Ransomware on the Move: Play, BlackByte, NoEscape, INC, ALPHV


September 26, 2023

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

The BlackByte Ransomware Gang Targets Hoteles Xcaret: In the idyllic beaches of the Riviera Maya, Mexico, Hoteles Xcaret, a beacon of eco-friendly luxury, found itself under siege by the BlackByte ransomware gang. These digital marauders, known for their double-extortion tactics, struck in July 2021, leaving victims in desperate need of decryption assistance. However, early on, they made a critical mistake, using the same encryption key in every campaign, leading researchers to create a decrypter.

But the hackers weren't about to give up. In February 2022, they shifted to GoLang, a less familiar programming language, making analysis more challenging. Their attacks may not be as high-profile as some, but they're persistent.  

Play Striking Worldwide, Evolving Swiftly: Play, a rising star in the ransomware underworld, burst onto the scene in 2022, targeting entities as diverse as the City of Oakland, Argentina's Judiciary, and German hotel chains. They specialize in evading security tools and disabling antivirus programs, using tools like Cobalt Strike for lateral movement. Play has a penchant for targeting Latin America, especially Brazil, but their reach extends beyond.

Their tactics mirror those of Hive and Nokoyawa ransomware groups, employing double extortion to ensure compliance. And Play's evolution continues, with innovations like intermittent encryption for better evasion.

Snatch: Attacking from the Shadows: In the world of high-end fashion in Paris, France, ZILLI faced an unexpected foe: the Snatch ransomware gang. Snatch may have been dormant since 2018, but they re-emerged with a vengeance in 2021, evading security tools and deleting Volume Shadow Copies to prevent file recovery.

While their attack volume might not be as high as some, Snatch is steadily increasing its activity, particularly in 2023. And they keep their ransom demands relatively low.

Knight Ransomware - Stealthy and Seductive: Knight ransomware decided to put its elegant twist on the world of cybercrime by targeting Hacketts Printing Service. This Irish printing company became a victim without knowing the full details of their attackers. Knight ransomware came to life in July, offering affiliates a 'lite' version for more widespread, indiscriminate attacks.

Their modus operandi? A deceptive TripAdvisor complaint, leading to a nasty ransomware surprise. The victims are then hit with a $5,000 ransom demand.

Donut Leaks: A Sugary Surprise for Agilitas IT Solutions: Donut Leaks emerged when an employee blew the whistle on their nefarious activities. This group primarily specializes in data extortion, and Sheppard Robson disclosed that they had encountered ransomware in their recent attack. Researchers suspect ties to Ragnar Locker and Hive ransomware gangs.

BlackCat/ALPHV: Technical Prowess and Extortion Expertise: In the sunny landscape of Dubai, UAE, Al Ashram Contracting felt the sting of BlackCat/ALPHV ransomware. This group surfaced in late 2021, showcasing an impressive array of technical capabilities. They target Windows, VMWare ESXi, and Linux systems, with ransom demands ranging from hundreds of thousands to millions of dollars.

BlackCat/ALPHV uses Rust, a secure but unfamiliar programming language, and they're fond of intermittent encryption. Their targets are diverse, but they've even stooped to publishing compromising clinical photos of medical patients in some cases.

INC Ransom: A Taste for Corporate Extortion: Elemetal, once a giant in the precious metals industry, faced the INC Ransom gang. INC Ransom takes a corporate approach, encrypting files and demanding ransom payments from businesses. They're known for stealing sensitive data and giving victims a tight deadline for compliance. The ransom note claims they can restore files without loss, a promise rarely kept in the world of ransomware.

LockBit: Triple Extortion and High Ransoms: Fersan, an automotive parts supplier in Turkey, fell victim to LockBit ransomware. LockBit is a formidable force, known for its triple extortion model. Victims are often asked to buy back their own data, in addition to paying for decryption.

Cactus Ransomware - A Thorny Situation for First Line: Cactus Ransomware chose the automotive parts industry as its hunting ground, targeting First Line. They're notable for using known vulnerabilities in VPN appliances to initiate breaches. Cactus adds an extra layer of security by requiring a decryption key for ransomware execution.

Trigona Scanning and Exploiting the Vulnerable: Trigona, a relatively new entrant, started scanning for vulnerable Microsoft SQL servers in 2022. They have both Windows and Linux versions and are known for targeting various industries. While their demands remain a mystery, they've been steadily increasing their attack volume.

NoEscape - Creating Ransomware Your Way: NoEscape is a fresh face in the ransomware scene, offering a user-friendly builder interface. Their ransom demands come with threats of releasing stolen data if victims don't comply. Their reach is still expanding, and they specialize in targeting businesses.

Ragnar Locker - Disruptive and Opportunistic: Ragnar Locker set its sights on Citizen Systems Europe, a player in the printing and imaging solutions industry. They've been active since December 2019 and are known for targeting larger enterprises. Ragnar Locker demands often exceed $10 million and is infamous for data exfiltration and its "Wall of Shame" leaks site.

NoEscape Strikes Küng AG Bern: NoEscape, another emerging player in the ransomware arena, targeted Küng AG Bern in Switzerland. Their modus operandi includes encrypting files, stealing data, and demanding a ransom.

As these ransomware gangs continue to evolve and innovate, it's clear that cybercrime remains a persistent threat. Businesses and organizations must remain vigilant and prioritize robust cybersecurity measures to stay one step ahead of these digital predators.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile (PDF).