Ransomware on the Move: Black Basta, Underground Team, SpaceBears, LockBit


May 21, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

Black Basta

The Black Basta group, notorious for its aggressive ransomware campaigns, has been linked to several high-profile cyber attacks, targeting CMAC Transportation, Integrated Design Solutions (IDS), Swisspro AG, and Olson Steel, among others.

CMAC Transportation, a veteran-owned logistics and warehousing provider based in Brownstown, Michigan, was one of the group's victims. In this attack, Black Basta exfiltrated approximately 200 GB of sensitive data, including HR records, financial information, personal data, and personnel files.  

Despite the absence of a publicly disclosed ransom demand, the breach was significant due to the sheer volume and sensitivity of the stolen data. CMAC, with 295 employees and an annual revenue of $65.2 million, is recognized for its comprehensive logistics services, which include domestic and international warehousing, consolidation, transportation, and logistics.  

The attack highlighted potential security weaknesses, such as inadequate network segmentation and insufficient monitoring systems, which may have facilitated the extensive data theft.

Integrated Design Solutions (IDS), another victim, is a prominent architectural and engineering firm located in Troy, Michigan. IDS is known for its multidisciplinary approach across various sectors, including education, healthcare, and industrial markets.  

Black Basta managed to exfiltrate approximately 500 GB of sensitive data from IDS, which included project details, CAD drawings, user information, and corporate data. A sample of the data was leaked on the dark web, emphasizing the severity of the breach.  

IDS is actively expanding, with offices in both Troy and Grand Rapids, Michigan, and this attack underscores the critical need for robust cybersecurity measures, given the sensitive nature of the data they handle.

Swisspro AG, a key player in the Swiss business services sector specializing in electrical technology, communications, ICT, and automation solutions, also fell victim to Black Basta. The attackers exfiltrated approximately 700 GB of sensitive data, encompassing corporate information, employee personal details, and customer information.  

The breach suggests multiple potential entry points, such as phishing or exploitation of unpatched software vulnerabilities, likely due to Swisspro AG's expansive network. The company's commitment to advanced infrastructure and fair remuneration has positioned it as a leader in its field, making this attack particularly damaging.

Another significant target was Olson & Co Steel Inc., based in San Leandro, California. Olson Steel specializes in steel fabrication and erection. In their attack, Black Basta exfiltrated approximately 900 GB of sensitive data, including HR and accounting records, employee details, and confidential project files like CAD drawings.  

This breach underscored the vulnerability of Olson Steel's cybersecurity defenses. With 251-500 employees and annual revenues between $100 million and $250 million, Olson Steel stands out in its industry due to its integration of technology in detailing, fabrication, and erection processes, making it an attractive target for ransomware groups.

Black Basta, which emerged in early 2022, is a Ransomware-as-a-Service (RaaS) group believed to be an offshoot of the disbanded Conti and REvil groups. The group exfiltrates sensitive data for extortion leverage and engages in highly targeted attacks, working with a limited number of vetted affiliate attackers.  

Their ransomware can infect both Windows and Linux systems and is known for exploiting vulnerabilities in VMware ESXi. The ransomware encrypts data with ChaCha20 and uses RSA-4096 for encryption keys.  

Black Basta has been linked to over 90 victims, amassing an estimated $107 million in ransom revenue. Their sophisticated operations and persistent threats highlight the critical need for robust cybersecurity measures across all industries.

Underground Team

The cybercrime group known as Underground Team targeted Bulldog Bag Ltd., compromising their operational integrity by deploying ransomware.  

The attack resulted in the exfiltration of 91.7 GB of sensitive data, including employee details, contracts, and financial records. This data was subsequently published on the dark web, posing significant privacy and security risks to the company and its stakeholders.  

Bulldog Bag Ltd., based in Langley, British Columbia, Canada, is a prominent player in the flexible packaging industry with over 50 years of experience. Specializing in custom printed flexible packaging products, the company employs 143 individuals and reports an annual revenue of $20.6 million.  

Bulldog Bag Ltd. is recognized for its high-quality customer service and product offerings, which include biodegradable materials and water-based inks, underscoring their commitment to environmental sustainability. The primary infection vector for this ransomware is believed to involve advanced social engineering tactics.  

Phishing emails with malicious attachments or links to compromised websites are commonly used to deceive victims into initiating the ransomware. These emails are crafted to appear legitimate, often mimicking familiar entities to lure users into downloading malicious payloads disguised as software updates or legitimate applications.

