Ransomware on the Move: 8Base, LockBit, Cactus, BianLian


January 3, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


8Base, a relatively new but highly active ransomware group, has claimed responsibility for a series of attacks on prominent organizations, showcasing their capability to infiltrate diverse sectors.

CETEC Ingénierie, an engineering firm specializing in project management and technical design, fell victim to 8Base's ransomware assault. The attackers exfiltrated a plethora of data, including invoices, accounting documents, and confidential information, jeopardizing the firm's sensitive operations.

Davis, Cedillo & Mendoza Inc., a law firm specializing in business litigation, real estate, and tort defense, also felt the brunt of 8Base's onslaught. The group obtained crucial corporate data, emphasizing their ability to target organizations across different industries.

Employ Milwaukee, a local workforce development board, and Horizon Spa & Pool Parts, a wholesale distributor, also succumbed to 8Base's ransomware attacks. The compromised data, which included personal files and confidential information, puts both organizations at risk of severe consequences.

Insidesource, a global furniture dealer, and LCGB, a trade union committed to defending employees' interests, were not spared either. 8Base's attacks on these organizations further underline the indiscriminate nature of their targeting.

Socadis, a Canadian distribution company in the book industry, and The International School of Management in Paris, France, also found themselves in the crosshairs of 8Base. While the extent of the damage remains unclear, the sheer breadth of targeted sectors is alarming.

The 8Base ransomware gang, emerging in March 2022, quickly rose to infamy with a "massive spike in activity" in the first half of 2023. Business services, manufacturing, and construction sectors are prime targets for 8Base, aligning with their strategy to exploit vulnerable organizations. The group's sophistication suggests a connection to experienced Ransomhouse operators, or possibly the leaked Babuk builder.

Employing advanced security evasion techniques, 8Base engages in double extortion through data exfiltration. Their preferred ransomware payloads, notably customized Phobos with SmokeLoader, underscore their adaptability. Focused primarily on Windows targets, 8Base aims to "name and shame" victims on their leaks site to coerce ransom payments.

Despite lacking a distinctive ransomware strain or an open Ransomware-as-a-Service (RaaS) program, 8Base's opportunistic approach and high attack volume position them as a significant threat in the ransomware landscape.


LockBit, another prominent ransomware group, has orchestrated attacks on organizations within the legal and manufacturing sectors, causing significant disruptions and data breaches.

CTS, an IT services company catering to the legal sector, suffered a service outage affecting over 80 UK law firms. The attack, associated with the recent CitrixBleed incidents, showcases LockBit's ability to exploit vulnerabilities and disrupt critical services.

PARAT Technology, specializing in plastic trim parts, and Rodo Limited, the largest supplier of decorating sundry products in the UK, both fell prey to LockBit's ransomware attacks. The compromised data, including corporate information and financial details, poses a severe threat to their operations.

LockBit's attacks extended to Austen Consultants, a provider of secure and innovative IT solutions, and Robert F. Pagano & Associates, an accounting and business advisory firm. The nature and extent of the compromised data remain undisclosed, leaving these organizations in a precarious position.

The modus operandi of LockBit involves exploiting known vulnerabilities within VPN appliances for initial breaches. Once inside the network, the group engages in user account enumeration, creating new accounts, and deploying ransomware through custom scripts. Notably, LockBit's ransomware encryptor exhibits a unique characteristic, requiring a decryption key for execution, likely evading antivirus detection.


Cactus ransomware group has left a trail of chaos in the security and legal sectors, compromising sensitive data and disrupting operations across diverse organizations.

Dillard Door, a provider of security solutions, and Fenwick Elliot, the largest construction and energy law firm in the UK, both fell victim to Cactus's attacks. The group obtained confidential corporate data, signaling their ability to breach security systems in organizations focused on safeguarding others.

La Jolla Group, an apparel and accessories company, and CIE Automotive, a global supplier to the automotive market, also succumbed to Cactus's ransomware attacks. The compromised data, including passports and financial information, exposes the vulnerabilities within their systems.

Operating since at least March 2023, Cactus utilizes known vulnerabilities within VPN appliances for initial breaches. The group employs custom scripts for automated ransomware deployment, ensuring a seamless and damaging attack. The unique characteristic of Cactus's ransomware encryptor, requiring a decryption key for execution, adds an extra layer of complexity to their attacks.


BianLian, once a traditional Ransomware-as-a-Service (RaaS) provider, has evolved into a data extortion group, abandoning ransomware payloads for more straightforward attacks. This shift highlights the effectiveness of the double extortion strategy.

ASA Holidays, a leading online travel agency in Singapore, and Commonwealth Capital Group, a Singapore-based investment company, both fell victim to BianLian's data extortion attacks. Enormous amounts of sensitive data, including financial details, HR information, and trade secrets, were extracted, posing a severe threat to the affected organizations.

Chaney, Couch & Associates Family Dentistry, Electrical Connections, and Greenbox Loans also faced the brunt of BianLian's attacks. The compromised data includes finance information, patient records, and confidential details, emphasizing the indiscriminate nature of BianLian's targeting.

BianLian's modus operandi involves leveraging open-source tools and command-line scripts for credential harvesting and data exfiltration. Abandoning ransomware payloads, they focus on pure data extortion attacks, targeting financial institutions, healthcare, manufacturing, education, entertainment, and energy sectors.

The sophistication, adaptability, and indiscriminate targeting of these ransomware groups underscore the urgent need for enhanced cybersecurity measures to protect sensitive data and critical infrastructure. The global community must unite in the fight against cybercrime to mitigate the potentially devastating consequences of future attacks.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.