Ransomware on the Move: 8Base, BlackCat/ALPHV, Cactus, Cl0p

Date: December 5, 2023


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:

8Base

The 8Base ransomware group, emerging in March 2022, has quickly risen to become one of the most active threats in 2023.

With a notable focus on the business services, manufacturing, and construction sectors, 8Base employs sophisticated techniques, possibly originating from experienced Ransomware-as-a-Service (RaaS) operators like Ransomhouse.

Notably, 8Base has shown a preference for Windows targets, avoiding Linux systems. The group's arsenal includes advanced security-evasion methods, such as modifying the Windows Defender Firewall to bypass defenses. In its attacks, 8Base engages in data exfiltration, employing double extortion tactics.

Recent victims of 8Base include Hills Legal Group in the USA, APVLINGÉNIERIE, Brown's Bay Packing in Canada, Cold Car Spa, Imperiali AG in Switzerland, and La Compabile Spa in Italy. The compromised data ranges from invoices, accounting documents, and personal data to confidential information, certificates, and employment contracts.

Despite lacking its own signature ransomware strain, 8Base has rapidly gained notoriety through a series of high-profile attacks.

The group does not openly maintain a RaaS program, instead appearing opportunistic in victim selection, often resorting to a "name and shame" strategy via its leak site to press for ransom payment.

BlackCat/ALPHV

BlackCat/ALPHV has been a formidable force since late 2021, taking responsibility for various high-impact attacks. The group's targets include Fidelity National Financial, China Petrochemical Development, Eckell Sparks Law Firm, Nespoli Group in Germany, Spectrum Solutions, and Vertex Resource Group.

Distinguishing itself with advanced capabilities, BlackCat/ALPHV maintains a well-developed RaaS platform whose encryptor uses AES.

The group, capable of impacting Windows, VMware ESXi, and Linux systems, has an extensive target range, primarily focusing on the healthcare, pharmaceutical, financial, manufacturing, legal, and professional services industries.

BlackCat/ALPHV is renowned for employing Rust, a secure programming language, and deleting Volume Shadow Copies to hinder rollback attempts. The group demands ransoms ranging from $400,000 to $3 million, with some cases exceeding $5 million.
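Both the Windows Defender Firewall changes attributed to 8Base above and the Volume Shadow Copy deletion described here leave command-line evidence that defenders can alert on. The following is an added example, not Halcyon's code or any group's tooling: a small detector run over constructed process-creation records, where the field names and all hosts, users and paths are assumptions loosely modelled on Windows Security event 4688.

```python
import re

# Constructed sample process-creation records (field names are assumptions,
# loosely modelled on Windows Security event 4688). Hosts, users and paths are invented.
SAMPLE_EVENTS = [
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "vssadmin.exe delete shadows /all /quiet"},
    {"host": "ws01", "user": "CORP\\jdoe",
     "cmdline": "wmic shadowcopy delete"},
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": "netsh advfirewall set allprofiles state off"},
    {"host": "srv02", "user": "CORP\\backup",
     "cmdline": "vssadmin.exe list shadows"},   # benign: listing, not deleting
    {"host": "ws03", "user": "CORP\\asmith",
     "cmdline": "notepad.exe report.txt"},       # benign
    {"host": "srv02", "user": "NT AUTHORITY\\SYSTEM",
     "cmdline": r"netsh advfirewall firewall add rule name=svc dir=in action=allow program=C:\Temp\svc.exe"},
]

# Each rule: (name, compiled regex over the command line). MITRE ATT&CK ids:
# T1490 Inhibit System Recovery, T1562.004 Disable or Modify System Firewall.
RULES = [
    ("T1490 shadow copy deletion (vssadmin)",
     re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b", re.I)),
    ("T1490 shadow copy deletion (wmic)",
     re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b", re.I)),
    ("T1562.004 firewall profile disabled (netsh)",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    # Rule additions are also routine admin activity; baseline them before paging anyone.
    ("T1562.004 firewall rule modified (netsh)",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+firewall\s+(add|set|delete)\s+rule\b", re.I)),
]


def match_event(event):
    """Return the names of all rules whose pattern matches the event's command line."""
    return [name for name, pattern in RULES if pattern.search(event.get("cmdline", ""))]


def scan(events):
    """Run every rule over every event and return one alert dict per hit, in event order."""
    alerts = []
    for ev in events:
        for rule in match_event(ev):
            alerts.append({"host": ev["host"], "user": ev["user"],
                           "rule": rule, "cmdline": ev["cmdline"]})
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"[{alert['rule']}] {alert['host']} {alert['user']}: {alert['cmdline']}")
```

In production the same patterns would be fed from Sysmon event 1 or Security event 4688 command-line auditing rather than from an inline list.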

Recently, they released an API for their leak site, intensifying pressure on victims to pay.

Cactus

The Cactus ransomware group has claimed responsibility for attacks against Medi-Market, a Belgian pharmacy chain, and Paul Stuart, a luxury clothing brand based in New York City.

Operating since at least March 2023, Cactus employs known vulnerabilities in VPN appliances for initial breaches.

While Cactus maintains a low profile compared to some counterparts, its impact is substantial. Victims include Axiom Construction and Consulting, a sheet-metal contractor in the Pacific Northwest.

The group's ransomware encryptor exhibits a unique characteristic, requiring a decryption key for execution, likely to evade antivirus detection.

Akira

Akira, emerging in March 2023, has targeted Custom Engineering & Fabrication, Inc., and iQ Supply Solutions.

With potential links to the Conti gang, Akira stands out by offering a chat feature for victims to negotiate directly with attackers. The group informs paid victims about infection vectors, deviating from standard ransomware procedures.

Akira operates a RaaS written in C++ that targets both Windows and Linux systems. Its ransom demands range from $200,000 to over $4 million. Akira employs a variety of tactics, including exploiting VPN credentials and leveraging a zero-day in Cisco's Adaptive Security Appliance, giving it a distinctive approach to its attacks.

Cl0p

The Cl0p ransomware group recently targeted North Carolina Central University, causing disruptions to online classes and campus Wi-Fi.

Operating as a RaaS platform since 2019, Cl0p employs advanced anti-analysis capabilities and increasingly relies on automation to exploit known vulnerabilities, particularly in GoAnywhere file transfer software.

With a growing number of attacks in Q1 2023, Cl0p primarily targeted healthcare in the past but expanded its focus to organizations with vulnerable GoAnywhere installations.

Ransom demands by Cl0p vary but have been reported to reach as high as $20 million as the group emphasizes data exfiltration for triple extortion schemes.

BianLian

BianLian, emerging in June 2022, initially operated as a traditional RaaS provider. However, in early 2023, the group shifted its focus from ransomware payloads to data exfiltration and extortion attacks.

Targeting organizations like Plastic Molding Technology Inc., BianLian leverages open-source tooling and command-line scripts for credential harvesting and data exfiltration.

While the ransom amounts requested by BianLian remain unclear, the group's success is evident in its increased attack volumes as it adapts to the changing landscape of ransomware threats.

BianLian's move away from traditional ransomware attacks underscores the effectiveness of double extortion strategies employed by various ransomware groups.

As these ransomware groups continue to adapt and refine their techniques, the need for proactive defense measures and international collaboration becomes increasingly critical in the ongoing battle against cyberthreats.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.