The Underground Team also targeted Frencken Group, compromising their digital infrastructure. The attackers managed to exfiltrate a substantial amount of data, approximately 439.4 GB, from the company's systems. This data was subsequently leaked online, posing significant risks to the confidentiality and integrity of both the company and its clients.  

Frencken Group Limited, a prominent player in the global technology solutions market, is known for its extensive range of services and products across various industries. With a workforce of approximately 3,600 employees and a trailing twelve months revenue of SGD 742.86 million (over 550,000 USD), the company stands out due to its innovative approach in the fields of Mechatronics and Integrated Manufacturing Services (IMS).  

Frencken Group has a significant presence in Europe, Asia, and the US, enhancing its global footprint and operational capabilities. Frencken Group's extensive reliance on digital technology and global connectivity may have increased its vulnerability to cyber-attacks such as this.  

The integration of various technologies across multiple sectors and regions potentially opens up multiple vectors for cyber threats. Additionally, the company's high-profile collaborations with leading technology firms may make it an attractive target for ransomware attacks aiming to disrupt operations or extract valuable intellectual property.

The Underground also attacked Synology involved the exfiltration of a substantial amount of data, which was fully published online, exposing sensitive information. The cybercriminals managed to exfiltrate 51 GB of data from Synology's systems, which was subsequently published online, indicating a significant data breach.  

The Underground Team likely utilized sophisticated social engineering tactics to infiltrate Synology's systems. Common methods include phishing emails with malicious attachments or links to compromised websites, designed to appear legitimate to deceive employees into initiating the malware.  

Additionally, the ransomware could have been disguised as a legitimate software update or application, further tricking users into downloading and executing the malicious payload.

The Underground Team also claimed responsibility for a severe attack on TPA Slovakia. This incident involved the deployment of a sophisticated ransomware strain, leading to the exfiltration of approximately 183.3 GB of sensitive data.  

The compromised data includes email communications, confidential agreements, accounting and tax reports, audit documents, financial records, and personal identification documents of clients. This breach has not only jeopardized the privacy of TPA Slovakia's clients but also exposed critical business information.  

TPA Slovakia, a significant entity within the TPA Group, specializes in audit, tax advisory, and business consulting primarily in Slovakia. Operating from Bratislava and Košice, the company employs over 100 staff.  

As part of the larger TPA Group, which boasts more than 1,500 employees across Central and South Eastern Europe, TPA Slovakia stands out for its effective communication, tailored solutions, and a strong focus on client success.  

The group's affiliation with the Baker Tilly Europe Alliance enhances its global reach and expertise in tax, audit, and consulting services. TPA Slovakia's vulnerabilities could stem from several areas, including but not limited to, insufficient employee training on phishing, inadequate endpoint protection, or gaps in network security.  

Given the nature of the data handled by TPA Slovakia, the firm is a high-value target for cybercriminals looking to exploit sensitive financial and personal information for monetary gain.

The cybercriminal group, Underground Team, utilizes a 64-bit GUI based ransomware application, known for its capability to delete backups, modify registry settings, and halt critical services like MSSQLSERVER.  

This group's ransomware can identify system volumes, encrypt files while avoiding certain directories and file types, and disseminate a ransom note across multiple system folders. The primary infection vectors include phishing and other social engineering tactics, often involving deceptive emails and compromised website links.


SpaceBears, a ransomware group suspected to operate from Moscow, Russia, has recently claimed responsibility for multiple high-profile attacks, showcasing their sophisticated tactics in the cyber threat landscape.  

Among their latest victims is CORTEX Chiropractic & Clinical Neuroscience, a prominent healthcare provider in Johnstown, PA, known for its personalized chiropractic and clinical neuroscience services.  

The attack on CORTEX, which operates multiple clinics serving underserved and uninsured populations, threatens significant operational disruptions, data loss, financial repercussions, and reputational damage. Healthcare organizations like CORTEX are prime targets due to the sensitive nature of patient data and the critical need for uninterrupted access to medical records and systems.

SpaceBears' modus operandi involves deploying sophisticated ransomware to encrypt victims' data, followed by demands for large ransoms to provide decryption keys. This group's clearnet presence in Moscow hints at a well-organized, corporate-like structure that adds an international dimension to their operations.  

The attack on CORTEX underscores the vulnerabilities in the healthcare sector, where outdated systems, inadequate cybersecurity measures, and the critical nature of medical data make institutions particularly susceptible to ransomware attacks.

In addition to CORTEX, SpaceBears has also targeted Mr Bean Group Limited, a company with a substantial digital and physical presence, making it vulnerable to cyber threats. Specific details of the breach are undisclosed, but common vulnerabilities such as phishing attacks, inadequate firewall protections, and unpatched software can provide entry points for such sophisticated cybercriminal groups.

