Ransomware on the Move: Black Basta, 8Base, Qilin, Knight


January 17, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

Black Basta

Black Basta, a relatively new group that surfaced in early 2022, has quickly risen to infamy. Believed to be an offshoot of the disbanded Conti and REvil attack groups, Black Basta specializes in highly targeted attacks, particularly against manufacturing, transportation, construction, telecommunications, automotive, and healthcare sectors.

The group's approach involves exfiltrating sensitive data for additional extortion leverage, with reports of ransom demands reaching as high as $2 million. Black Basta exhibits versatility by deploying ransomware payloads capable of infecting both Windows and Linux systems. Notably, the group exploits vulnerabilities in VMware ESXi running on enterprise servers, showcasing a keen understanding of its targets' infrastructure.

To maximize their reach, Black Basta leverages malware strains like Qakbot and exploits vulnerabilities such as PrintNightmare during the infection process. The group also favors exploiting insecure Remote Desktop Protocol (RDP) deployments, a leading infection vector for ransomware. Employing a double extortion scheme, Black Basta maintains an active leaks website where exfiltrated data is posted if the targeted organization refuses to pay the ransom.


The 8Base ransomware group, emerging in March 2022, has rapidly become one of the most active players, particularly in the business services, manufacturing, and construction sectors. Experts suggest a potential connection to Ransomhouse and the leaked Babuk builder, indicating an experienced lineage.

Known for advanced security evasion techniques, 8Base engages in data exfiltration for double extortion. Despite lacking a specific ransomware strain or a public RaaS program, the group demonstrates opportunistic targeting, focusing on organizations in business services, manufacturing, financial, and information technology sectors. Notably, 8Base tends to target Windows systems and employs customized Phobos with SmokeLoader as prevalent ransomware payloads.

The group's surge in activity in the first half of 2023 underscores its growing influence, showcasing a unique blend of tactics to maximize impact and extort victims.


Qilin, operating as a RaaS, has gained notoriety for its targeted attacks using a Rust-based ransomware. The group, proficient in Windows and ESXi versions, employs multiple encryption modes under the operator's control. Qilin's modus operandi involves not only encrypting sensitive data but also exfiltrating it for double extortion.

Promoting its ransomware on the dark web with a dedicated leak site, Qilin demands payment for a decryptor and insists on non-disclosure of stolen data even after ransom payment. The group's ability to generate samples for various operating systems underscores its adaptability and sophistication.


The Knight ransomware group gained attention by overhauling the Cyclops ransomware interface and code. This group employs a tactical shift, offering a 'lite' version suitable for spam, spray-and-pray, and batch distribution campaigns. Using social engineering techniques, Knight lures victims with deceptive attachments, such as a simulated TripAdvisor complaint.

The group's activities span across various sectors, with a recent attack on Grupo SCA involving the exfiltration of over 100GB of sensitive data. The introduction of a 'lite' version reflects Knight's flexibility in adapting to different attack scenarios.


LockBit, active since 2019, continues to be a leading threat in the ransomware landscape. Known for its fast encryption speed and multiple means of extortion, LockBit demands high ransoms and targets large enterprises, particularly in the healthcare sector.

Innovating its RaaS platform with the release of LockBit 3.0 in June 2022, the group introduced the first iteration of a macOS ransomware variant in April 2023. LockBit's adaptability extends to both Windows and Linux systems, with a focus on exploiting vulnerabilities in Remote Desktop Protocol (RDP) and utilizing custom tools like Stealbit for data exfiltration.


Akira, emerging in March 2023, has links to the notorious Conti gang. This group introduces unique features to its extortion platform, including a chat feature for direct negotiation with victims. Akira informs victims of the infection vectors post-ransom payment, deviating from the standard ransomware procedure.

Using a RaaS platform capable of targeting both Windows and Linux systems, Akira leverages various tools like PowerShell, PCHunter64, and exploits zero-days, showcasing a diverse and evolving toolkit. The group's attacks extend across multiple industries, with an emphasis on education, finance, and manufacturing.


Play, emerging in the summer of 2022, operates as a RaaS platform exhibiting similarities to Hive and Nokoyawa ransomware strains. The group gained notoriety with high-profile attacks on the City of Oakland, Argentina's Judiciary, and German hotel chain H-Hotels.

Play employs a variety of tools for security evasion, such as Process Hacker, GMER, and IOBit. The group focuses on compromising unpatched Fortinet SSL VPN vulnerabilities, demonstrating an opportunistic approach. Play's data exfiltration tools, including the Grixba information stealer and AlphaVSS, enhance its efficiency in stealing sensitive information.

In conclusion, the rise of ransomware groups poses a significant threat to organizations across various sectors. As these groups continue to evolve and adapt, the need for robust cybersecurity measures becomes paramount. Understanding their tactics, targets, and motivations is crucial for developing effective strategies to mitigate the impact of ransomware attacks.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.