Ransomware on the Move: 8Base, Akira, BianLian, Cactus


December 19, 2023

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


The 8Base ransomware group has emerged as one of the most active threat actors in 2023,demonstrating a significant uptick in activity since its inception in March2022. Notably, 8Base has targeted a diverse range of organizations, showcasing a preference for those in business services, manufacturing, and construction sectors.

Among its victims is Astley, a venerable brand implementation expert based in the United Kingdom. Astley, with over a century of expertise, fell prey to 8Base's attack, resulting in the compromise of confidential information, including invoices, receipts, accounting documents, and personal data.

Calgary TELUS Convention Centre, a hub for events and ideas, also faced the brunt of8Base's onslaught. Similarly, PROMOBE Group in Luxembourg, Lischkoff &Pitts, P.C. providing financial guidance, SMG Confrere specializing in industrial subcontracting, Tim Davies Landscaping, and VISAN, a group focused on pet well-being, all experienced data breaches orchestrated by 8Base.

The group's modus operandi involves data exfiltration for double extortion and advanced security evasion techniques. 8Base is linked to experienced Ransomware-as-a-Service (RaaS) operators and has shown a connection to the leaked Babuk builder.

Although their ransom demands remain undisclosed, their focus on "name and shame" tactics via a leaks site suggests a strategy to compel victims to pay.


BlackCat/ALPHV, a ransomware group with Russian ties, has been actively targeting organizations across various sectors. In a recent attack on Deutsche Energie-Agentur GmbH, the German Energy Agency LTD, the group claimed to have stolen sensitive data, raising concerns about potential data compromise for business contacts.

Clatskanie People’s Utility District and the Traffic and Criminal Software (TraCS) of Florida also fell victim to BlackCat/ALPHV's cyber onslaught. The former suffered data theft, including customer and partner information, agreements, and financial data, while the latter's data compromise is yet to be officially confirmed.

BlackCat/ALPHV's notoriety stems from its advanced ransomware capabilities, utilizing AES algorithms, customizable code, and disabling security tools. The group demands ransoms ranging from $400,000 to $5 million, showcasing a willingness to push the boundaries for financial gain. BlackCat/ALPHV's release of an API for their leak site adds another layer of visibility to their attacks, pressuring victims to meet their ransom demands.


The Akira ransomware group, a relatively new entrant into the cyber threat landscape since March 2023, has already left its mark with attacks on Compass Group Italia and Goiasa. Infiltrating systems and exfiltrating substantial amounts of sensitive data, Akira has demonstrated a unique strategy of engaging victims indirect negotiations through a chat feature.

Possibly linked to the Conti gang, Akira's attacks involve the compromise of financial records, HR files, legal documents, and personal information. The group's ability to inform victims of infection vectors after receiving ransom payments deviates from standard ransomware procedures. The decrypter released for Akira has proven ineffective, underlining the group's commitment to its double extortion strategy.


The BianLian ransomware group, initially operating as a typical RaaS provider, has transitioned to less complicated data exfiltration and extortion attacks. This shift showcases the success of double extortion strategies, with the group leveraging open-source tools and command-line scripts for credential harvesting and data exfiltration.

Attacks on Acero Engineering and Akumin involved the exfiltration of massive amounts of data, including accidents, financial records, health and medical records, and software source code. BianLian's departure from deploying ransomware payloads in favor of pure data extortion attacks positions them as a prominent threat in2023.


Cactus, a ransomware group active since March 2023, has been observed exploiting known vulnerabilities within VPN appliances for initial breaches. Once inside the network, Cactus engages in activities such as enumerating user accounts, generating new accounts, and employing custom scripts for ransomware deployment.

CIE Automotive and ISC Consulting Engineering are among Cactus' victims, with the extent of data compromise undisclosed. Cactus's unique ransomware encryptor requires a decryption key for execution, possibly implemented to evade antivirus detection. The group's modus operandi involves a meticulous and automated approach to network compromise.


LockBit, a well-established RaaS operator since 2019, has continued to dominate the ransomware landscape with its advanced capabilities. Recent attacks on ALDO Shoes and Amsellem-Weitz Law Firm highlight the group's penchant for targeting large enterprises, often in the healthcare sector.

LockBit's fast encryption speed, multiple means of extortion, and demands exceeding $50million underscore its status as a formidable threat. The group's innovation in releasing LockBit 3.0, the first macOS ransomware variant, and continuous updates to its RaaS platform demonstrate an unwavering commitment to staying ahead of security measures.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.