Ransomware on the Move: Play, NoEscape, LockBit, Snatch


October 17, 2023


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs that were on the move last week:

Play Ransomware Gang:

The Play ransomware gang was especially busy last week, targeting Hughes Gill Cochrane Tinetti, a community association law firm in Walnut Creek, California, as well as NachtExpress, a delivery company serving Central, Eastern, and Northwest Europe.  

WCM Europe, an automotive solutions engineer and manufacturer in the UK, also fell victim to Play. Play exposed their private and personal confidential data, contracts, and more, demanding a ransom to keep the sensitive information from being made public. Play also attacked Starr Finley, a property lawyer in San Francisco, California.

But Play's most daring assault was on Saltire Energy, a heavyweight in the oil and gas industry. Specializing in drilling equipment and pressure control solutions, Saltire Energy serves global energy sectors, including offshore drilling and onshore projects.  

On October 10th, Play posted Saltire Energy on its data leak site, threatening to unveil a treasure trove of stolen data, including private and personal confidential information, if the organization refused to pay an undisclosed ransom.

While their reach was vast, Play didn't stop there. They turned their attention to Metro, the public transportation system in the St. Louis metropolitan area, and then Centek Industries, a marine exhaust system manufacturer. In true pirate fashion, Play's demands ranged from personal data to contracts and tax information, with deadlines looming.

Emerging in the summer of 2022, Play became notorious for high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels. They also had a knack for exfiltrating data from Fedpol and the Federal Office for Customs and Border Security (FOCBS).  

With a penchant for exploiting unpatched Fortinet SSL VPN vulnerabilities, they infiltrated their victims. To ensure success, they wielded tools like Process Hacker, GMER, IOBit, and PowerTool to bypass security solutions. To add insult to injury, they leveraged PowerShell or command scripts to disable Windows Defender.

While Play mainly targets organizations in Latin America, the group has shown no geographic boundaries, displaying a resemblance to other notorious ransomware groups such as Hive and Nokoyawa.

Play doesn't stop at encryption; the group doubles down by exfiltrating victim data and threatening to post it on its leak website. Play's ransom demands remain undisclosed, but the group is known to carry out its threats when payment isn't made.

NoEscape Ransomware Gang:

The NoEscape ransomware gang, another menacing crew, set their sights on unique targets. They attacked Penfield Fire Co, a volunteer fire department in Penfield, New York.  

Volunteer fire departments play a critical role in many communities, providing firefighting and emergency response services. NoEscape demonstrated no mercy by posting Penfield Fire Co on their data leak site.

They also struck Elbe Obst Fruchtverarbeitung, a German apple and apple products processor. As they expanded their list of conquests, they targeted Ordine Degli Psicologi Della Lombardia, the regional association for psychologists in Lombardy, Italy. NoEscape threatened to publish 7GB of stolen data unless an unspecified ransom was paid by October 17th.

NoEscape operates as a ransomware-as-a-service (RaaS) operation, allowing affiliates to customize their ransomware executables.  

LockBit Ransomware Gang:

LockBit, currently the most prolific threat actor, put Foremost in their crosshairs. Foremost operated in the home improvement and furniture sectors, headquartered in East Hanover, New Jersey. LockBit showed no mercy, posting Foremost on their data leak site, leaving victims to ponder their next move.

Atlanta Technical College, a two-year community and technical college in Atlanta, Georgia, also faced the wrath of LockBit. The gang demanded a ransom to decrypt systems, and their triple extortion model meant that victims might also be asked to purchase their sensitive information.  

LockBit is known for its blazing-fast encryption speed and evasive capabilities. Employing publicly available file-sharing services and custom tools like Stealbit, they exfiltrated data with precision.

With ransoms exceeding $50 million and an aggressive approach, LockBit is at the forefront of ransomware operations. Their LockBit 3.0, introduced in June 2022, incorporated advanced anti-analysis features and targeted both Windows and Linux systems. LockBit's focus on the healthcare sector made them a significant player in the ransomware world.

BlackCat/ALPHV Ransomware Gang:

BlackCat/ALPHV, the dark horse of ransomware, attacked the First Judicial Circuit of Florida, a judicial circuit within Florida's court system. Their incursion was audacious, and the victims faced the threat of their data being exposed to the world.

Wyndemere Senior Care, an assisted living facility in Wheaton, Illinois, also fell victim to BlackCat/ALPHV. The gang claimed to have stolen a substantial amount of data, leaving Wyndemere Senior Care in a state of vulnerability.

After they emerged in late 2021, BlackCat/ALPHV flexed their muscles in 2022, exfiltrating data and taking on tasks like remote access. Their Rust-based ransomware set them apart, allowing for customization across various operating systems. With the ability to encrypt files using the ChaCha20 or AES algorithm, they left their victims in distress.

Determined to wipe out the possibility of rollback, BlackCat/ALPHV deleted Volume Shadow Copies and used advanced anti-analysis techniques. With a diverse targeting strategy, they set their sights on various industries, including healthcare, pharmaceuticals, finance, manufacturing, and more. Their double extortion strategy involved exfiltrating data, selling it, and then demanding a ransom.

Snatch Ransomware Gang:

Snatch, the unassuming yet effective gang, attacked Alliance Virgil Roberts Leadership Academy. The academy, part of a network of independent public charter schools in Los Angeles, became their unsuspecting target. The victims were left in suspense, as Snatch posted their name on the data leak site.

Emerging in 2018, Snatch flew under the radar, showcasing its ability to evade security tools. Volume Shadow Copies and local Windows backups were no match for their destructive intent. In 2023, they were expected to increase their attacks by 50%.  

While their ransom demands were relatively low, ranging from several thousand to tens of thousands of dollars, their unique style set them apart. Their Go-based ransomware didn't leave security tools standing, and Snatch was also known for deleting Volume Shadow Copies to prevent encryption rollbacks.
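Two behaviours recur across the groups above: disabling Windows Defender or running security-tool killers such as Process Hacker, GMER, IOBit and PowerTool (the Play section), and deleting Volume Shadow Copies and local Windows backups to block rollback (the BlackCat/ALPHV and Snatch sections). The detection logic below is an added example, not code from Halcyon or from this post; it runs a small set of command-line rules over constructed process-creation events (the event shape, host names, user names and command lines are all assumptions made for the example) and escalates a host when both recovery inhibition and defence impairment are seen together.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    host: str
    user: str
    technique: str  # MITRE ATT&CK technique ID
    title: str
    cmdline: str


# Command-line rules: (ATT&CK ID, description, pattern). Only destructive
# verbs are matched, so "vssadmin list shadows" from a backup job stays quiet.
COMMAND_RULES = [
    ("T1490", "Inhibit System Recovery: shadow copies deleted via vssadmin",
     re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)),
    ("T1490", "Inhibit System Recovery: shadow copies deleted via WMI",
     re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I)),
    ("T1490", "Inhibit System Recovery: Windows backup catalog deleted",
     re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I)),
    ("T1562.001", "Impair Defenses: Defender real-time protection disabled",
     re.compile(r"Set-MpPreference\b.*-DisableRealtimeMonitoring\s+\$?true", re.I)),
]

# Security-tool killers named in the Play section, matched on the image file
# name only so a copy run from any directory is flagged for review. The exact
# executable names are an assumption of this example.
TOOL_IMAGE_RX = re.compile(r"^(processhacker|gmer|powertool\w*|iobit\w*)\.exe$", re.I)

# Constructed sample events in a Sysmon Event ID 1 / Security 4688 style.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "jdoe", "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "user": "SYSTEM",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -nop -w hidden Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"host": "srv02", "user": "SYSTEM", "image": r"C:\Windows\System32\wbadmin.exe",
     "cmdline": "wbadmin delete catalog -quiet"},
    {"host": "ws03", "user": "alice", "image": r"C:\Users\alice\Downloads\ProcessHacker.exe",
     "cmdline": "ProcessHacker.exe"},
    {"host": "ws03", "user": "alice", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": "notepad.exe report.txt"},
    {"host": "ws04", "user": "backupsvc", "image": r"C:\Windows\System32\vssadmin.exe",
     "cmdline": "vssadmin.exe list shadows"},  # benign: lists, does not delete
]


def _basename(path: str) -> str:
    """Return the lower-cased file name from a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect(events):
    """Apply the command-line and image-name rules; return one Finding per hit."""
    findings = []
    for ev in events:
        cmd = ev["cmdline"]
        for technique, title, rx in COMMAND_RULES:
            if rx.search(cmd):
                findings.append(Finding(ev["host"], ev["user"], technique, title, cmd))
        if TOOL_IMAGE_RX.match(_basename(ev["image"])):
            findings.append(Finding(ev["host"], ev["user"], "T1562.001",
                                    "Impair Defenses: known security-tool killer launched", cmd))
    return findings


def triage(findings):
    """Per host: 'critical' when recovery inhibition (T1490) and defence
    impairment (T1562.001) both appear, 'high' for T1490 alone, 'review'
    for T1562.001 alone. Hosts with no findings are omitted."""
    seen = {}
    for f in findings:
        seen.setdefault(f.host, set()).add(f.technique)
    levels = {}
    for host, techniques in seen.items():
        if {"T1490", "T1562.001"} <= techniques:
            levels[host] = "critical"
        elif "T1490" in techniques:
            levels[host] = "high"
        else:
            levels[host] = "review"
    return levels


if __name__ == "__main__":
    hits = detect(SAMPLE_EVENTS)
    for f in hits:
        print(f"{f.host:5} {f.user:10} {f.technique:10} {f.title}")
    print(triage(hits))
```

The rules match on the plain command line, so a PowerShell invocation passed through `-EncodedCommand` or built from string fragments would slip past them; in production, decode encoded commands (or use Script Block Logging, Event ID 4104) before matching, and treat the "review" level for Process Hacker and similar utilities as a prompt for context, since administrators also run them legitimately.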

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.