Ransomware on the Move: 8Base, Akira, Cactus, LockBit


January 23, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


The 8Base ransomware group has emerged as a formidable threat, claiming attacks on several high-profile organizations. International Trade Brokers and Forwarders, Anderson King Energy, Ballay Menuiseries,  

Nexus Telecom Switzerland AG, and SIVAM Coatings S.p.A are among the victims. The group's targets span business services, manufacturing, and construction sectors.  

With a focus on Windows systems, 8Base engages in data exfiltration for double extortion, utilizing advanced security evasion techniques. Having surfaced in March 2022, 8Base rapidly ascended the ranks of active ransomware operators, displaying a massive spike in activity in the first half of 2023.  

Although lacking its own signature ransomware strain or an openly recruited RaaS program, 8Base operates discreetly, potentially servicing a group of vetted affiliate attackers privately. The group's choice of victims appears opportunistic, with a penchant for "name and shame" tactics through their leaks site to pressure ransom payments.


Akira, another prominent player in the ransomware landscape, has targeted organizations such as Becker Logistics, Blackburn College, TGS Transportation, and Vincentz Network.  

Operating since March 2023, Akira distinguishes itself by maintaining a modest but growing attack volume. The group may have links to the Conti gang, leveraging an extortion platform with a unique chat feature for victim negotiations.

Akira's ransom demands range from $200,000 to over $4 million, and the group operates a RaaS capable of targeting both Windows and Linux systems. Notably, Akira engages in remote exploitation of zero-day vulnerabilities, demonstrating sophistication in its attack vectors.  

The group employs a range of techniques, including deleting Windows Shadow Volume Copies and utilizing legitimate tools for increased detection evasion.


Cactus has left its mark on organizations like Asbury Automotive Group and Intercity Investments. Operating since March 2023, Cactus employs known vulnerabilities within VPN appliances for initial breaches.  

The group's unique ransomware encryptor necessitates a decryption key for execution, concealed within a file named ntuser.dat. With a focus on real estate management and automotive sectors, Cactus exfiltrates sensitive data, including certificates and Personally Identifiable Information (PII) documents.


The LockBit ransomware group has targeted Amenitek and Tura Scandinavia AB, displaying a high level of sophistication in its attacks. With a history dating back to 2019, LockBit continues to evolve its RaaS platform, demanding ransoms exceeding $50 million.  

The group innovates with the introduction of a macOS ransomware variant and employs advanced anti-analysis features. LockBit's extensive reach includes the targeting of large enterprises, particularly in the healthcare sector.  

The group leverages remote desktop protocol (RDP) exploitation and spreads across networks using Group Policy Objects and PsExec. With a reputation for a well-run affiliate program and high payouts, LockBit remains a formidable force in the ransomware landscape.

The recent spate of ransomware attacks by 8Base, Akira, Cactus, and LockBit underscores the escalating threat faced by organizations across various industries. These groups employ sophisticated techniques, demand substantial ransoms, and exhibit a capacity for innovation in their malicious activities.  

The imperative for robust cybersecurity measures has never been more evident, as organizations grapple with the evolving tactics of these ransomware operators.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.