Ransomware on the Move: Medusa, Play, RansomHub, Qilin

Date: October 2, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's a detailed look at the most prolific ransomware groups of the week: Medusa, Play, RansomHub, and Qilin.

The week of September 16–22 saw an increase in ransomware activity, with high-profile incidents affecting organizations across sectors like manufacturing, business services, and hospitality.  

During this period, four ransomware groups dominated the landscape:

  • Medusa focused on the business services sector, with significant breaches at companies such as Solar Foundation and Altisource Portfolio Solutions.
  • Play ransomware expanded its reach into the manufacturing sector, impacting companies like Beaulieu International Group and LEDvance.  
  • RansomHub maintained its focus on business services and hospitality, with notable attacks on PlumbersStock and Liberty First Credit Union.  
  • Qilin, known for its sophisticated Rust-based malware, targeted diverse industries, including the hospitality sector, with key incidents involving 8010 Urban Living and Faith Family Church.

Medusa

Medusa, a ransomware group that emerged in late 2022, has gained significant attention for its well-executed ransomware attacks across multiple industries. As a RaaS platform, Medusa allows affiliates to launch cyberattacks on a global scale, increasing both its operational reach and impact.  

The group is particularly notorious for its aggressive tactics, where it not only encrypts data but also exfiltrates large amounts of sensitive information, amplifying the pressure on victims to pay ransom.  

Medusa primarily targets sectors like education, healthcare, and government, focusing on organizations in the U.S. and Europe. Their capacity to disable recovery systems makes them a persistent threat.

Medusa's most recent incidents highlight its focus on exfiltrating significant amounts of critical data. One such breach targeted Structural Concepts Corporation, a Michigan-based company specializing in food display solutions.  

Medusa exfiltrated 603.1 GB of proprietary designs, financial records, and customer information, putting the company's operations and reputation at risk. Structural Concepts, with annual revenue of around $146.6 million, now faces severe financial and legal challenges.  

Another victim, Fritzøe Engros AS, a Norwegian distributor of wood-based products, experienced the exfiltration of approximately 600 GB of customer contracts and internal business data, which could damage its relationships with clients. Fritzøe Engros, with an estimated $20 million in annual revenue, now contends with the fallout of this breach.

Significant Attacks:

  • Compass Group Australia, the largest food and support service company, was breached by Medusa, which exfiltrated 785.5 GB of organizational data. The group mocked the company's cybersecurity measures, specifically highlighting the use of CrowdStrike Falcon EDR, by taking screenshots of the compromised domain controller. This incident demonstrates that even organizations with advanced security measures remain vulnerable to sophisticated ransomware groups.
  • Providence Public Schools, a large U.S. urban school district, fell victim to Medusa, with the group stealing 201.4 GB of financial records, correspondence, and personally identifiable information (PII) of students and staff. Medusa demanded a $1,000,000 ransom and threatened to release the data if the demand wasn't met by September 25, 2024.
  • AZPIRED, a business process outsourcing company based in the Philippines, was also attacked by Medusa, resulting in the theft of 205.7 GB of accounting records and employee personal information. The group demanded $100,000, threatening further exposure of the sensitive data if their ransom was not paid.

Play

Play, also known as PlayCrypt, has expanded its reach since its emergence in June 2022, spreading across regions such as North America, Latin America, Europe, and South America.  

As a RaaS operation, Play empowers affiliates to conduct ransomware attacks using its sophisticated tools, often targeting critical infrastructure in industries such as IT, transportation, and construction.

Play ransomware is notorious for exploiting vulnerabilities in Microsoft Exchange, RDP servers, and FortiOS, often using tools like Mimikatz to escalate privileges. The group is also known to disable security systems, ensuring control over compromised networks.

This week, Play executed a significant attack on Noble Environmental, an environmental services company in Pittsburgh, exfiltrating 500 GB of payroll records, financial information, and other operational data. Noble Environmental, which generates annual revenues between $10 million and $25 million, now faces legal and operational repercussions.  