Furthermore, SpaceBears claimed responsibility for an attack on SM EMBALLAGE, a Moroccan family-owned business specializing in innovative packaging solutions. This incident has caused significant disruption for the company, highlighting the potential for substantial data loss and financial impact.  

SM EMBALLAGE is recognized for its commitment to sustainability and eco-design in the packaging industry, employing a workforce of 11-50 individuals and emphasizing waste recovery and traceability in its operations.

Another victim of SpaceBears is SureWerx USA, a leading supplier of safety products and personal protective equipment (PPE). The attack raises concerns about potential data loss and significant operational disruption.  

SureWerx USA, a subsidiary of the Canadian-based SureWerx, integrates technology deeply into its operations, making rigorous cybersecurity measures crucial. Common entry points for ransomware in such manufacturing firms include phishing attacks, compromised credentials, and unpatched systems.

SpaceBears' strategic targeting of diverse sectors demonstrates their operational sophistication and the broad impact of their attacks. The group's ability to exploit vulnerabilities across various industries highlights the importance of robust cybersecurity measures to defend against such threats.  

The international nature of their operations and their corporate-like presentation further complicate efforts to combat their activities and mitigate the damage caused by their ransomware attacks.


LockBit , also known as LockBit Black, recently claimed responsibility for a cyberattack on Yupo Synthetic Papers, a prominent manufacturer in the synthetic paper industry.  

Known for its Ransomware-as-a-Service (RaaS) operations, LockBit  has orchestrated numerous high-profile cyberattacks since its inception. The group announced the attack on their dark web leak site, indicating that Yupo's cybersecurity defenses were breached.  

LockBit 's attack strategy includes encrypting files, altering filenames, changing desktop wallpapers, and leaving a ransom note. The group’s sophisticated infiltration techniques suggest they might have exploited vulnerabilities in Yupo's network through methods such as phishing, unpatched systems, or compromised credentials.

Yupo Synthetic Papers, a subsidiary of Yupo Corporation America, is renowned for its innovative, durable, and environmentally friendly products. Established in 1969 as a joint venture between Mitsubishi Chemical Corporation and Oji Paper Co. Ltd, Yupo has carved a niche in sectors like food contact and toy industries with its PVC-free, water-repellent, and tear-resistant papers.  

Based in Chesapeake, Virginia, Yupo's U.S. operations are housed in a state-of-the-art manufacturing facility. This attack highlights the vulnerabilities even specialized manufacturing entities face in the cyber realm, with potential severe implications on customer trust and regulatory compliance.

LockBit  also targeted Select Business Systems of Bakersfield (SBS), a provider of document production and management solutions. SBS, serving Southern and Central California for over four decades, specializes in multifunctional printers, copiers, and document management technologies.  

The ransomware attack involved encrypting critical data files, rendering them inaccessible. Given SBS’s size and digital reliance, potential vulnerabilities might include insufficient network segmentation, outdated software patches, or weak endpoint security measures.

Another victim of LockBit  was Pease Construction, a family-owned general contractor based in Lakewood, Washington. Known for its commitment to safety, quality workmanship, and customer service, Pease Construction specializes in both public and private sector projects. The attack led to significant disruptions in the company’s operations.  

Common entry points for such attacks include phishing, exploitation of unpatched systems, or compromised credentials. For a construction firm, the integration of technology with on-site operations can open up vectors for cyberattacks if cybersecurity measures are not adequately enforced.

Additionally, LockBit  targeted OttLite Technologies, encrypting data on their website and demanding a ransom. Founded in 1989 and headquartered in Tampa, Florida, OttLite specializes in designing and manufacturing high-efficiency lighting solutions.  

The company’s significant online presence and dependency on digital platforms for business operations increased their vulnerability to cyberattacks. Factors such as outdated security measures, lack of robust endpoint protection, or insufficient employee training on phishing could have been exploited.

LockBit , active since 2019, is known for its fast encryption speed and multiple means of extortion, often demanding ransoms in cryptocurrency. Despite an international law enforcement task force seizing their administration environment in early 2024, LockBit resumed operations within days.  

The group continues to innovate, recently introducing a macOS ransomware variant and employing advanced anti-analysis features. They exploit remote desktop protocol (RDP) and use tools like Group Policy Objects and PsExec to spread across networks.  

Despite facing competition from other ransomware groups like Cl0p, LockBit remains one of the most prolific ransomware operations, demonstrating their capability to follow through on threats, as seen in their exposure of exfiltrated Boeing data.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.