Ransomware on the Move: Play, Cactus, Qilin, Cicada 3301

Date: July 8, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:  

During the week of June 17-23, the cybersecurity landscape was significantly impacted by the activities of several prolific ransomware groups. Among them, Play, Qilin, Cactus, and Cicada 3301 stood out for their aggressive tactics and the breadth of their targets.  

These groups have been relentless in their attacks, affecting a diverse range of industries and causing widespread disruption. A total of 73 attacks have been added to our databases this week, with these four groups responsible for 30% of the registered incidents.

This week, notable ransomware groups have targeted companies across various sectors, including real estate, manufacturing, construction, and legal services. Notably, Cicada 3301 is a newly discovered threat actor for June, along with ElDorado, which emerged earlier in the month.  

Play

The Play ransomware group, discovered in 2021, has rapidly established itself as a formidable threat within the cybercrime landscape. Operated by Ransom House, Play ransomware leverages the Babuk code and targets Linux systems, including ESXi lockers.  

The group's tactics include APT-style intrusions and social engineering, using tools such as AnyDesk and NetCat to gain and expand access within compromised networks.  

Notably, Play ransomware employs detailed ransom notes titled "How To Restore Your Files.txt," which provide explicit instructions for victims, underscoring the group's methodical approach to extorting ransom payments. Their attacks are characterized by extensive data exfiltration and encryption, posing significant risks to the affected organizations.

The total combined revenue of Ladco Company Limited, Bunger Steel, Inc., ProMotion Holdings Global, Inc. (using the minimum estimate), and TPI Corporation is approximately $177 million.

Play ransomware's attacks typically involve the theft of substantial amounts of sensitive data, severely compromising the operations and integrity of the targeted organizations.  

For example, Ladco Company Limited, a diversified corporation based in Winnipeg, Canada, experienced a breach that compromised private and personal confidential data, including client documents, taxes, and identification records.

Another notable example is ProMotion Holdings Global, Inc., a communications consulting and content technology solutions provider in Seattle, Washington, which had its client documents, payroll, accounting records, and financial information compromised.

Significant Attacks:

  • TPI Corporation, a U.S.-based manufacturer specializing in heaters, fans, lights, controls, and process heat, headquartered in Johnson City, Tennessee, was targeted by the Play ransomware group. The breach, involving the theft of sensitive data such as client documents, payroll, and financial information, disrupted TPI's operations and posed severe risks to both company and client data. TPI Corporation, with annual revenues of approximately $109.3 million, faced significant operational and reputational challenges following the attack.
  • Harvey Construction Co. Inc., a New Hampshire-based construction management company, experienced a severe breach at the hands of the Play ransomware group. This attack led to the theft and encryption of critical data, including client documents, payroll, and financial records. Harvey Construction, a significant player in the New England construction sector since 1946, had its digital infrastructure and operational integrity severely compromised, highlighting potential vulnerabilities in its cybersecurity measures.

Cactus

The Cactus ransomware group, discovered in March 2023, has quickly established itself as a formidable threat in the cybersecurity landscape. Operating as a ransomware-as-a-service (RaaS), Cactus leverages vulnerabilities such as ZeroLogon (CVE-2020-1472) and utilizes malvertising lures for targeted attacks.  

The group's sophisticated tactics include the use of custom scripts to disable security tools and deploy ransomware, with a specific modus operandi of exploiting network vulnerabilities to gain domain administrator access.  

Cactus is particularly noted for its advanced encryption techniques and unique file extension modifications, marking encrypted files first with CTS0 and then with CTS1. The group targets industries indiscriminately and adds multiple administrator accounts to evade detection and maintain persistence.
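The file-name indicators described above for Cactus (the CTS0/CTS1 extensions) and for Play (the "How To Restore Your Files.txt" note), plus the pattern of multiple accounts being added to the Administrators group, can be checked with a small triage script. This is an added example, not Halcyon's tooling; the file listing and the Windows event records are constructed, and the event IDs 4720 (account created) and 4732 (member added to a local group) are standard Windows Security log IDs rather than values from this page.

```python
import re
from collections import Counter

# Indicators taken from the page: Cactus appends ".CTS0" and then ".CTS1";
# Play drops a ransom note named "How To Restore Your Files.txt".
CACTUS_EXTENSIONS = (".cts0", ".cts1")
PLAY_NOTE_NAME = "how to restore your files.txt"


def classify_path(path):
    """Return the family an indicator points at, or None (case-insensitive)."""
    name = re.split(r"[\\/]", path)[-1].lower()  # works for Windows and POSIX paths
    if name == PLAY_NOTE_NAME:
        return "Play"
    if name.endswith(CACTUS_EXTENSIONS):
        return "Cactus"
    return None


def scan_listing(paths):
    """Count indicator hits per ransomware family over a file listing."""
    hits = Counter()
    for p in paths:
        family = classify_path(p)
        if family:
            hits[family] += 1
    return dict(hits)


def suspicious_admin_additions(events, threshold=2):
    """Hosts where at least `threshold` members were added to Administrators."""
    per_host = Counter()
    for ev in events:
        if ev["id"] == 4732 and ev["group"].lower() == "administrators":
            per_host[ev["host"]] += 1
    return sorted(host for host, n in per_host.items() if n >= threshold)


# Constructed sample input (hypothetical paths and hosts, not from the page).
SAMPLE_PATHS = [
    r"C:\Shares\Finance\budget.xlsx.CTS0",
    r"C:\Shares\Finance\payroll.docx.CTS1",
    r"C:\Shares\HR\contracts.pdf.CTS1",
    r"C:\Shares\HR\readme.txt",
    r"C:\Users\Public\How To Restore Your Files.txt",
]
SAMPLE_EVENTS = [
    {"host": "fs01", "id": 4720, "group": "", "member": "svc_tmp1"},
    {"host": "fs01", "id": 4732, "group": "Administrators", "member": "svc_tmp1"},
    {"host": "fs01", "id": 4732, "group": "Administrators", "member": "svc_tmp2"},
    {"host": "ws07", "id": 4732, "group": "Administrators", "member": "helpdesk"},
]
```

Running `scan_listing(SAMPLE_PATHS)` reports three Cactus-marked files and one Play note, and `suspicious_admin_additions(SAMPLE_EVENTS)` flags only `fs01`, where two accounts were added to Administrators.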

Cactus ransomware's attacks typically involve the theft of substantial amounts of sensitive data, posing severe risks to the affected organizations. For example, Millimages, an independent animation studio with a revenue of $12.6 million, experienced an exfiltration of 147GB of data.  

The compromised information includes personal identifiable information, corporate confidential agreements, financial documents, personnel data, and corporate correspondence. These incidents underscore the group's capability to significantly disrupt operations and compromise critical data integrity.

Significant Attacks

  • Deskcenter AG, an innovative German software manufacturer specializing in IT Asset and Lifecycle Management, was targeted by Cactus on June 20, 2024. The attack led to the exfiltration of employees' personal and corporate data, financial documents, customer information, and database backups. Deskcenter AG, generating $25.9 million in revenue, now faces significant challenges in addressing the repercussions of this breach, which underscores the vulnerabilities inherent in IT management sectors.
  • Hundhausen, a German construction company with a revenue of $150 million, experienced a significant data breach at the hands of Cactus. The attack, which took place on June 18, 2024, resulted in the exfiltration of 650GB of sensitive data, including corporate confidential information, project details, financial documents, and payrolls. This incident highlights potential vulnerabilities in Hundhausen’s cybersecurity measures, given their extensive digital and operational assets.
  • Suminoe Textile of America Corporation (STA), a leading supplier of quality textile products for the North American automotive market with a revenue of $71.3 million, was also targeted by Cactus. The attack on June 19, 2024, resulted in the exposure of 278GB of sensitive data, encompassing personal identification documents, corporate data, financial documents, supplier and customer information, and employee personal data. This breach poses severe reputational and operational risks for STA, emphasizing the group's capacity to exploit significant digital footprints.

Qilin

The Qilin ransomware group, also known as Agenda, emerged in 2022 and has quickly become a significant player in the ransomware-as-a-service (RaaS) ecosystem. Qilin targets critical infrastructure and essential services globally, including healthcare and education sectors.  

Their attacks are customized for each victim, with ransomware written in Rust and Go, which enhances their ability to evade detection and complicates decryption efforts. The group's tactics include double extortion, where they not only encrypt a victim’s data but also exfiltrate it, threatening to release the data unless a ransom is paid.  

Qilin employs phishing emails with malicious links to gain initial access and then moves laterally across the victim's network to identify and encrypt critical data. The group is notable for its extensive reach, having targeted organizations in the United States, Australia, Brazil, and several European countries, and offers affiliates up to 85% of the ransom, making it an attractive option for cybercriminals.

Qilin ransomware's attacks typically involve the theft of substantial amounts of sensitive data, posing severe risks to the affected organizations. For example, Ashtons Legal LLP, a full-service law firm in the UK, experienced an attack where the exact size of the data breach remains unclear, but it significantly disrupted the firm's operations and website functionality.  

Similarly, Wise Construction, a mid-sized company with an annual revenue of approximately $50 million, faced a breach that led to the publication of stolen data samples on the dark web. These incidents underscore the group's capability to significantly disrupt operations and compromise critical data integrity across various sectors.

Significant Attacks

  • Ashtons Legal LLP, a prestigious law firm headquartered in Bury St Edmunds, England, with additional offices in Cambridge, Ipswich, Norwich, and Leeds, fell victim to a Qilin ransomware attack. The breach severely impacted the firm's operations, encrypting critical data and affecting their website. Ashtons Legal LLP, known for its comprehensive legal services, faced considerable operational challenges due to this incident, which highlights the vulnerabilities in the legal sector's cybersecurity defenses.
  • Wise Construction, a well-established construction firm with a revenue of $50 million and employing over 200 professionals, was targeted by Qilin. The attack, discovered when stolen data samples were published on the dark web, led to the exfiltration of sensitive corporate and project data. Wise Construction specializes in commercial, residential, and industrial projects, and this breach exposed critical information, underscoring the significant risks faced by construction firms in the digital age.
  • Next Step Healthcare, operating nursing and rehabilitation facilities across Massachusetts, New Hampshire, and Maine, experienced a Qilin ransomware attack that resulted in threats to publicly release sensitive data unless a ransom was paid. This incident, targeting a company with a revenue of $71.3 million, showcased the group's ability to exploit vulnerabilities in the healthcare sector, which often handles extensive and sensitive data.

Cicada 3301

The Cicada 3301 ransomware group, discovered in June 2024, has quickly emerged as a significant threat in the cybersecurity landscape. Known for its sophisticated attack methods, Cicada 3301 targets vulnerabilities within network infrastructures to execute high-profile ransomware attacks.  

While the exact details of their operations are still under investigation and somewhat speculative based on patterns observed in similar groups, initial reports suggest the use of advanced techniques such as deep reconnaissance and exploitation of unpatched systems.  

To clarify, the name “Cicada 3301” was originally associated with an online puzzle that gained notoriety between 2012 and 2014. However, the name has since been appropriated by a separate and unrelated ransomware group, which has been the focus of recent reports, including ours.

Halcyon fully respects the legacy of the original “Cicada 3301” organization and recognizes their distinction from the activities of the ransomware group using the same name. Our reporting on the ransomware group is consistent with fair use, aiming to inform the public about cybersecurity threats. For those interested in the original “Cicada 3301” and their official stance on this matter, we encourage you to visit their statement here.

We appreciate your understanding as we strive to maintain clarity and accuracy in our reporting.

Cicada's modus operandi likely involves custom scripts to infiltrate networks, exfiltrate sensitive data, and deploy ransomware. Their attacks are characterized by precision and the substantial amounts of data exfiltrated, posing severe risks to the targeted organizations.  

Ongoing investigations will be detailed in our Emerging Threat Actors in Ransomware series, providing further insights into their methods and impacts.

Cicada 3301's attacks typically involve the theft of large volumes of sensitive data, significantly impacting the affected organizations. For instance, ASST Rhodense, a healthcare organization in Lombardy, Italy, experienced the exfiltration of 1TB of data.  

Basement Systems, Inc., a company specializing in basement waterproofing and foundation repair in the United States, had 739 GB of data stolen, affecting proprietary business information and customer data. These incidents highlight Cicada's capability to disrupt operations and compromise critical data integrity.

Significant Attacks

  • Basement Systems, Inc., a leading company in basement waterproofing and foundation repair headquartered in Seymour, Connecticut, faced an attack on June 18, 2024. The breach resulted in the theft of 739 GB of data, including proprietary business information and customer data. This incident significantly impacted the company’s operations, highlighting vulnerabilities in their cybersecurity measures. Basement Systems, with an annual revenue of $125 million, now faces substantial challenges in recovering from this breach.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.