Ransomware on the Move: BlackCat/ALPHV, Black Basta, Play, LockBit


November 28, 2023


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:




BlackCat/ALPHV emerged in late 2021 and quickly gained notoriety for its sophisticated Ransomware-as-a-Service (RaaS) platform. The group is particularly adept at evading security tools and has become one of the most active ransomware families.


Notably, BlackCat/ALPHV engages in double extortion schemes, exfiltrating victim data before encrypting files. The group targets a wide range of industries, including healthcare, pharmaceuticals, finance, manufacturing, legal, and professional services.


In recent incidents, MeridianLink, a financial software company, Autonomous Flight Technologies (AFT), Hampton Newport News CSB, and The Walker School fell victim to BlackCat/ALPHV.


MeridianLink refuted claims of unauthorized access, emphasizing minimal business interruption. AFT, a leading drone systems manufacturer, and Hampton Newport News CSB, a behavioral health services provider, faced undisclosed impacts. The Walker School, a private school in Georgia, suffered a significant data breach compromising sensitive information.


BlackCat/ALPHV employs advanced techniques, such as disabling security tools, employing multiple encryption routines, and releasing an API for its leak site. The group demands ransoms ranging from $400,000 to $3 million, with instances exceeding $5 million.


BlackCat/ALPHV was the first to use the Rust programming language and released a new ransomware variant, Sphynx, with improved evasion capabilities. The group also utilizes custom tools like Exmatter for data exfiltration.


Black Basta


Black Basta, an emerging RaaS platform since 2022, is considered an offshoot of the disbanded Conti and REvil groups. The group exhibits a focus on targeted attacks, with victims including Etude Villa Florek, Agrovi, EDC, and UCH Logistics. Notably, EDC, a Danish real estate company, faced a significant attack, but official statements are yet to be released.


Black Basta's tactics involve leveraging TTPs for ingress, lateral movement, data exfiltration, and deploying ransomware payloads. Ransom demands can be as high as $2 million, and the group actively evolves its RaaS platform.


Black Basta targets manufacturing, transportation, construction, telecommunications, automotive, and healthcare sectors. The group engages in double extortion, maintaining an active leaks website for data exposure.




Play, a RaaS platform since the summer of 2022, gained notoriety with attacks on KaDeWe, PIKE Technologies, Thompson Candy, and Wyatt Detention Center. KaDeWe, a German department store group, reported that its credit card payment systems remained secure during the attack.


PIKE Technologies, a spectroscopic accessories specialist, and Thompson Candy, a historic chocolate company, faced undisclosed impacts. Wyatt Detention Center's attack involved the exfiltration of private and confidential data.


Play distinguishes itself with the use of tools like Cobalt Strike, SystemBC RAT, and exploits such as ProxyNotShell and OWASSRF. The group abuses insecure Remote Desktop Protocol (RDP) deployments and engages in double extortion, maintaining an active leaks website. Play primarily targets Latin America, especially Brazil, but extends its attacks beyond the region.




LockBit, active since 2019, is a pioneer in RaaS, known for its security tool evasion and fast encryption. Recent victims include Ayuntamiento de Villanueva de la Serena, Chicago Trading Company, and The Robison Group.


LockBit demands ransoms in excess of $50 million and has targeted significant organizations like Taiwan Semiconductor Manufacturing Company (TSMC).


LockBit's innovative RaaS platform, including LockBit 3.0, supports advanced anti-analysis features and poses a threat to both Windows and Linux systems. The group exploits Remote Desktop Protocol (RDP) and spreads through Group Policy Objects and PsExec.


LockBit actively supports its older variant, LockBit 2.0, and targets larger enterprises, particularly in the healthcare sector.




NoEscape, emerging in May 2023, operates as a Ransomware-as-a-Service (RaaS) with variants targeting Windows, Linux, and VMware ESXi systems. Notable victims include Enware Australia and Kwik Industries.


Enware, a plumbing and safety equipment supplier, faced the compromise of 20 GB of sensitive data, while Kwik Industries, a construction and automotive service brand, suffered the exfiltration of over 35 GB of data.


NoEscape's success lies in its 24/7 technical support for affiliates and an automated RaaS platform update feature. The group rapidly escalated attack volumes in the second quarter of 2023, with affiliates reportedly receiving generous profit shares. NoEscape targets various industry verticals, specializing in double extortion schemes.




Medusa, a RaaS platform since the summer of 2021, experienced fluctuations in attack volumes in the first half of 2023. The group targeted Olivetti, McCray, and Withrow LLC, a law firm, with a ransom demand deadline set for November 29th.


Medusa's tactics involve restarting infected machines in safe mode to evade detection and prevent recovery.


Medusa demands ransoms in the millions, with a focus on healthcare, pharmaceuticals, and public sector organizations. The group employs multiple means of extortion, potentially asking victims to pay for both encrypted files and sensitive information exfiltrated during the attack.




Akira, emerging in March 2023 and possibly linked to the Conti gang, distinguishes itself by allowing direct negotiations between attackers and victims. Athens Technology Center fell victim to Akira, with no further information disclosed. Akira leverages a RaaS platform written in C++ and targets both Windows and Linux systems.


Akira's tactics include exploiting VPN credentials, deploying a custom Go-based backdoor, and leveraging exploits such as a zero-day in Cisco's Adaptive Security Appliance (ASA). The group engages in data exfiltration and double extortion, targeting various industries, including education, finance, and manufacturing.




Bolidt, a synthetic applications specialist in the Netherlands, suffered a significant data leak orchestrated by BianLian. The group obtained 1.6 TB of data, including finance data, employee information, trade secrets, and internal emails.


BianLian shifted from deploying ransomware to focusing on data extortion attacks, leveraging open-source tools for credential harvesting and data exfiltration.
