
    The Dirty Dozen: 12 Most Notorious Ransomware Groups Operating Today

    An Inside Look at Emerging Ransomware Groups: Play, Qilin, and RansomHub

    Ransomware attacks have grown increasingly sophisticated over the years, posing a significant threat to organizations across various sectors. Let’s dive into three notable ransomware groups: Play, Qilin, and RansomHub. Each operates with unique strategies and target demographics, highlighting the evolving landscape of cybercrime.

    Play Ransomware Group

    How It Works

    Play, a somewhat enigmatic player in the ransomware game, typically follows a multi-step approach to its attacks. The group first exfiltrates sensitive data from targeted systems and only then encrypts them. By keeping a low profile, Play avoids direct advertising on dark web forums, relying instead on its leak site for visibility. Interestingly, the group has claimed to operate as a “closed group” for transactions, a claim that is hard to square with evidence suggesting otherwise. According to Donovan from Searchlight Cyber, this suggests Play may not operate strictly as a Ransomware-as-a-Service (RaaS) entity.

    Targeted Victims

    The Play group has targeted various industries, with particular focus on critical sectors such as healthcare, telecommunications, finance, and government services. Their choice of victims points to a strategic attack plan, often seeking out organizations that manage sensitive or impactful data.

    Attribution

    Recent investigations have indicated potential links between Play and North Korean state-aligned Advanced Persistent Threat (APT) groups. In October 2024, researchers from Palo Alto Networks’ Unit 42 uncovered evidence suggesting that North Korean-backed APT45 may be involved with Play’s operations. Although the nature of this connection remains ambiguous, it demonstrates a troubling crossover between state-sponsored cyber activities and the realm of independent cybercrime networks.

    Qilin Ransomware Group

    History

    Qilin, also recognized by its alias Agenda, emerged as a formidable entity in the ransomware domain in May 2022. Operating primarily from Russia, this RaaS group has quickly gained notoriety for its aggressive tactics.

    How It Works

    Qilin has developed ransomware variants that target Windows and Linux systems, including VMware ESXi servers. Written in Go (Golang) and Rust, these variants follow a double extortion model: they encrypt victims’ files and threaten to leak the stolen data if ransom demands are not met. This tactic increases pressure on victims, making it more likely they will pay.

    Targeted Victims

    Distinctively, Qilin works through an affiliate model, recruiting partners on underground forums. However, it imposes specific restrictions, prohibiting attacks on organizations located in the Commonwealth of Independent States (CIS), the bloc of post-Soviet countries bordering modern-day Russia. This limitation showcases an intriguing blend of collaborative criminality and regional sensibilities.

    Attribution

    While the exact makeup of Qilin remains shrouded in mystery, its operations are strongly suspected to be run by a Russian-speaking organized cybercrime group. This connection underscores the growing trend of cybercriminal enterprises standardizing and refining their operational frameworks.

    RansomHub Ransomware Group

    History

    RansomHub made its entrance into the cybercriminal world in February 2024, quickly establishing itself as a significant cybersecurity threat. The group, which has undergone several rebrandings—initially known as Cyclops and later Knight—expanded its influence by incorporating affiliates from other defunct ransomware entities like LockBit and ALPHV/BlackCat.

    How It Works

    RansomHub affiliates adopt a two-phased approach when infiltrating networks: first exfiltrating sensitive data, then deploying encryption tools to lock down systems. They often use legitimate administrative utilities in their attacks, which helps their activity blend in with normal administration and evade detection. Notably, RansomHub operates under an “affiliate-friendly” RaaS model, guaranteeing a fixed 10% fee for affiliates. This payment structure, which allows affiliates to collect ransom payments directly from victims, makes RansomHub particularly attractive to new cybercriminal recruits seeking reliability in payout, unlike other groups that may falter in this regard.
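The exfiltrate-then-encrypt sequence described here for RansomHub, and above for Play, is also the pattern a defender can correlate on: a large outbound transfer from a host followed, hours later, by a burst of file renames to a new extension is a strong double-extortion signal. The script below is an added example and is not code from the article or from any of these groups; the telemetry format, host names, thresholds and sample events are constructed assumptions chosen to show the correlation, not observed indicators.

```python
"""Correlate bulk outbound transfers with later rename bursts (double-extortion pattern).

Constructed example: the event tuple format, thresholds and sample data below are
assumptions for illustration, not real telemetry or indicators from any group.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Tunable thresholds (assumed values; tune to your environment's baseline)
EXFIL_BYTES = 1_000_000_000            # >= 1 GB to an external address counts as bulk exfil
BURST_COUNT = 50                       # renames within BURST_WINDOW to call it an encryption burst
BURST_WINDOW = timedelta(minutes=10)
SEQUENCE_WINDOW = timedelta(hours=6)   # max gap between exfil and the start of encryption


def build_sample_events():
    """Constructed telemetry: (ISO timestamp, host, event_type, detail).

    event_type "net_out"     -> detail is bytes sent to an external address
    event_type "file_rename" -> detail is the new file extension
    """
    events = [
        # ws-17: ordinary user activity, must not alert
        ("2024-09-01T01:00:00", "ws-17", "net_out", 20_000_000),
        ("2024-09-01T01:05:00", "ws-17", "file_rename", ".docx"),
        # srv-03: 9.5 GB leaves the network, then a rename storm 40 minutes later
        ("2024-09-01T02:00:00", "srv-03", "net_out", 9_500_000_000),
    ]
    start = datetime.fromisoformat("2024-09-01T02:40:00")
    for i in range(120):  # 120 renames in two minutes
        events.append(((start + timedelta(seconds=i)).isoformat(), "srv-03", "file_rename", ".locked"))
    # srv-09: rename storm with no preceding bulk transfer (encryption without exfil)
    start = datetime.fromisoformat("2024-09-01T03:00:00")
    for i in range(80):
        events.append(((start + timedelta(seconds=i)).isoformat(), "srv-09", "file_rename", ".locked"))
    return events


def first_burst(times, burst_count, burst_window):
    """Earliest timestamp at which burst_count renames fall inside one burst_window."""
    times = sorted(times)
    left = 0
    for right, t in enumerate(times):
        while t - times[left] > burst_window:   # slide the window forward
            left += 1
        if right - left + 1 >= burst_count:
            return times[left]
    return None


def detect_double_extortion(events, exfil_bytes=EXFIL_BYTES, burst_count=BURST_COUNT,
                            burst_window=BURST_WINDOW, sequence_window=SEQUENCE_WINDOW):
    """Return {host: finding} for hosts showing an encryption burst.

    finding["pattern"] is "exfil_then_encrypt" when a bulk outbound transfer preceded
    the burst within sequence_window, otherwise "encrypt_only". Hosts with no burst
    are absent from the result.
    """
    exfil_at = {}                 # host -> earliest qualifying outbound transfer
    renames = defaultdict(list)   # host -> rename timestamps
    for ts, host, kind, detail in sorted(events, key=lambda e: e[0]):
        t = datetime.fromisoformat(ts)
        if kind == "net_out" and detail >= exfil_bytes:
            exfil_at.setdefault(host, t)
        elif kind == "file_rename":
            renames[host].append(t)

    findings = {}
    for host, times in renames.items():
        burst_at = first_burst(times, burst_count, burst_window)
        if burst_at is None:
            continue
        prior = exfil_at.get(host)
        if prior is not None and prior <= burst_at <= prior + sequence_window:
            pattern = "exfil_then_encrypt"
        else:
            pattern = "encrypt_only"
        findings[host] = {"pattern": pattern, "exfil_at": prior, "burst_at": burst_at}
    return findings


if __name__ == "__main__":
    for host, f in sorted(detect_double_extortion(build_sample_events()).items()):
        print(host, f["pattern"], "burst at", f["burst_at"].isoformat())
```

The two-stage finding matters for response: an "exfil_then_encrypt" host means data is already outside the network and the leak-site threat is credible, so restoring from backup does not close the incident. Because the article notes that affiliates lean on legitimate administrative utilities, the detector deliberately keys on behaviour (volume out, then mass renames) rather than on process names, which are easy to blend in.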

    Targeted Victims

    RansomHub has been linked to over 210 victims across essential sectors such as healthcare, finance, government services, and critical infrastructure within Europe and North America. Their broad target base indicates an opportunistic approach to identifying vulnerable systems in high-impact industries.

    Attribution

    Attribution for RansomHub remains less concrete, but existing circumstantial evidence points toward an organized Russian-speaking cybercrime operation. This connection to established ransomware actors adds to the complexity of tracking and countering their operations.

    In summary, the evolving tactics, strategies, and structures of ransomware groups like Play, Qilin, and RansomHub demonstrate a continuously shifting landscape in the realm of cybercrime. Their operations highlight the necessity for enhanced cybersecurity measures across various sectors, which remain key targets in an ever-growing digital threat landscape.
