Emerging Threat Actor: Orca Ransomware
Orca ransomware, which surfaced in September 2024, is a new player in the ransomware ecosystem, emerging at a time when larger groups like LockBit and ALPHV have faced disruption.
Orca functions primarily as a data broker, focusing heavily on exfiltration prior to encryption. The group has absorbed affiliates from larger organizations, which has amplified its operational capacity and allowed it to employ aggressive double-extortion tactics with precision.
Orca’s approach involves extensive data exfiltration before encryption, using tools like Azure Storage Explorer to extract data from victim networks without triggering conventional security systems.
By the time encryption begins, a significant amount of sensitive data has already been stolen, which the group uses as leverage in its ransom demands. Files are encrypted with the .ORCA extension, and a ransom note titled HOW_TO_RECOVER_DATA.hta is deployed, outlining the demands.
Orca is derived from the Zeppelin malware family, inheriting its strong encryption capabilities. It targets a wide range of file types, including documents, databases, and images.
Orca typically demands ransoms in Bitcoin, with a tight deadline of 72 hours, threatening to publicly leak the stolen data if payment is not received.
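The two host-level indicators the write-up gives (the .ORCA extension on encrypted files and the HOW_TO_RECOVER_DATA.hta ransom note) are the kind of thing a defender can match directly in endpoint file-activity telemetry. The script below is an added illustration, not code from Halcyon or from this post: it parses a constructed, generic "timestamp host= action= path=" event feed (an assumed layout, not any real product's schema), flags files carrying the extension or the note name, and adds a simple burst heuristic (many .ORCA renames on one host within a short window, with an assumed threshold of three events per minute) so that mass encryption stands out from a stray file that merely happens to end in .ORCA.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Indicators taken from the write-up: the encrypted-file extension and the ransom note name.
ENCRYPTED_EXT = ".orca"
RANSOM_NOTE = "how_to_recover_data.hta"

# Constructed sample file-activity events. The "ts host= action= path=" layout is an
# assumed generic endpoint feed, not any real product's log schema.
SAMPLE_EVENTS = r"""
2024-09-12T10:15:01Z host=WS-17 action=rename path=C:\Users\jdoe\Documents\q3-forecast.xlsx.ORCA
2024-09-12T10:15:02Z host=WS-17 action=rename path=C:\Users\jdoe\Documents\contracts.docx.ORCA
2024-09-12T10:15:02Z host=WS-17 action=rename path=C:\Users\jdoe\Pictures\site-plan.png.ORCA
2024-09-12T10:15:04Z host=WS-17 action=create path=C:\Users\jdoe\Desktop\HOW_TO_RECOVER_DATA.hta
2024-09-12T10:20:00Z host=FS-01 action=create path=D:\Shares\Finance\2024-budget.xlsx
2024-09-12T11:02:33Z host=WS-22 action=rename path=C:\Temp\notes.txt.bak
"""

EVENT_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) action=(?P<action>\S+) path=(?P<path>.+)$")


def parse_event(line):
    """Parse one event line into a dict, or return None if it does not match the layout."""
    m = EVENT_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "host": m["host"],
        "action": m["action"],
        "path": m["path"],
    }


def classify_event(event):
    """Return the Orca indicators matched by one event (empty list if none)."""
    # Normalise Windows separators and compare on the lower-cased file name only.
    name = event["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
    tags = []
    if name.endswith(ENCRYPTED_EXT):
        tags.append("orca_extension")
    if name == RANSOM_NOTE:
        tags.append("ransom_note")
    return tags


def has_burst(timestamps, threshold, window):
    """True if at least `threshold` events fall inside any span of length `window`."""
    ts = sorted(timestamps)
    for i in range(len(ts) - threshold + 1):
        if ts[i + threshold - 1] - ts[i] <= window:
            return True
    return False


def detect_orca_indicators(log_text, burst_threshold=3, window=timedelta(seconds=60)):
    """Group indicator hits per host and mark hosts showing a rename burst."""
    per_host = defaultdict(lambda: {"orca_files": [], "ransom_notes": [], "orca_times": []})
    for line in log_text.strip().splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        for tag in classify_event(ev):
            if tag == "orca_extension":
                per_host[ev["host"]]["orca_files"].append(ev["path"])
                per_host[ev["host"]]["orca_times"].append(ev["ts"])
            elif tag == "ransom_note":
                per_host[ev["host"]]["ransom_notes"].append(ev["path"])
    findings = {}
    for host, data in per_host.items():
        findings[host] = {
            "orca_files": data["orca_files"],
            "ransom_notes": data["ransom_notes"],
            "burst": has_burst(data["orca_times"], burst_threshold, window),
        }
    return findings


if __name__ == "__main__":
    for host, result in detect_orca_indicators(SAMPLE_EVENTS).items():
        print(host, result)
```

On the constructed sample only WS-17 is reported: three .ORCA renames inside one second trip the burst heuristic and the ransom note is found on the same host, while the ordinary .xlsx and .bak activity on the other hosts produces no hit. Because the group exfiltrates before encrypting, these indicators mark the end of an intrusion rather than its start; they are useful for scoping and containment, not as the only tripwire.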
Recent Attacks:
- Chernan Technology Co., Ltd., a Taiwanese manufacturing firm, suffered an attack from Orca, resulting in the exfiltration of 18GB of financial records and infrastructure documentation. This attack highlights Orca’s increasing presence in the ransomware ecosystem, particularly in high-value targets.
- ExcelPlast Tunisie, a plastics manufacturing company, was also breached by Orca. The group claims to have exfiltrated 20GB of sensitive data, including operational and client information, further validating Orca’s expertise in high-impact double-extortion operations.
Halcyon.ai eliminates the business impact of ransomware, drastically reduces downtime, prevents data exfiltration, and enables organizations to quickly and easily recover from attacks without paying ransoms or relying on backups – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.