Ransomware on the Move: Play, Hunters, BlackSuit, Cactus, RansomHub


May 14, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:


Play

Yale Mortgage Funding LLC, a significant mortgage lender from Miami Beach, Florida, recently became a victim of a ransomware attack by the cybercriminal group Play. The breach was publicized on Play's dark web leak site, exposing serious vulnerabilities in Yale's digital security.

Founded in 1992, Yale Mortgage specializes in hard equity loans without requiring income or credit verification, making it Florida's largest direct hard equity lender. This breach compromised a vast array of sensitive data, including client documents, financial records, and personal identification details.

Play also targeted Toolmarts, a prominent home improvement retailer based in Escondido, California. Established in 1986, Toolmarts provides professional-grade tools from leading brands and serves North American craftsmen.  

Their breach, similarly announced on Play's dark web site, involved sensitive data such as payroll and accounting records. With $17.6 million in annual revenue and around 28 employees, this attack impacts both the company's operational security and its reputation.

Another victim of Play's attacks is Precision Fluid Controls, Inc., an aerospace industry player based in Lincoln, California. Established in 2004, the company manufactures components for aerospace vehicles and ground support, serving major clients like NASA and the U.S. Air Force.  The April 2024 attack compromised crucial data such as payroll details and client documents, threatening both security and business integrity.

Original Herkimer Cheese also suffered from a Play ransomware attack. This family-owned business, known for its artisanal cheeses, faced potential leaks of client, payroll, and financial information due to the compromise of their website.  

Founded in 1949 and operating with fewer than 25 employees, the company could see its small-scale operations and innovation-driven reputation severely affected by this breach.

Play, or PlayCrypt, is a Ransomware-as-a-Service (RaaS) that surfaced in mid-2022 and has quickly become a significant threat. It targets vulnerabilities, notably in unpatched Fortinet SSL VPN setups, using a variety of tools and techniques for intrusion and persistence, including Cobalt Strike, SystemBC RAT, and custom tools like the Grixba information stealer.

The FBI and CISA have noted that since its emergence, Play has compromised over 300 organizations, underscoring its rapid rise and evolving threat capabilities in the cybercriminal landscape.

Hunters International

Magicolor Peinture Industrielle, a leading industrial painting service provider in Quebec, Canada, has suffered a ransomware attack by the cybercriminal group Hunters International.  

Established in 1993 by Jacques and Pierre Tremblay, Magicolor has become a specialist in industrial coatings, liquid and powder coatings, sandblasting, and distribution of industrial paints.  

Johnny Morency, sole shareholder since 2017, has guided the company through significant growth, including the acquisition of Peintures Prolux's liquid coatings distribution business in 2023. This attack marks a tactical shift by Hunters from encryption to data exfiltration, using the threat of releasing stolen data to extort ransom payments.

Hunters International also targeted SSS Australia, a major supplier in the Australian healthcare sector, extracting about 67.1 GB of data, totaling over 60,255 files.  

SSS Australia has been an integral part of the healthcare supply industry for over 45 years, offering products and services to healthcare professionals and maintaining a strong focus on customer service, competitive pricing, and regulatory compliance. With annual revenues of $16.9 million and 78 employees, the company's comprehensive role makes it an attractive target for cybercriminal activities.

Another victim of Hunters' attacks was Rocky Mountain Sales Inc., based in Golden, Colorado. This U.S. company, which provides outsourced sales and service solutions primarily in the wholesale building materials industry, had approximately 301.1 GB of data compromised, involving 293,308 files.  

Established in 1971, the company supports large projects across Colorado, Wyoming, and Montana, generating about $3 million in annual revenue with 14 employees.

Central Power Systems and Services, a significant entity in the power systems sector headquartered in Liberty, Missouri, was also breached, resulting in the exfiltration of roughly 1.3 terabytes of data, which included over 2 million files.  

Since 1954, Central Power Systems has been a pivotal player as the exclusive distributor for major brands like Allison Transmissions and Detroit Diesel, boasting a strong market presence with $71 million in annual revenues and over 400 employees across 21 locations.

Hunters International, which evolved from the remnants of the Hive ransomware group, operates as a Ransomware-as-a-Service (RaaS). Utilizing sophisticated techniques such as data exfiltration and double extortion, Hunters has shifted to simpler encryption practices and targeted industries likely to pay ransoms, such as healthcare and critical infrastructure.

The group's use of Rust for their payload enhances their evasion capabilities, indicating a strategic refinement in their operations to maximize the efficiency and reliability of their extortion schemes.


BlackSuit

BlackSuit, a ransomware group that emerged in 2023 and has ties to the Royal ransomware group, has claimed responsibility for multiple attacks, including one on Herron Todd White, an Australian property valuation and advisory group.

The attack compromised 279 GB of documents and a 20 GB SQL database containing sensitive customer and transaction information. Herron Todd White, established in 1968, employs around 700 staff and is recognized for its property valuations, advisory services, and specialization in tax depreciation schedules and replacement cost estimate reports.

Another victim of BlackSuit's operations is Peter Condakes Company, Inc., a major fresh produce distributor in New England. Founded in 1900 and operating from Everett, Massachusetts, the company has evolved from a small pushcart operation to a key supplier in the grocery and related product merchant wholesaler industry, with annual revenues between $5 million and $10 million.

BlackSuit's attack on this company underscores its targeting of essential infrastructure, further evidenced by their method of encrypting files, adding a .blacksuit extension, and directing victims to negotiate via a Tor chat site.

Additionally, BlackSuit orchestrated a ransomware attack on Octapharma Plasma, encrypting sensitive data across multiple systems and compromising social security numbers, personal health information, financial records, and internal business documents. Octapharma Plasma, a major player in the global healthcare sector and a subsidiary of Octapharma AG, operates numerous donation centers across the U.S., specializing in haematology, immunotherapy, and critical care.

Unlike typical Ransomware-as-a-Service (RaaS) operations, BlackSuit maintains a high level of operational secrecy, operating privately without known affiliates and exhibiting technical similarities to the Royal ransomware. It is believed that BlackSuit might be a rebranding of Royal, itself a rebranding of Conti.  

This strategy of keeping its operations tight and controlled without relying on affiliates could be aimed at maintaining operational security and maximizing profits. This approach shows a strategic evolution in ransomware operations, focusing on impactful targets across critical sectors.  


Cactus

The Cactus ransomware group, known for its sophisticated cyberattack methodologies, has been actively compromising prominent companies across various industries, leveraging their vulnerabilities and extracting significant amounts of data.

One notable victim, SA.Global, a leading Microsoft Partner specializing in Microsoft Dynamics 365-based solutions, was targeted with a cyberattack resulting in the exfiltration of 41 GB of data. Founded in 1990, SA.Global operates in 80 countries and boasts a revenue of approximately $205.4 million, emphasizing their significant presence in the ERP, CRM, HCM, and business intelligence markets.

Another target of Cactus was the Canadian real estate giant, Concorde Group Corp. The attack on their main operational website led to the leak of about 2 GB of sensitive data after the company presumably failed to meet the ransom demands. Concorde Group, established in 1961 and based in Saskatoon, Saskatchewan, manages over 1 million square feet of property, underscoring their substantial role in the real estate sector.

In Europe, EBIR ILUMINACION SL, a leader in the Spanish bathroom lighting market, also fell victim to Cactus. The group exfiltrated 200 GB of data by deploying ransomware that encrypted files and changed their extensions to ".cts1". EBIR is known for its commitment to quality and innovation in bathroom lighting solutions and has a significant presence in 26 countries.

In the U.S., Coastal Cargo Company, LLC, a major player in the Gulf market's transportation and stevedoring industry, experienced an attack where 3 GB of data were stolen. This incident underscores the vulnerability of logistics and cargo management operations to cyber threats, particularly those handling extensive amounts of sensitive data. Coastal Cargo, with nearly a century of operational experience and an annual revenue of $36.6 million, is an important entity in its industry.

The Cactus ransomware group, which emerged in March 2023, has quickly escalated its operations by exploiting known vulnerabilities, particularly in VPN appliances, and employing sophisticated techniques such as Living-off-the-Land and leveraging legitimate network tools for lateral movement.  

The group's method involves using encrypted payloads that require a decryption key to execute, which helps evade detection by security tools. Cactus also employs tools like Cobalt Strike and utilizes scripts like TotalExec to automate the encryption process, closely mirroring tactics used by the BlackBasta gang.  

This group's strategic focus on targeting high-value entities with potentially lucrative data makes it a formidable force in the cybersecurity landscape.
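The two file-extension indicators mentioned above (".blacksuit" in the BlackSuit section and ".cts1" in the Cactus section) can be turned into a simple burst detector over file-rename telemetry. This is an added example, not Halcyon's code; the log format, host names, threshold, and time window are assumptions, and the sample events are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# Extensions named in this article: BlackSuit appends ".blacksuit", Cactus ".cts1".
EXT_TO_FAMILY = {".blacksuit": "BlackSuit", ".cts1": "Cactus"}

# Constructed events, oldest first: "<ISO time> <host> RENAME <old> -> <new>"
SAMPLE_EVENTS = """\
2024-05-14T09:00:01 fs01 RENAME /srv/share/q1.xlsx -> /srv/share/q1.xlsx.cts1
2024-05-14T09:00:02 fs01 RENAME /srv/share/q2.xlsx -> /srv/share/q2.xlsx.cts1
2024-05-14T09:00:03 ws07 RENAME /home/al/notes.txt -> /home/al/notes.md
2024-05-14T09:00:04 fs01 RENAME /srv/share/hr/pay roll.csv -> /srv/share/hr/pay roll.csv.CTS1
2024-05-14T09:05:00 ws07 RENAME /home/al/a.doc -> /home/al/a.doc.blacksuit
2024-05-14T09:09:00 ws07 RENAME /home/al/b.doc -> /home/al/b.doc.blacksuit
2024-05-14T09:13:00 ws07 RENAME /home/al/c.doc -> /home/al/c.doc.blacksuit
malformed line
"""

def parse(line):
    """Return (time, host, old, new) for a RENAME event, else None."""
    try:
        ts, host, op, rest = line.split(" ", 3)
        when = datetime.fromisoformat(ts)
    except ValueError:  # too few fields or a bad timestamp
        return None
    old, sep, new = rest.partition(" -> ")
    return (when, host, old, new) if op == "RENAME" and sep else None

def detect(lines, threshold=3, window=timedelta(seconds=60)):
    """Map (host, family) to the time its rename burst first hit the threshold."""
    recent, alerts = defaultdict(deque), {}
    for line in lines:
        event = parse(line)
        if event is None:
            continue
        when, host, old, new = event
        new_ext = PurePosixPath(new).suffix.lower()
        family = EXT_TO_FAMILY.get(new_ext)
        if family is None or PurePosixPath(old).suffix.lower() == new_ext:
            continue  # not a listed extension, or the file already carried it
        hits = recent[(host, family)]
        hits.append(when)
        while when - hits[0] > window:  # drop renames older than the window
            hits.popleft()
        if len(hits) >= threshold:
            alerts.setdefault((host, family), when)
    return alerts
```

With the default 60-second window only the fs01 burst is reported; the ws07 renames are spaced four minutes apart, so they surface only when the window is widened.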


RansomHub

RansomHub, an emerging ransomware group and Ransomware-as-a-Service (RaaS) platform, has been conducting sophisticated cyberattacks against various companies globally. One of its recent targets was POLARIS INFORMATICA Y COMUNICACIONES, a Spanish technology solutions provider.

The group exfiltrated about 165 GB of data, including potentially unlicensed software, from POLARIS' systems. Founded in 1996 and based in Madrid, POLARIS is known for its custom application development, IT consulting, and a revenue of approximately $3 million annually. The attack not only exposed sensitive data but also hinted at potential lapses in POLARIS' software management and security practices.

In Australia, Design Intoto Pty Ltd, a communications agency specializing in retail merchandising and brand communications, also fell victim to RansomHub. The attackers breached the company’s network and stole over 700 GB of confidential data, threatening to release it unless their demands were met.  

Established in 1985 and based in McMahons Point, New South Wales, Design Intoto has been recognized for its creative solutions in brand identity, photography, and digital technology integration.

Another target was Precision Time Systems, based in Bolivia, North Carolina, specializing in parking solutions and access control systems. RansomHub exfiltrated over 700 GB of sensitive data from the company and demanded a ransom for its return. Precision Time Systems, founded in 1993, is notable for its cutting-edge technology solutions in parking and security, operating primarily in the New York Metro Tri-State, Mid-Atlantic, and Eastern Pennsylvania regions.

Jute Trading Ltd., a UK-based company specializing in eco-friendly jute bags, also suffered an attack by RansomHub, resulting in the theft of approximately 20 GB of sensitive data. With its operations spanning 18 years and headquartered in Borehamwood, Hertfordshire, the company is known for its ethical trading practices and a diverse range of promotional jute bags.

Corient Capital Partners LLC, a wealth management firm, and Europeanprof, a Spanish company specializing in safety at heights, were also compromised. RansomHub claimed responsibility for exfiltrating 30 GB and 50 GB of data respectively from these firms. Both companies handle substantial sensitive information, making them attractive targets for ransomware attacks.

RansomHub has been attracting attention for its aggressive tactics and sophisticated deployment of ransomware, and it allows affiliates to keep up to 90% of ransom proceeds. Emerging around early 2024, the group benefits from the dissolution of other ransomware groups by absorbing their affiliates and enhancing its operational capacity.

RansomHub’s strict policies ensure compliance during negotiations, indicating a well-organized and formidable presence in the cybercrime landscape.
