Ransomware on the Move: Play, APT73, BlackSuit, Hunters International

Date: July 2, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: Play, APT73, BlackSuit, Hunters International.

During the week of June 10 to June 16, the cybersecurity landscape saw significant activity from ransomware groups targeting various organizations across multiple sectors.  

This period was marked by a series of high-profile ransomware attacks that disrupted operations and exposed sensitive data, highlighting ongoing vulnerabilities in digital defenses.  

The four most active ransomware groups this week were APT73, Play, BlackSuit, and Hunters International.

Together, these four groups account for 52.3% of the attacks registered in our database for the week. Play alone claimed 23 victims, making it the most prolific of the four.

The sectors most targeted by these ransomware groups were varied, reflecting the wide-ranging impact of these cyber-attacks. The Construction sector was the most targeted, with five incidents reported. This was followed by Business Services and Law Firms & Legal Services, each with four reported cases.  

Companies reported to have suffered ransomware attacks during this period include Amarilla Gas in the Energy sector, Mönsterås Metall AB in Manufacturing, Eagle Materials in Construction, and Walder Wyss and Partners in Law Firms & Legal Services, all of which were claimed by Play.

In addition, APT73 listed Great Lakes International Trading, BlackSuit attacked Western Mechanical, and Hunters International breached AlphaNovaCapital.

Play

The Play ransomware group (also tracked as Playcrypt) first appeared in mid-2022 and has grown into one of the most active extortion operations. It runs as a closed group rather than a ransomware-as-a-service, and its attacks to date have targeted Windows environments.

Play has run a double-extortion model from the start: data is exfiltrated first, then files are encrypted and given the .play extension. The locker uses intermittent encryption, encrypting only portions of each file, so that the locking phase completes quickly.

Play's ransom notes are terse, often no more than the word PLAY and a contact email address, but its tooling is not: the group has used AnyDesk for remote access, NetCat, and encoded PowerShell Empire scripts among other hack tools and utilities, and its tradecraft continues to evolve.

During the week of June 10-16, Play ransomware was responsible for several high-profile attacks, compromising various types of sensitive data across different sectors. The total amount of data exfiltrated varied by target but typically included private and personal confidential information such as client documents, budgets, payroll records, accounting details, contracts, taxes, IDs, and financial information.  

For instance, the attack on Amarilla Gas in Argentina exposed extensive operational data, including budget and payroll details. Another notable example is Refcio & Associates, a law firm in Canada, which had significant amounts of legal and financial information compromised.  

The scale of these breaches, which hit mid-sized companies such as Amarilla Gas and Celluphone as well as smaller firms like Me Too Shoes with $9 million in revenue, underscores how widely exposed organizations are across industries.

Significant Attacks:

  • The Play ransomware group launched a significant attack on Amarilla Gas, an Argentine-owned company in the country’s oil and gas industry. The attack compromised private and personal confidential data, client documents, budget, payroll, accounting, contracts, taxes, IDs, and financial information. Amarilla Gas, established in 1962 and known for its extensive LPG distribution systems, serves over 900,000 households and around 3,500 businesses. The breach exposed significant gaps in the company's cybersecurity measures and poses operational and reputational risk.
  • The Play ransomware group also targeted Celluphone, Inc., a wholesale distributor of wireless equipment based in Cerritos, California. The attack resulted in the compromise of sensitive data, including private and personal confidential information, client documents, budget details, payroll records, accounting data, contracts, tax information, IDs, and financial records. Founded in 1983 and with an annual revenue of $145.5 million, Celluphone supports several hundred active dealers across the United States. This incident underscores the critical need for robust cybersecurity in companies handling vast amounts of sensitive data.
  • Me Too Shoes, a comfort fashion footwear company headquartered in New York City, fell victim to an attack by the Play ransomware group. The breach compromised private and personal confidential data, including client documents, budget, payroll, accounting, contracts, taxes, IDs, and financial information. Established in 1996, Me Too Shoes is a prominent player in the comfort fashion market with a significant global presence. This attack highlights the vulnerabilities faced by small to medium-sized enterprises and the potential impact on their operations and reputation.

APT73

APT73, a newly emerged ransomware group, has rapidly positioned itself as a significant threat. The group, which surfaced in December 2023, models itself on the notorious LockBit operation: its Tor-based data leak site (DLS), named "ERALEIGNEWS," imitates LockBit's.  

APT73 primarily gains initial access through phishing, then deploys its ransomware on the compromised systems. Parts of its operation are amateurish, for example the DLS has no active mirrors, but its ability to exfiltrate data and threaten to leak it is what makes it a real risk to the organizations it targets.

APT73’s modus operandi includes the theft and subsequent threat of leaking sensitive organizational data. The group’s attacks have led to the exfiltration of substantial amounts of critical data, posing severe risks to the affected organizations.  

For instance, in an attack on Gannons Solicitors, a UK-based commercial law firm, APT73 managed to exfiltrate 2.3MB of documentation and agreements, which includes sensitive legal documents and client information. Similarly, Borrer Executive Search, a boutique executive search firm in Switzerland, faced a breach where 2.5MB of internal documents and agreements were compromised.  

The firms named this week are small but operate in lucrative niches. Gannons Solicitors is a boutique law practice serving a niche market; Borrer Executive Search makes global placements and, like most firms in that market, charges premium fees; AlphaNovaCapital manages global alternative investments; and Apex Engineering Services provides engineering solutions for major construction projects.

Significant Attacks:

  • Gannons Solicitors, established in 2014, fell victim to a ransomware attack orchestrated by APT73 in June 2024. This boutique law firm in London, known for providing specialized legal services to private companies, entrepreneurs, and investors, faces the threat of having 2.3MB of sensitive documentation and agreements released if the attackers' demands are not met by June 25, 2024. The compromised data includes sensitive legal documents and client information, posing significant risks to the firm's reputation and client trust.
  • AlphaNovaCapital, a boutique investment firm specializing in global alternative investments, was targeted by APT73 in a sophisticated cyber attack. Licensed by the Securities and Futures Commission of Hong Kong, the firm provides investment management and advisory services to high-net-worth individuals, institutional investors, and corporate clients. APT73 exfiltrated 272KB of sensitive documents and agreements from AlphaNovaCapital, which were later leaked on their dark web site, ERALEIGNEWS. The attack highlights the vulnerabilities of financial institutions to advanced cyber threats.
  • Apex Engineering Services, a UK-based company, experienced a severe data breach executed by APT73. Specializing in comprehensive engineering solutions across various industries, the company employs a team of seasoned freelance engineers and specialist contractors. The attack resulted in the exfiltration of 26MB of sensitive data, including passwords and internal files. A sample of the stolen data was leaked, underscoring the breach's severity and the company's cybersecurity vulnerabilities.

BlackSuit

BlackSuit, a newly emerged ransomware group, has rapidly positioned itself as a significant threat within the cyber landscape. This group, which surfaced in 2023, mirrors the operational strategies of the notorious Royal ransomware variant, particularly in its ability to target both Windows and Linux systems, including VMware ESXi servers.  

BlackSuit appends the .blacksuit extension to encrypted files and leaves a ransom note directing victims to a Tor chat site. Code analysis found a 98% overlap in functions and 99.5% in code blocks between BlackSuit and Royal, which suggests it is a variant developed by the same authors, a copycat, or an affiliate. Like Royal, BlackSuit exfiltrates data and threatens to leak it, so the impact on a victim is not limited to encryption.
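The one concrete indicator this page gives for BlackSuit (and, by public reporting, for Play) is the suffix the locker appends to every encrypted file, which is also one of the cheapest things to detect: a single process renaming many files to one new extension in a few seconds. The script below is an added example written for this page, not Halcyon's tooling or any vendor's code. It parses a constructed file-creation log (one event per line, roughly a flattened Sysmon Event ID 11 export, a format assumed here), flags known suffixes (".blacksuit" from the text above; ".play" is the extension public advisories attribute to Play and is not stated on this page), and generalizes with a heuristic for any document file that has gained an unknown trailing suffix, so a rebranded locker with a new extension still trips the burst rule. All process names, paths and the ".locked" suffix in the sample are invented.

```python
"""Flag ransomware-style mass renames in file-creation logs (added example).

Constructed log format, one FileCreate event per line:
    <ISO-8601 timestamp> pid=<pid> image=<process image> target=<file path>
".blacksuit" is the suffix named on this page; ".play" is an assumption taken
from public advisories on Play. Sample paths and process names are invented.
"""
import re
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Suffixes tied to a family (".play" is an assumption, see module docstring).
KNOWN_RANSOM_EXTENSIONS = {".blacksuit": "BlackSuit", ".play": "Play"}
# Original extensions a locker keeps in front of its own suffix
# (budget.xlsx -> budget.xlsx.blacksuit); drives the generic heuristic.
DOCUMENT_EXTENSIONS = {"docx", "xlsx", "pptx", "pdf", "txt", "csv", "jpg", "sql", "mdf"}
# Double extensions that are normal and must not trip the generic rule.
BENIGN_SUFFIXES = {".gz", ".zip", ".7z", ".tmp", ".lnk", ".bak"}

BURST_THRESHOLD = 5                   # events with one suffix from one pid ...
BURST_WINDOW = timedelta(seconds=10)  # ... inside this sliding window

LINE_RE = re.compile(
    r"^(?P<ts>\S+) pid=(?P<pid>\d+) image=(?P<image>.+?) target=(?P<target>.+)$"
)


@dataclass
class Event:
    ts: datetime
    pid: int
    image: str
    target: str


def parse_line(line: str):
    """Parse one log line; return None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return Event(datetime.fromisoformat(m["ts"]), int(m["pid"]), m["image"], m["target"])


def appended_extension(path: str):
    """Return the suspicious trailing suffix of a file name, or None.

    Matches a known ransomware suffix outright, or, generically, a document
    file that has gained an extra unknown suffix (report.docx.locked).
    """
    name = re.split(r"[\\/]", path)[-1].lower()
    parts = name.split(".")
    if len(parts) < 2:
        return None
    last = "." + parts[-1]
    if last in KNOWN_RANSOM_EXTENSIONS:
        return last
    if len(parts) >= 3 and parts[-2] in DOCUMENT_EXTENSIONS and last not in BENIGN_SUFFIXES:
        return last
    return None


def detect(lines, threshold=BURST_THRESHOLD, window=BURST_WINDOW):
    """One finding per (pid, suffix) that produced >= threshold renames within window.

    After a key trips, its finding keeps counting later events so the analyst
    sees the full extent of the rename burst, not just the first five files.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e.ts)
    recent = defaultdict(deque)  # (pid, suffix) -> timestamps still inside the window
    findings = {}                # (pid, suffix) -> finding dict, created when it trips
    for e in events:
        suffix = appended_extension(e.target)
        if suffix is None:
            continue
        key = (e.pid, suffix)
        q = recent[key]
        q.append(e.ts)
        while e.ts - q[0] > window:  # q is never empty here: e.ts was just appended
            q.popleft()
        if key in findings:
            findings[key]["count"] += 1
            findings[key]["last"] = e.ts
        elif len(q) >= threshold:
            findings[key] = {
                "family": KNOWN_RANSOM_EXTENSIONS.get(suffix, "unknown"),
                "pid": e.pid, "image": e.image, "extension": suffix,
                "count": len(q), "first": q[0], "last": e.ts,
            }
    return list(findings.values())


# Constructed sample: a BlackSuit-style burst, benign double extensions that must
# not alert, and a burst with an invented ".locked" suffix for the generic rule.
SAMPLE_LOG = r"""
2024-06-12T09:14:01 pid=4412 image=C:\Windows\System32\svchost.exe target=C:\Users\jdoe\AppData\Local\Temp\cache.tmp
2024-06-12T09:14:02 pid=7720 image=C:\Users\Public\locker.exe target=C:\Finance\budget_2024.xlsx.blacksuit
2024-06-12T09:14:02 pid=7720 image=C:\Users\Public\locker.exe target=C:\Finance\payroll.xlsx.blacksuit
2024-06-12T09:14:03 pid=7720 image=C:\Users\Public\locker.exe target=C:\Finance\contracts\msa.docx.blacksuit
2024-06-12T09:14:03 pid=7720 image=C:\Users\Public\locker.exe target=C:\Finance\taxes\fy2023.pdf.blacksuit
2024-06-12T09:14:04 pid=7720 image=C:\Users\Public\locker.exe target=C:\Finance\ids\passport_scan.jpg.blacksuit
2024-06-12T09:20:10 pid=3100 image=C:\Program Files\7-Zip\7z.exe target=C:\Backups\archive.tar.gz
2024-06-12T09:21:00 pid=5150 image=C:\Windows\explorer.exe target=C:\Users\jdoe\meeting.notes.txt
2024-06-12T09:30:00 pid=8800 image=C:\ProgramData\enc.exe target=C:\Shares\Public\yearbook_2019.pdf.locked
2024-06-12T09:30:01 pid=8800 image=C:\ProgramData\enc.exe target=C:\Shares\Staff\grades.xlsx.locked
2024-06-12T09:30:02 pid=8800 image=C:\ProgramData\enc.exe target=C:\Shares\Staff\roster.csv.locked
2024-06-12T09:30:03 pid=8800 image=C:\ProgramData\enc.exe target=C:\Shares\Students\project.docx.locked
2024-06-12T09:30:04 pid=8800 image=C:\ProgramData\enc.exe target=C:\Shares\Students\photo01.jpg.locked
2024-06-12T09:30:05 pid=8800 image=C:\ProgramData\enc.exe target=C:\Shares\Students\photo02.jpg.locked
"""


def detect_sample():
    """Run the detector over the constructed sample log."""
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for f in detect_sample():
        print(f"{f['family']:10} pid={f['pid']} {f['image']} {f['extension']} "
              f"x{f['count']} {f['first'].isoformat()} .. {f['last'].isoformat()}")
```

The window and threshold are deliberately low so the logic is visible in a dozen lines of log; in production you would tune them per host class, and a single hit on a known suffix such as .blacksuit deserves an alert on its own regardless of rate. The generic rule exists because a rebrand or copycat (the page notes BlackSuit itself is near-identical to Royal) changes the suffix long before it changes the behaviour.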

BlackSuit’s modus operandi includes the theft and subsequent threat of leaking sensitive organizational data. The group’s attacks have led to the exfiltration of substantial amounts of critical data, posing severe risks to the affected organizations.  

For instance, in an attack on Peregrine Petroleum, a Dallas-based oil and gas company, BlackSuit exfiltrated 202 gigabytes of data, including 178 gigabytes from operational directories and 24 gigabytes from a private SQL database. Similarly, the Colfax School District in Wisconsin faced a breach in which extensive educational resources and sensitive student information were compromised.  

Significant Attacks:

  • The BlackSuit ransomware group launched a significant attack on Peregrine Petroleum, an oil and gas company headquartered in Dallas, Texas. The cybercriminals infiltrated the company’s network and exfiltrated 202 gigabytes of data, which included 178 gigabytes from operational directories and 24 gigabytes from a private SQL database. The compromised data encompassed sensitive folders related to acquisitions, budget planning, accounting records, and employee files. This breach not only exposed crucial administrative and financial information but also highlighted the vulnerabilities in Peregrine Petroleum’s cybersecurity measures. With an annual revenue of approximately $17 million, this attack demonstrates the potential financial and operational disruption caused by ransomware groups like BlackSuit.
  • The Colfax School District in Wisconsin fell victim to a significant attack by the BlackSuit ransomware group. BlackSuit accessed the district’s internal network drives, exfiltrating data from directories labeled Public, Staff, and Students. The stolen data included a wide array of educational and administrative resources, such as yearbooks, research projects, and photos. This attack underscores the vulnerability of educational institutions to ransomware threats and the potential risks to sensitive student and staff information. The Colfax School District, which serves around 334 students, faced substantial concerns regarding data security and the continuity of its educational operations. This incident highlights the broader implications of ransomware attacks on the educational sector, affecting not just financial stability but also the integrity of the learning environment.

Hunters International

Hunters International surfaced in late 2023, after the January 2023 disruption of the Hive ransomware operation, and has already been responsible for multiple high-profile incidents. Its encryptor is a modified, simplified version of Hive's, and while the group still encrypts victims' files (Harper Industries, below, was both encrypted and exfiltrated), its leverage rests primarily on data theft rather than on encryption.  

The group targets a wide range of sectors, including healthcare, automotive, manufacturing, logistics, financial, educational, and food industries. With operations linked to Nigeria through domain registrations and email addresses, Hunters International has emerged as a significant threat in the cyber landscape.

This week’s targets include Legrand CRM Pty Ltd, Manufacturing Resources International, Inc. (MRI), and Harper Industries, each listed with victim details on the group’s dark web leak site. Hunters International’s operations resemble those of Hive, REvil, and LockBit, but with a distinct emphasis on data exfiltration.

The attacks carried out by Hunters International in the past week have led to the exfiltration of large volumes of sensitive data, including financial documents, IT data, project information, and operational data. The total amount of exfiltrated data across all reported attacks is significant, impacting the operational capabilities of the affected organizations.  

Legrand CRM Pty Ltd, a Sydney-based CRM solutions provider, suffered a data breach involving a minor amount of stolen data, some of which belonged to other businesses. Manufacturing Resources International, Inc., an Atlanta-based manufacturer of digital LCD displays, reported the theft of extensive financial and project-related data. Harper Industries, a Kansas-based manufacturer, experienced both data exfiltration and encryption, severely disrupting its operations.

Significant Attacks:

  • Legrand CRM Pty Ltd, a small Sydney-based provider of CRM solutions, was listed by Hunters International, whose claims outran the evidence: only a minor amount of data was taken, and some of the files belonged to other businesses. Legrand CRM, with revenue of less than $750k and a small team, pointed out inaccuracies in the threat group’s listing, which suggests either a deliberate attempt to inflate the attack’s significance or confusion with the much larger electrical distributor Legrand Australia.
  • Manufacturing Resources International, Inc. (MRI), an Atlanta-based manufacturer of high-performance digital LCD displays, faced a significant data breach. Hunters International exfiltrated sensitive financial documents, IT data, and project information, affecting MRI's operational integrity and exposing confidential business details. With a revenue of $25 million and a workforce of 392 employees, MRI's breach exemplifies the extensive reach and disruptive potential of Hunters International's operations.
  • Harper Industries, a Kansas-based manufacturer known for its high-quality agricultural, hydraulics, and landscaping equipment, reported a severe breach involving both data exfiltration and encryption. The attack significantly impacted the company's operations, disrupting its production processes and compromising sensitive business information. With an annual revenue of around $20.7 million, Harper Industries faced considerable operational and reputational damage.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.