptor. Its encryption is robust, but the group has a reputation for actually delivering a working decryptor once the ransom is paid.

Trigona also abuses legitimate remote-management and remote-access tools such as AteraAgent, Splashtop, ScreenConnect, AnyDesk, LogMeIn, and TeamViewer. Because these are commercial products found in many environments, their presence rarely raises an alert unless defenders keep an explicit list of which ones are sanctioned, and that blind spot makes the gang a formidable adversary.

Rancoz Ransomware Gang Target: DDB Unlimited

Next up is the Rancoz ransomware gang, which has zeroed in on DDB Unlimited, a company specializing in enclosures, cabinets, and racks for the telecommunications industry. Rancoz made its debut in May 2023 and operates as a multi-extortion group.

Once inside, Rancoz deletes Volume Shadow Copies (VSS) to prevent local recovery, adjusts RDP/Terminal Server settings, and then encrypts files, appending the ".rec_rans" extension. Victims are directed to a ransom note for payment instructions.
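To turn the Rancoz behaviours above (shadow-copy deletion, RDP/Terminal Server tampering, mass renames to .rec_rans) and the Trigona remote-access-tool abuse into something a SOC can act on, here is an added hunting example written for this page; it is not Halcyon's code and not taken from either gang's tooling. It scores Sysmon-style events (IDs 1, 11 and 13) against a handful of rules. The executable names in RMM_IMAGES, the sanctioned-tool list and the RENAME_BURST threshold are assumptions to adjust for your environment, and SAMPLE_EVENTS is constructed, not captured telemetry.

```python
"""Rule-based hunting over Sysmon-style events for the tradecraft described
above: shadow-copy deletion and RDP/Terminal Server tampering (Rancoz), mass
renames to the .rec_rans extension (Rancoz) and execution of legitimate
remote-access tools (Trigona). Added example, not Halcyon's code; the events
at the bottom are constructed, not captured telemetry."""
import re
from collections import Counter, defaultdict

# Executable names assumed for the remote-access tools named on the page;
# verify them against the installers actually deployed in your estate.
RMM_IMAGES = {"ateraagent.exe", "srservice.exe", "screenconnect.clientservice.exe",
              "anydesk.exe", "logmein.exe", "teamviewer.exe"}
SANCTIONED_RMM = {"screenconnect.clientservice.exe"}   # assumption: what IT approved
SHADOW_DELETE = re.compile(
    r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete"
    r"|wbadmin(\.exe)?\s+delete\s+catalog|win32_shadowcopy.*\bdelete\b", re.I)
RDP_KEYS = re.compile(
    r"\\Control\\Terminal Server\\(fDenyTSConnections|WinStations\\RDP-Tcp\\)", re.I)
RANSOM_EXTENSIONS = {".rec_rans"}   # from the Rancoz write-up above
RENAME_BURST = 5                    # assumption: tune per environment


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hunt(events):
    """Return (rule, process_image, detail) tuples for a list of Sysmon-like dicts.
    EventID 1 = process create, 11 = file create, 13 = registry value set."""
    findings = []
    renames = defaultdict(Counter)          # image -> extension -> files written
    for ev in events:
        image = _basename(ev.get("Image", ""))
        eid = ev["EventID"]
        if eid == 1:
            if SHADOW_DELETE.search(ev.get("CommandLine", "")):
                findings.append(("shadow_copy_deletion", image, ev["CommandLine"]))
            if image in RMM_IMAGES and image not in SANCTIONED_RMM:
                findings.append(("unsanctioned_remote_access_tool", image, ev["Image"]))
        elif eid == 13 and RDP_KEYS.search(ev.get("TargetObject", "")):
            findings.append(("rdp_settings_tampered", image, ev["TargetObject"]))
        elif eid == 11:
            name = _basename(ev["TargetFilename"])
            ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
            if ext in RANSOM_EXTENSIONS:
                renames[image][ext] += 1
    for image, exts in renames.items():
        for ext, n in exts.items():
            if n >= RENAME_BURST:        # one-off hits are noise; bursts are encryption
                findings.append(("ransomware_extension_burst", image, f"{n} files -> {ext}"))
    return findings


SAMPLE_EVENTS = [   # constructed for this example
    {"EventID": 1, "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin.exe delete shadows /all /quiet"},
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c wmic shadowcopy delete"},
    {"EventID": 13, "Image": r"C:\Windows\System32\reg.exe",
     "TargetObject": r"HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\fDenyTSConnections"},
    {"EventID": 1, "Image": r"C:\Users\Public\AnyDesk.exe", "CommandLine": "AnyDesk.exe --install"},
    {"EventID": 1, "Image": r"C:\Program Files (x86)\ScreenConnect Client\ScreenConnect.ClientService.exe",
     "CommandLine": "ScreenConnect.ClientService.exe"},
    {"EventID": 11, "Image": r"C:\Users\Public\locker.exe", "TargetFilename": r"C:\Shares\readme.txt"},
] + [{"EventID": 11, "Image": r"C:\Users\Public\locker.exe",
      "TargetFilename": rf"C:\Shares\Finance\report{i}.xlsx.rec_rans"} for i in range(6)]

if __name__ == "__main__":
    for rule, image, detail in hunt(SAMPLE_EVENTS):
        print(f"{rule:32} {image:24} {detail}")
```

Feed it real Sysmon output and the noisy rule will be the remote-access one: the point of the sanctioned list is that an RMM binary is only interesting when nobody in IT put it there.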

LockBit Ransomware Gang Assault on Eljay Oil

Eljay Oil, a family-owned fuel and lubricant provider, became LockBit's latest victim. LockBit, a notorious Ransomware-as-a-Service (RaaS) platform, is known for its speedy encryption and triple extortion model. This gang has been relentless since 2019, targeting large enterprises and, notably, the healthcare sector.

LockBit encrypts files with the Salsa20 stream cipher, and its affiliates frequently gain initial access through exposed or weakly secured Remote Desktop Protocol (RDP) services. The affiliate program's generous payouts make it a popular choice among cybercriminals.

Akira Ransomware Gang: Energy One Under Siege

Energy One, an Australian software company serving the energy industry, was hit by the Akira ransomware gang. Akira, identified in May 2023, uses the Windows Restart Manager API to shut down processes that hold target files open, so that its encryptor is not blocked by file locks.
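The Restart Manager call sequence Akira relies on is a documented Windows API that installers use for the same reason. The following is an added example written for this page (not Akira's code and not Halcyon's): it asks the Restart Manager which processes hold a given file open and, only if explicitly asked, has it force them closed. processes_locking and load_restart_manager are illustrative helper names; the DLL binding needs Windows, while the session logic accepts any object that exposes the same five functions.

```python
"""Ask the Windows Restart Manager which processes hold a file open, the same
documented API Akira calls before encrypting so that no open handle blocks it.
Added example for this page, not Akira's code. The DLL calls run on Windows
only; the session/ERROR_MORE_DATA logic is platform-neutral and can be driven
by any object exposing the same five functions."""
import ctypes
import sys

ERROR_SUCCESS, ERROR_MORE_DATA = 0, 234
RM_FORCE_SHUTDOWN = 0x1                 # RmForceShutdown flag for RmShutdown
CCH_RM_SESSION_KEY, CCH_RM_MAX_APP_NAME, CCH_RM_MAX_SVC_NAME = 32, 255, 63
RM_APP_TYPES = {0: "Unknown", 1: "MainWindow", 2: "OtherWindow", 3: "Service",
                4: "Explorer", 5: "Console", 1000: "Critical"}


class FILETIME(ctypes.Structure):
    _fields_ = [("dwLowDateTime", ctypes.c_uint32), ("dwHighDateTime", ctypes.c_uint32)]


class RM_UNIQUE_PROCESS(ctypes.Structure):
    _fields_ = [("dwProcessId", ctypes.c_uint32), ("ProcessStartTime", FILETIME)]


class RM_PROCESS_INFO(ctypes.Structure):          # layout per RestartManager.h
    _fields_ = [("Process", RM_UNIQUE_PROCESS),
                ("strAppName", ctypes.c_wchar * (CCH_RM_MAX_APP_NAME + 1)),
                ("strServiceShortName", ctypes.c_wchar * (CCH_RM_MAX_SVC_NAME + 1)),
                ("ApplicationType", ctypes.c_int),
                ("AppStatus", ctypes.c_uint32),
                ("TSSessionId", ctypes.c_uint32),
                ("bRestartable", ctypes.c_int)]


def load_restart_manager():
    """Bind rstrtmgr.dll with explicit prototypes (Windows only)."""
    if sys.platform != "win32":
        raise OSError("the Restart Manager exists only on Windows")
    rm = ctypes.WinDLL("rstrtmgr")
    u32, p = ctypes.c_uint32, ctypes.POINTER
    rm.RmStartSession.argtypes = [p(u32), u32, p(ctypes.c_wchar)]
    rm.RmRegisterResources.argtypes = [u32, ctypes.c_uint, p(ctypes.c_wchar_p),
                                       ctypes.c_uint, p(RM_UNIQUE_PROCESS),
                                       ctypes.c_uint, p(ctypes.c_wchar_p)]
    rm.RmGetList.argtypes = [u32, p(ctypes.c_uint), p(ctypes.c_uint),
                             p(RM_PROCESS_INFO), p(u32)]
    rm.RmShutdown.argtypes = [u32, ctypes.c_ulong, ctypes.c_void_p]
    rm.RmEndSession.argtypes = [u32]
    return rm


def processes_locking(paths, rm=None, force_close=False):
    """Return [{pid, app, type, restartable}] for processes using any of paths.
    force_close=True additionally calls RmShutdown, which is the step that turns
    this from an installer convenience into what a ransomware encryptor does."""
    rm = rm or load_restart_manager()
    session = ctypes.c_uint32()
    key = ctypes.create_unicode_buffer(CCH_RM_SESSION_KEY + 1)
    if rm.RmStartSession(ctypes.pointer(session), 0, key) != ERROR_SUCCESS:
        raise OSError("RmStartSession failed")
    try:
        files = (ctypes.c_wchar_p * len(paths))(*paths)
        if rm.RmRegisterResources(session, len(paths), files, 0, None, 0, None) != ERROR_SUCCESS:
            raise OSError("RmRegisterResources failed")
        needed, got, reasons = ctypes.c_uint(0), ctypes.c_uint(0), ctypes.c_uint32(0)
        infos = (RM_PROCESS_INFO * 0)()
        # The first call with a zero-length buffer only reports how many entries
        # exist (ERROR_MORE_DATA); resize and retry until the snapshot is stable.
        rc = rm.RmGetList(session, ctypes.pointer(needed), ctypes.pointer(got),
                          infos, ctypes.pointer(reasons))
        while rc == ERROR_MORE_DATA:
            got = ctypes.c_uint(needed.value)
            infos = (RM_PROCESS_INFO * needed.value)()
            rc = rm.RmGetList(session, ctypes.pointer(needed), ctypes.pointer(got),
                              infos, ctypes.pointer(reasons))
        if rc != ERROR_SUCCESS:
            raise OSError(f"RmGetList failed: {rc}")
        if force_close and got.value:
            rm.RmShutdown(session, RM_FORCE_SHUTDOWN, None)   # what the encryptor does
        return [{"pid": i.Process.dwProcessId, "app": i.strAppName,
                 "type": RM_APP_TYPES.get(i.ApplicationType, str(i.ApplicationType)),
                 "restartable": bool(i.bRestartable)} for i in infos[:got.value]]
    finally:
        rm.RmEndSession(session)


if __name__ == "__main__":
    for entry in processes_locking(sys.argv[1:]):
        print(entry)
```

On a Windows host, run it with one or more paths that another program has open and it lists the owning processes by PID and application type. The defensive takeaway is the inverse of the call: a process that is neither an installer nor an updater loading RstrtMgr.dll, visible in Sysmon image-load events, is a useful hunting lead for this family of encryptors.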

Akira's ransom note includes a chilling warning, promising to sell stolen data on the dark market if negotiations fail. The gang infiltrates networks, exfiltrates data, and uses it as leverage to extract ransoms.

Cactus Ransomware Gang Targeting Italian and Danish Companies

The Cactus ransomware gang has been making headlines with attacks on Italian company Foroni SPA and Danish conglomerate Hornsyld Købmandsgaard. Cactus has been active since at least March 2023 and utilizes known vulnerabilities within VPN appliances for initial breaches.

What sets Cactus apart is that its encryptor will not run without a key that the operators hide in a file named ntuser.dat; the encryptor is deployed in encrypted form and needs that key to unpack itself, which hampers antivirus scanning and analysis. The gang demands ransoms for both decryption and the return of stolen data.

NoEscape Ransomware Gang GM&F and Mulkay Cardiology

NoEscape is a newcomer to the ransomware scene, operating as a Ransomware-as-a-Service (RaaS). The gang has attacked law firm GM&F and healthcare consultancy Mulkay Cardiology Consultant.

Victims of NoEscape are faced with encrypted files and threats to expose confidential data. Payment is demanded in exchange for a special recovery tool, with a strict deadline for compliance.

INC Ransom Ransomware Gang Targeting IT4 Solutions Robras

INC Ransom encrypts files and demands payment for decryption. It primarily targets businesses, appending the ".INC" extension to encrypted files, and its ransom message tells victims that the company's confidential data has been compromised.

Play Ransomware Gang Assaults on Global Brands

Play, a Ransomware-as-a-Service platform, has made headlines with high-profile attacks on organizations like Kikkerland Design, Markentrainer Werbeagentur, and Meroso Foods.

Play exploits vulnerabilities for initial access, disables antivirus tools, and exfiltrates data before encrypting. Victims who refuse to pay see their data published on the dark web.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).