Another major incident involved Multidata, a property management software provider, where Play ransomware stole 450 GB of business data, including client records and payroll information, exposing the company to significant risks.

Significant Attacks:

  • Pacific Coast Building Products, a leader in the building materials sector, was hit by Play ransomware, resulting in the theft of payroll records, financial statements, and client contracts. This breach led to severe operational disruptions.
  • Thompson Construction Supply, another prominent player in the construction materials industry, also experienced a Play ransomware attack, with the exfiltration of internal financial records and personal employee data, creating additional security and operational risks for the company.

RansomHub

RansomHub, a ransomware group that surfaced in February 2024, has quickly established itself as a significant player in the ransomware ecosystem. The group operates as a RaaS platform, allowing affiliates to use its tools for launching cyberattacks, particularly targeting industries like healthcare, financial services, and government.  

RansomHub is known for its rapid encryption processes and modular ransomware architecture, which allows the group to quickly encrypt large datasets while evading detection.

Recent incidents highlight RansomHub's focus on exfiltrating critical data. Liberty First Credit Union, one of the largest credit unions in Nebraska, USA, fell victim to an attack in which 254 GB of sensitive data, including client databases, passports, and financial records, were exfiltrated. The group has imposed a ransom deadline of September 29, 2024.  

Similarly, RAR Holding, a UAE-based manufacturer of paints and coatings, faced a breach in which 62 GB of internal data was stolen. RAR Holding, a diversified entity operating across multiple sectors, now faces significant operational and reputational risks due to the compromise.

Significant Attacks:

  • TopDoctors.com, a Spanish company offering an online platform for finding specialist doctors, booking appointments, and providing telemedicine services, was targeted by RansomHub. The attackers claim to have accessed 40 GB of sensitive data, including patient information, insurance details, and personal data from subsidiaries in countries such as Spain, Italy, Mexico, Colombia, Chile, Argentina, the UK, Saudi Arabia, and the U.S. The ransom deadline was set for September 22, 2024. However, TopDoctors denied the severity of the breach, stating that the unauthorized access was limited to a test database used for development purposes, affecting a small portion of its Latin American data.
  • Acho Software Inc, which operates under the domain Acho.io, became another victim of RansomHub. The group claimed to have breached the Germany-based data platform, releasing sensitive corporate data. Acho.io is known for providing data integration and transformation tools, allowing businesses to manage and analyze large datasets. The breach is particularly concerning given the company's role in helping enterprises streamline operations through advanced data workflows.

Qilin

Qilin, also known as Agenda, has been active since July 2022 and is recognized for its complex cyberattacks across various sectors.  

Operating as a RaaS platform, Qilin allows affiliates to carry out ransomware campaigns, and its recent adoption of Rust-based malware has made it a particularly dangerous group, capable of targeting Windows, Linux, and VMware ESXi environments.

Qilin primarily targets industries like healthcare, education, and large enterprises, and it employs double extortion tactics to maximize leverage over its victims.

Recent incidents reflect Qilin’s focus on exfiltrating critical data. One attack targeted Bertelkamp Automation, a Knoxville-based industrial automation provider. The breach exposed sensitive internal data, disrupting the company’s operations and threatening its reputation.  

Another attack hit Agricola International SA, a major Romanian agri-food company. The breach disrupted Agricola’s integrated meat production processes and exposed supply chain details, putting the company at risk of further operational and reputational damage.

Significant Attacks:

  • Woodard, Hernandez, Roth & Day, LLC, a Kansas-based law firm, suffered a breach by Qilin, which exfiltrated confidential internal documents. This attack threatens the integrity of the firm’s legal cases and client confidentiality.
  • KW Realty Group, a real estate agency under Keller Williams Realty, was targeted by Qilin, which accessed and leaked sensitive internal data. This breach highlights the vulnerabilities in the real estate sector, particularly in organizations handling large volumes of client information.

 
