Ransomware on the Move: BlackCat/ALPHV, Medusa, NoEscape, Black Basta


October 24, 2023

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


On October 16th, BlackCat/ALPHV targeted QSI Inc., a credit card and transaction processing services provider based in Kentucky, USA. BlackCat/ALPHV claimed to have stolen a massive 5TB of sensitive data, including financial records, client information, SQL databases, and more.

The following day, they struck Catarineau & Givens P.A., a full-service accounting firm in Miami, Florida, and published the stolen data on their leak site. Additionally, they attacked The Law Offices of Julian Lewis Sanders and Associates in Atlanta, Georgia, stealing 1TB of legal, criminal, and medical records.  

Finally, SIIX Corporation, a Japanese multinational specializing in electronics manufacturing services, also fell victim to the group's attack, although no specific data details were provided.

BlackCat/ALPHV is a highly sophisticated ransomware group, using a well-developed Ransomware-as-a-Service (RaaS) platform. This platform employs an AES encryption algorithm and is highly customizable. The group can disable security tools, evade analysis, and affect systems running Windows, VMWare ESXi, and various Linux distributions.

The group is known for its extensive targeting, focusing on healthcare, pharmaceutical, financial, manufacturing, legal, and professional services industries. In a shocking move, they published compromising clinical photographs of breast cancer patients, demonstrating their ruthless approach to extortion.

BlackCat/ALPHV is infamous for exfiltrating victim data prior to ransomware execution, often leveraging double extortion schemes. Affiliates receive a generous share of the ransom proceeds, ranging from 80-90%.


Medusa is another ransomware group that made its debut in the summer of 2021 and rapidly gained notoriety. The gang recently targeted Symposia Organizzazione Congressi, an event planning service in Genova, Italy, and threatened to release all stolen data if a $100,000 ransom was not paid by October 30th.

ATI Traduction, a translation services company in France, was another victim. The gang demanded a $100,000 ransom, with a deadline set for October 24th. Additionally, they attacked EDB Soluzioni Eloctronique, an electronic solutions provider in Italy, threatening to publish 76.6GB of stolen data by October 26th.

Medusa has a unique modus operandi, restarting infected machines in safe mode to avoid detection and erasing local backups, which prevents recovery. The group is known for demanding multi-million-dollar ransoms, with amounts varying based on the victim's ability to pay.  

Medusa targets healthcare, pharmaceutical companies, and the public sector, employing double extortion schemes.

Black Basta

This ransomware group attacked Edwardian Hotels London, Haffner GmbH, a chemical supplier in Germany, and Piemme, an Italian publishing house. However, they provided limited details on these attacks.

Black Basta emerged in early 2022 and quickly became one of the most prolific groups. It's believed to be a revival of the Conti and REvil attack groups, known for exfiltrating sensitive data from victims for double extortion.

The group conducts highly targeted attacks, primarily focusing on manufacturing, transportation, construction, telecommunications, the automotive sector, and healthcare providers. Reports suggest that their ransom demands can be as high as $2 million.


Knight targeted Faieta Motor Company, a Yamaha dealership in Italy, and Mario De Cecco, a workwear manufacturer in Italy. The group overhauled the Cyclops ransomware in July, recruiting affiliates to enhance data theft from both Windows and Linux systems.

The gang uses deceptive HTML attachments and employs a 'lite' version of their ransomware for mass distribution. Victims are lured into downloading an Excel file, which triggers the activation of ransomware. The group typically demands a $5,000 ransom payment, with no guarantee of decryption.


NoEscape attacked Mount Holly Nissan in New Jersey and KBS Accountants in the Netherlands. The group operates as a ransomware-as-a-service, offering affiliates the ability to customize their ransomware executables.

Victims receive a note informing them of the encryption of their data, with a demand for payment in exchange for a recovery tool. Non-compliance results in files remaining encrypted and stolen information being sold on the darknet. The group advises victims to use the TOR browser for the payment process.

NoEscape – assessed to be a spinoff of the disbanded Avaddon gang - emerged in May of 2023 and operates as a Ransomware-as-a-Service (RaaS) and emerged with variants for targeting both Windows, Linux and VMware ESXi systems. NoEscape provides affiliates with 24/7 technical support, communications, negotiation assistance, as well as an automated RaaS platform update feature.


LockBit attacked Kasparek Optical in Michigan and SD Products in the UK. The group has been active since 2019, known for its fast encryption and a triple extortion model.

LockBit targets larger enterprises across various industry verticals, particularly favoring healthcare. The group demanded ransoms in excess of $50 million in 2022 and introduced LockBit 3.0 with advanced anti-analysis features. Affiliates can receive up to 75% of the attack proceeds.

LockBit is noted for using a triple extortion model where the victim may also be asked to purchase their sensitive information in addition to paying the ransom demand for decrypting systems.  

LockBit employs publicly available file sharing services and a custom tool dubbed Stealbit for data exfiltration. LockBit was by far the most active attack group in 2022 and continued to be one of the top attack groups in Q1 of 2023


Snatch attacked Intech, an IT and telecom solutions provider in Texas. The group has been active since 2018 and specializes in evading security tools and preventing recovery.

Snatch operates moderately in terms of attack volume but is on track to increase activity by 50% in 2023 compared to 2022. Their ransom demands are relatively low, ranging from several thousand to tens of thousands of dollars. Snatch targets vary widely, and they employ double extortion schemes.

Snatch can evade security tools and deletes Volume Shadow Copies to prevent rollbacks and any local Windows backups to thwart recovery. There has also been a Linux version observed. Snatch attack volume has been modest compared to leading ransomware operators but is on pace to increase about 50% in 2023 compared to 2022 levels.


Cactus targeted Omnivision Technologies, a digital imaging solutions company. Not much is known about Cactus, as they are maintaining a low profile and have attacked a limited number of organizations.

Once gaining entry to the network, Cactus operators engage in activities such as enumerating local and network user accounts and identifying accessible endpoints. They then proceed to generate new user accounts and utilize custom scripts for the automated rollout and activation of the ransomware encryptor through scheduled tasks.  

It is noteworthy that the ransomware encryptor utilized by Cactus exhibits a unique characteristic – it necessitates a decryption key for the execution of the binary, likely implemented to evade detection by anti-virus software.


INC Ransom targeted Greenpoint Technologies, a luxury aircraft interior design company. They encrypted files and demanded a ransom for decryption services. Victims received a 72-hour window to contact the attackers and make the payment, with the threat of data exposure if they didn't comply.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.