Ransomware Roundup: 07.15.22

This week’s round up …

  • Doxxed: Because paying for that surgery wasn’t enough
  • BlackCat claims credit for Bandai Namco breach
  • Ransomware statistics for June are out, and it’s kind of encouraging (narrator: It is not)
  • A new player has joined the game: Lilith ransomware
  • From North Korea, with love

Doxxed: Because paying for that surgery wasn’t enough

Professional Finance Company issued a statement that a ransomware group was able to access databases holding personal information of patients at 657 healthcare organizations in Feb. 2022. PFC handles payments for many hospitals and the information includes names, addresses and Social Security numbers of account holders.

“PFC found no evidence that personal information has been specifically misused; however, it is possible that the following information could have been accessed by an unauthorized third party: first and last name, address, accounts receivable balance and information regarding payments made to accounts, and, in some cases, date of birth, social security number, and health insurance and medical treatment information,” the company wrote in a statement.

PFC states that they had notified the affected organizations and an investigation is ongoing. However, the Quantum ransomware group has been attributed to the attack.  

BlackCat claims credit for Bandai Namco breach

The malware intelligence group, vx-underground, posted a screenshot on their official Twitter account that shows the (ALPHV) BlackCat ransomware group seemingly taking credit for the Bandai Namco breach that occurred this week.

“On July 3, 2022, Bandai Namco Holdings Inc. confirmed that it experienced an unauthorized access by third party to the internal systems of several Group companies in Asian regions (excluding Japan). After we confirmed the unauthorized access, we have taken measures such as blocking access to the servers to prevent the damage from spreading. In addition, there is a possibility that customer information related to the Toys and Hobby Business in Asian regions (excluding Japan) was included in the servers and PCs, and we are currently identifying the status about existence of leakage, scope of the damage, and investigating the cause,” the company wrote in an official statement.

Bandai Namco is a video game publisher of popular franchises such as Elden Ring, Soulcaliber and Dark Souls.

A new player has joined the game: Lilith ransomware

An independent malware hunter discovered a new ransomware operation, dubbed Lilith, that claimed its first victim in South Africa.

“Lilith is a C/C++ console-based ransomware discovered by JAMESWT and designed for 64-bit versions of Windows. Like most ransomware operations launching today, Lilith performs double-extortions attacks, which is when the threat actors steal data before encrypting devices,” reported Bill Toulas at Bleeping Computer.

Threat Intelligence firm Cyble published a report detailing the technical analysis of Lilith. Admittedly, the RaaS group is in the early days of operations but worth watching.  

From North Korea, with love

The Microsoft Threat Intelligence Security Center (MSTIC) released research detailing the HolyGh0st ransomware group (whom Microsoft tracks as DEV-0530), which has been active since 2021 and is reportedly acting out of North Korea. Attribution is notoriously fraught for malware researchers, but the MSTIC team provides compelling evidence.

“MSTIC assesses there is likely some overlap between DEV-0530 and PLUTONIUM. PLUTONIUM is a North Korean threat actor group affiliated with clusters of activity that are also known as DarkSeoul and Andariel. Active since at least 2014, PLUTONIUM has primarily targeted the energy and defense industries in India, South Korea, and the United States using a variety of tactics and techniques.

“MSTIC has observed known DEV-0530 email accounts communicating with known PLUTONIUM attacker accounts. MSTIC has also observed both groups operating from the same infrastructure set, and even using custom malware controllers with similar names,” the team wrote in their report.

HolyGh0st attempted to legitimize their activities by claiming to help increase victim organizations’ security posture but … you know, extortion.

Thanks to the reporters and researchers

Shout out to the following people for their original reporting and research referenced in this week’s Ransomware Roundup.

Jonathan Greig at The Record - Recorded Future for their reporting on Medical debt collection firm says ransomware attack exposed info on 650+ healthcare orgs and Bandai Namco confirms cyberattack after ransomware group threatens leak.  

Sergiu Gatlan at Bleeping Computer for their reporting on Quantum ransomware attack affects 657 healthcare orgs. 

Adam Janofsky at The Record - Recorded Future for their reporting on Ransomware tracker: the latest figures [July 2022].

vx-underground at for their research on vx-underground on Twitter: "ALPHV ransomware group (alternatively referred to as BlackCat ransomware group) claims to have ransomed Bandai Namco.

JAMESWT at for their reporting on JAMESWT on Twitter: "#Ransomware #Lilith.

Bill Toulas at Bleeping Computer for their reporting on New Lilith ransomware emerges with extortion site, lists first victim. 

Cyble for their research on New Ransomware Groups on the Rise.

Microsoft Threat Intelligence Center at Microsoft Threat Intelligence for their research on North Korean threat actor targets small and midsize businesses with H0lyGh0st ransomware - Microsoft Security Blog. 

The Halcyon Platform

Halcyon is the industry’s first dedicated, adaptive security platform focused specifically on stopping ransomware attacks. Halcyon is built by offensive security experts to stop attackers. Our platform is a lightweight agent that combines multiple proprietary advanced prevention engines along with AI models trained solely on ransomware.

Ready to get a demo? Fill out the form and let’s talk!

Get a Demo

Meet with a Halcyon Anti-Ransomware Expert