Ransomware on the Move: Medusa, BlackSuit, Black Basta, 8Base

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

‍

Medusa

‍

The Council of Fashion Designers of America (CFDA), an influential trade association in the American fashion industry, has reportedly fallen victim to a cyberattack orchestrated by the Medusa ransomware group.  

‍

The breach involved the exfiltration of a substantial amount of sensitive data, totaling 423.3 GB, which includes confidential information such as invoices, email exchanges, vendor details, and employee records.  

‍

A portion of this data has been made public, with the attackers demanding a ransom of $100,000 by May 1st to prevent further disclosure.

‍

In addition to CFDA, other organizations have also been targeted by Medusa, including Principle Cleaning Services and the Quebec Order of Nurses (OIIQ).  

‍

Principle Cleaning Services, a prominent provider of corporate cleaning services based in London, had 220.58 GB of data compromised, with a ransom demand set at $1,000,000.  

‍

Similarly, OIIQ, a significant professional order in Quebec with nearly 72,000 members, saw 111.68 GB of sensitive information breached, with a ransom demand of $200,000.

‍

Furthermore, Ted Brown Music, a well-established family-owned music store, fell victim to Medusa's attack, with 29.4 GB of data compromised. The attackers have given Ted Brown Music a seven-day deadline to pay the ransom or risk having their information publicly disclosed.

‍

Northeast Ohio Neighborhood Health Services (NEON) was also attacked by the ransomware gang Medusa. No other information is available. NEON is a Federally Qualified Health Center (FQHC) network of community health centers dedicated to improving access to health care and reducing health disparities in Greater Cleveland.

‍

Medusa ransomware has been an active threat in the cyber landscape since its emergence in 2021, employs sophisticated tactics to infiltrate and compromise victim networks.

‍

The group utilizes techniques such as restarting infected machines in safe mode to evade detection by security software and deleting local backups to prevent recovery.  

‍

Additionally, Medusa employs a double extortion scheme, exfiltrating data before encryption, and only offering a portion of the ransom to affiliate attackers.

‍

Despite fluctuations in its activity, Medusa has targeted various industry sectors, particularly healthcare, pharmaceuticals, and public sector organizations. Their ransom demands often reach millions of dollars, tailored to the financial capabilities of the targeted organizations.

‍

Overall, the recent string of attacks highlights the growing threat posed by ransomware groups like Medusa and underscores the importance of robust cybersecurity measures for organizations across different sectors.

‍

BlackSuit

‍

The BlackSuit ransomware gang has recently launched attacks on multiple organizations, including The Post and Courier, Octapharma Plasma, UPC Technology Corporation, and Precision Pulley & Idler.  

‍

The Post and Courier, Charleston's main daily newspaper, suffered a breach resulting in the exfiltration of 500GB of internal files and subscriber data, including sensitive employee information and credit card payment details.  

‍

Initially demanding $1,750,000 in ransom, BlackSuit later offered a 50% discount if paid within 48 hours.

‍

Octapharma Plasma, a major supplier of human blood plasma for medical therapies, also fell victim to BlackSuit's attack, forcing the closure of over 150 of its centers.  

‍

Similarly, UPC Technology Corporation, a chemical company under the MiTAC-Synnex Group, was targeted, although details of the attack remain undisclosed. Additionally, Precision Pulley & Idler, a leading provider of conveying components, was attacked, but specific information about the incident is yet to be revealed.

‍

BlackSuit is a newly emerged ransomware group exhibiting similarities to the Royal ransomware gang, known for its association with the Conti operation.  

‍

BlackSuit targets both Windows and Linux systems, with significant overlap in functionality and code structure with Royal. While utilizing similar encryption techniques and ransomware notes, BlackSuit employs additional command line arguments and extension naming conventions.

‍

The group employs a double extortion model, threatening to leak stolen information in addition to encrypting files unless a ransom is paid. BlackSuit's attacks underscore the evolving threat landscape of ransomware, where organizations face not only data encryption but also the risk of sensitive information exposure.

‍

The similarities between BlackSuit and Royal, as noted by researchers, suggest a potential connection between the two groups, highlighting the persistence and adaptability of cybercriminal operations.  

‍

As organizations strive to enhance their cybersecurity posture, understanding the tactics and techniques employed by ransomware groups like BlackSuit is crucial in mitigating the risk of successful attacks and minimizing their impact.

‍

Black Basta

‍

The Black Basta ransomware group has conducted targeted attacks on various organizations, including Doyon, Hymer, and Fluent Home. Doyon, a drilling company operating in Alaska's extreme conditions, had 700GB of data compromised.  

‍

Similarly, Hymer, one of Europe's largest motorhome manufacturers, was also targeted, though details are undisclosed. Fluent Home, a smart home alarm system provider, also fell victim to Black Basta's attack.

‍

Black Basta, emerging in early 2022, is believed to be connected to the disbanded Conti and REvil groups. Known for exfiltrating sensitive data and employing a double extortion scheme, Black Basta has become one of the most prolific ransomware groups, with reported revenues exceeding $107 million in under two years.  

‍

The group targets various sectors, including manufacturing, transportation, construction, telecommunications, automotive, and healthcare, exploiting vulnerabilities in VMware ESXi and insecure Remote Desktop Protocol (RDP) deployments.

‍

Using a ransomware payload that can infect both Windows and Linux systems, Black Basta encrypts data with ChaCha20 and RSA-4096 for rapid network-wide encryption. It also utilizes malware strains like Qakbot and exploits such as PrintNightmare during infections.  

‍

With a reputation for leveraging unique tactics, techniques, and procedures (TTPs) for ingress and data exfiltration, Black Basta maintains an active leaks website to pressure organizations into paying ransom demands, which can reach as high as $2 million.

‍

8Base

‍

The 8Base ransomware group has launched attacks on Bieler+Lang GmbH and Speedy in France, compromising sensitive information such as invoices, personal data, and employment contracts.  

‍

Bieler+Lang specializes in providing rugged gas detectors for various industries, while Speedy retails automotive products and services.

‍

Emerging in March 2022, 8Base quickly rose to prominence, showing a significant increase in activity in late 2023.  

‍

The group primarily targets business services, manufacturing, and construction sectors, exhibiting sophisticated tactics reminiscent of experienced RaaS operators like Ransomhouse or the leaked Babuk builder.

‍

Utilizing data exfiltration for double extortion and advanced security evasion techniques, 8Base modifies Windows Defender Firewall for bypass.  

‍

Although their ransom demands are unclear, they prefer customized Phobos with SmokeLoader as their ransomware payload, often wiping Volume Shadow Copies (VSS) to prevent file recovery.

‍

While 8Base focuses on Windows systems, it does not maintain a RaaS program openly. Instead, it operates opportunistically, targeting victims from various sectors, including manufacturing, financial, and information technology.  

‍

The group emphasizes "name and shame" tactics through their leaks site to coerce ransom payments from victims.

‍

‍

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.