Ransomware on the Move: BlackCat/ALPHV, 8Base, LockBit, Akira, Medusa

Date: December 12, 2023


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:

 

8Base

 

Lanificio Luigi Colombo S.p.A., the world's largest producer of cashmere and noble-fiber fabrics, fell victim to 8Base's ransomware attack. The group asserted access to a trove of sensitive data, including invoices, personal information, employment contracts, and confidentiality agreements.

 

Not stopping there, 8Base extended its reach to Leezer Agency, an insurance company specializing in farm sales and property insurance, and Moderngrab S.A., a prepress solutions company based in Spain.

 

The scope of 8Base's attacks widened to include Parsons Investments, a Canadian real estate player, and Scheidt GmbH, a renowned company operating in diverse sectors. Storey Trucking Company, Inc., a trucking company based in Alabama, and Wild Republic, a prominent toy maker focusing on wildlife education, also found themselves in the crosshairs of the relentless 8Base ransomware group.

 

Having surfaced in March 2022, 8Base quickly rose through the ranks of active ransomware operators, exhibiting a substantial increase in activity in the first half of 2023.

 

Their targets span a range of sectors, with a particular focus on business services, manufacturing, and construction. The group's tactics involve data exfiltration for double extortion, advanced security evasion techniques, and a preference for a customized Phobos build, delivered with SmokeLoader, as their primary ransomware payload.

 

Unlike other ransomware groups, 8Base does not seem to have its own signature strain or maintain a public Ransomware-as-a-Service (RaaS) program. However, researchers speculate that the group may privately collaborate with vetted affiliate attackers.

 

The absence of a fixed ransom demand complicates the assessment of their monetary motives, but their leaks site serves as a potent tool for name-and-shame tactics to pressure victims into paying.

 

Akira

 

Another prominent player in the ransomware arena is the Akira group, which launched a series of attacks targeting diverse organizations. Iptor, a provider of integrated enterprise solutions, faced the brunt of Akira's assault, with the group claiming access to 20GB of data, including confidential agreements and operational files.

 

Akira then set its sights on Bern Hotels and Resorts in Panama, harvesting a dozen gigabytes of operational files laden with detailed personal information.

 

In Italy, Akira attacked Getrix, the country's most used real estate management software, snatching 10GB of corporate information, including client details, contracts, and real estate data. The Bauwerk Boen Group, a significant player in the parquet industry, also suffered a blow from Akira, with the group obtaining a staggering 40GB of sensitive data.

 

The emergence of Akira in March 2023 raised eyebrows, and its potential connection to the notorious Conti gang remains a subject of speculation. Unique features, such as a chat feature for direct negotiation with victims and informing paying victims about the infection vector used against them, distinguish Akira from other ransomware operators.

 

Operating a RaaS written in C++, Akira exhibits versatility by targeting both Windows and Linux systems, often exploiting VPN credentials for intrusion.

 

July saw Akira diversifying its portfolio by introducing a Linux variant, and the group was observed exploiting a zero-day vulnerability in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software.

 

This multi-pronged approach reflects Akira's adaptability and determination to penetrate various industries, including education, finance, and manufacturing.

 

BlackCat/ALPHV

 

BlackCat/ALPHV, another formidable ransomware group, flexed its muscles in attacks against Lisa Mayer CA Professional Corporation and IRC Engineering in Belgium. The former, specializing in taxation, accounting, bookkeeping, and payroll, experienced a breach resulting in the theft of confidential corporate documents.

 

Meanwhile, IRC Engineering faced the brunt of BlackCat/ALPHV's assault, compromising its business tools and corporate information.

 

Active since late 2021, BlackCat/ALPHV has established itself as a force to be reckoned with, boasting a well-developed RaaS platform equipped with AES encryption. The group's agility in disabling security tools, evading analysis, and leveraging multiple encryption routines sets it apart in the ransomware landscape.

 

BlackCat/ALPHV's affinity for the healthcare, pharmaceutical, financial, manufacturing, legal, and professional services sectors makes it a versatile threat. With ransom demands ranging from $400,000 to over $5 million, BlackCat/ALPHV maintains a strong position in the ransomware arena.

 

Recent innovations, such as releasing an API for their leak site and incorporating the secure programming language Rust, showcase the group's commitment to staying ahead of the cybersecurity curve.

 

LockBit

 

The LockBit ransomware group orchestrated attacks against Elsewedy Electric in Egypt and Pacific Cataract and Laser Institute. Elsewedy Electric, operating across five key business sectors, suffered the theft of accounting information, audit data, contracts, HR information, and proprietary data.

 

In a cyber onslaught against Pacific Cataract and Laser Institute, LockBit disrupted communications systems, underscoring the group's persistent and diversified approach.

 

Active since 2019, LockBit has maintained its status as a RaaS powerhouse, excelling in security tool evasion and rapid encryption. Known for its multiple means of extortion, including the exfiltration of sensitive information, LockBit has demanded ransoms exceeding $50 million.

 

The group's audacity was evident in its $70 million ransom demand to Taiwan Semiconductor Manufacturing Company (TSMC) in July.

 

LockBit's continuous innovation, marked by the release of LockBit 3.0 and the introduction of a macOS ransomware variant, reflects its commitment to staying ahead of security measures.

 

With a modular and configurable structure, LockBit poses a persistent threat to both Windows and Linux systems, targeting larger enterprises across diverse industries, with a particular focus on healthcare organizations.

 

Black Basta

 

The Black Basta ransomware group expanded its victim list by targeting Inspired Entertainment, a global provider of content, technology, hardware, and services for regulated gaming, betting, lottery, and leisure operators.

 

While details of the attack remain undisclosed, the impact on Inspired's operations is a testament to the group's relentless pursuit of victims across various industries.

 

Black Basta continues to evolve its RaaS platform, with ransomware payloads that can infect both Windows and Linux systems. Black Basta is particularly adept at exploiting vulnerabilities in VMware ESXi running on enterprise servers.

 

Black Basta ransomware is written in C++ and targets both Windows and Linux systems. It encrypts data with ChaCha20 and then encrypts the ChaCha20 key with RSA-4096, a combination that allows rapid encryption across the targeted network.

 

In some cases, Black Basta leverages malware strains like Qakbot and exploits such as PrintNightmare during the infection process. Black Basta also favors abuse of insecure Remote Desktop Protocol (RDP) deployments, one of the leading infection vectors for ransomware.

 

Medusa

 

Medusa, a RaaS platform that surfaced in the summer of 2021, claimed responsibility for a ransomware attack against Rosens Diversified Inc. With a diverse portfolio spanning agriculture products, beef processing, transportation, and marketing, Rosens Diversified Inc faced the brunt of Medusa's assault.

 

While Medusa's attack volumes fluctuated in the first half of 2023, the group's tactics, including restarting infected machines in safe mode and preventing recovery by deleting backups, showcase its commitment to evading detection.

 

With ransom demands reaching millions of dollars, Medusa remains a potent force in the ransomware landscape, particularly targeting healthcare, pharmaceutical, and public sector organizations.

 

The Medusa RaaS operation (not to be confused with the operators of the earlier MedusaLocker ransomware) typically compromises victim networks through brute-forcing RDP credentials, malicious email attachments (macros), torrent websites, or through malicious ad libraries.
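The RDP credential brute-forcing described here, like the insecure RDP deployments Black Basta favors above, leaves a distinctive trail in the Windows Security log as a burst of failed-logon (4625) events from one source. The following is an added detection example, not Halcyon's code or any group's tooling, that counts failed RDP-style logons per source address over a sliding window on constructed 4625 records; the threshold, window and sample addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Windows Security EventID 4625 (failed logon) records, not real telemetry:
# (timestamp, source IP, target account, logon type). Type 10 = RemoteInteractive (RDP);
# type 3 = Network, which is how RDP with NLA records pre-authentication failures.
SAMPLE_4625 = [
    ("2023-12-05T02:14:%02d" % (2 * i), "203.0.113.7", user, 3 if i % 2 else 10)
    for i, user in enumerate(["administrator", "admin", "backup", "svc_sql", "helpdesk",
                              "jsmith", "scanner", "test", "guest", "finance",
                              "itadmin", "root"])
] + [
    ("2023-12-05T02:30:15", "198.51.100.22", "alice", 10),   # a user mistyping a password
    ("2023-12-05T02:30:40", "198.51.100.22", "alice", 10),
]


def detect_rdp_bruteforce(events, threshold=10, window_minutes=5, logon_types=(3, 10)):
    """Return one alert per source IP that produces >= threshold failed RDP-style logons
    inside any sliding window of window_minutes (threshold and window are assumed values)."""
    per_ip = defaultdict(list)
    for ts, ip, user, ltype in events:
        if ltype in logon_types:
            per_ip[ip].append((datetime.fromisoformat(ts), user))
    window = timedelta(minutes=window_minutes)
    alerts = []
    for ip, rows in per_ip.items():
        rows.sort()
        start = 0
        for end in range(len(rows)):
            # Advance the window start until the span fits inside window_minutes.
            while rows[end][0] - rows[start][0] > window:
                start += 1
            if end - start + 1 >= threshold:
                users = {u for _, u in rows[start:end + 1]}
                alerts.append({
                    "source_ip": ip,
                    "failures": end - start + 1,
                    "distinct_users": len(users),
                    # Many accounts from one source is spraying; one account is guessing.
                    "pattern": "spray" if len(users) > 1 else "guess",
                    "first": rows[start][0].isoformat(),
                    "last": rows[end][0].isoformat(),
                })
                break  # one alert per source is enough for triage
    return alerts
```
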

 

Medusa can terminate over 280 Windows services and processes without command line arguments (there may be a Linux version as well, but it is unclear at this time). Medusa encrypts with the AES-256 algorithm using an encrypted RSA public key.

 

Medusa deletes the Volume Shadow Copies by abusing the vssadmin command to thwart rollback efforts. Medusa can disable over 200 services and released a more advanced variant in September with faster encryption speeds and the ability to delete backups to complicate recovery.

 

NoEscape

 

NoEscape, a recently emerged RaaS operation, targeted Grupo PRIDES, an Information and Communication Technology (ICT) company. Despite limited public information, Grupo PRIDES fell victim to the rapid ascent of NoEscape, demonstrating the group's potential as a new contender in the ransomware arena.

 

NoEscape is written in C++ and is relatively unique in the space in that the developers opted to build the RaaS platform from scratch rather than rely on code re-use from other ransomware variants.

 

NoEscape ransomware payloads target both Windows and Linux systems and support multiple encryption options ranging from extra fast to extra strong. They leverage the RSA and ChaCha20 encryption algorithms and may use a single key for all impacted files, allowing faster decryption if a ransom is paid.

 

NoEscape can operate in safe mode to bypass security tools, terminates processes, erases VSS shadow copies and system backups to thwart recovery efforts, and abuses the Windows Restart Manager to get around processes it could not terminate.
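The recovery-inhibition steps described for Medusa above (safe-mode restart, shadow copy deletion via vssadmin, backup deletion) and for NoEscape here all run through a handful of built-in Windows utilities, so process-creation telemetry is the natural place to catch them before encryption starts. The following added example, not code from this page or from any of the groups discussed, matches constructed command lines against those patterns and escalates when several distinct techniques appear together; the rule names, sample command lines and verdict thresholds are assumptions.

```python
import re

# Constructed process-creation records (Sysmon Event 1 / Security 4688 style), not real
# telemetry: (image path, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin delete shadows /all /quiet"),
    ("C:\\Windows\\System32\\wbem\\WMIC.exe", "wmic shadowcopy delete"),
    ("C:\\Windows\\System32\\bcdedit.exe", "bcdedit /set {default} safeboot network"),
    ("C:\\Windows\\System32\\bcdedit.exe", "bcdedit /set {default} recoveryenabled no"),
    ("C:\\Windows\\System32\\wbadmin.exe", "wbadmin delete catalog -quiet"),
    ("C:\\Windows\\System32\\vssadmin.exe", "vssadmin list shadows"),  # benign admin query
    ("C:\\Windows\\System32\\notepad.exe", "notepad.exe C:\\Users\\alice\\notes.txt"),
]

# (rule name, regex over the normalised command line, technique it maps to). Names are assumed.
RULES = [
    ("vss_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b"), "shadow copy deletion"),
    ("wmic_shadow_delete", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b"), "shadow copy deletion"),
    ("wbadmin_catalog", re.compile(r"\bwbadmin(\.exe)?\s+delete\s+(catalog|systemstatebackup)\b"), "backup deletion"),
    ("bcdedit_safeboot", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\bsafeboot\b"), "safe mode reboot"),
    ("bcdedit_recovery_off", re.compile(r"\bbcdedit(\.exe)?\s+/set\b.*\brecoveryenabled\s+no\b"), "recovery disabled"),
]


def normalise(cmdline: str) -> str:
    """Lower-case and collapse whitespace so spacing tricks do not dodge the patterns."""
    return " ".join(cmdline.strip().lower().split())


def match_event(cmdline: str):
    """Return the (rule name, technique) pairs a single command line triggers."""
    norm = normalise(cmdline)
    return [(name, tech) for name, rx, tech in RULES if rx.search(norm)]


def scan(events):
    """Run every rule over a batch of (image, cmdline) records and collect the hits."""
    hits = []
    for image, cmdline in events:
        for name, tech in match_event(cmdline):
            hits.append({"image": image, "rule": name, "technique": tech, "cmdline": cmdline})
    return hits


def assess(hits):
    """Two or more distinct recovery-inhibition techniques on one host is a strong
    pre-encryption signal; a lone vssadmin call may still be legitimate storage work."""
    techniques = {h["technique"] for h in hits}
    verdict = "high" if len(techniques) >= 2 else ("medium" if techniques else "none")
    return verdict, sorted(techniques)
```
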

 

Qilin

 

Qilin, another RaaS operation employing a Rust-based ransomware, claimed an attack against Great Lakes Technologies, a provider of device repair and IT services. With a focus on altering filename extensions, terminating processes, and exfiltrating sensitive data, Qilin showcases the adaptability and sophistication of modern ransomware tactics.

 

Qilin has rapidly risen in prominence, offering attractive profit-sharing models for affiliates and leveraging Rust for efficient and customizable attacks across different operating systems.

 

Qilin (aka Agenda) is a RaaS operation that first emerged in July 2022. Its ransomware is written in the Go and Rust programming languages and is capable of targeting Windows and Linux systems.

 

Rust is a secure, cross-platform programming language that offers exceptional performance for concurrent processing, making it easier to evade security controls and develop variants to target multiple OSes. Qilin operators are known to exploit vulnerable applications including Remote Desktop Protocol (RDP).

 

Snatch

 

Snatch, a RaaS platform active since 2018, claimed responsibility for an attack against ALVImedica, a company specializing in innovative product portfolios in endovascular and interventional cardiology. Despite its modest attack volumes compared to leading ransomware operators, Snatch stands out for its traditional approach, rebooting in safe mode to disable security tools and leveraging legitimate tools for its attacks.

Written in Go, Snatch's unique reboot in safe mode distinguishes it from other ransomware operators, showcasing a more traditional RaaS platform. Despite its lower ransom demands, Snatch remains a potent threat, especially with its focus on healthcare and pharmaceutical sectors.

 

The ransomware threat landscape continues to evolve, with multiple groups showcasing diverse tactics and expanding their reach across industries. From established players like LockBit and BlackCat/ALPHV to new contenders like NoEscape and Qilin, the ransomware ecosystem is dynamic and persistent.

 

Organizations must remain vigilant, invest in robust cybersecurity measures, and stay informed about the evolving tactics employed by these ransomware groups to effectively combat this escalating cyber threat.

Halcyon.ai is the industry's first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware. Talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.