Ransomware on the Move: BlackSuit, BianLian, RansomHub, Snatch


May 4, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


The Ellsworth Cooperative Creamery, renowned for its high-quality cheese products, fell victim to a ransomware attack orchestrated by the BlackSuit group, highlighting the vulnerability of businesses in the agriculture sector to cyber threats.  

With approximately 200-500 employees, the creamery boasts a wide array of cheese products, including cheese curds, barrel cheese, processed cheese, and specialty cheeses.  

The attack underscores the necessity for robust cybersecurity measures in an increasingly technology-dependent industry. Strategies such as employee education, strong passwords, multi-factor authentication, regular system updates, and backup plans are crucial for mitigating such threats.

Meanwhile, SIP, a Belgian IT partner catering to businesses with IT services, faced a similar assault from BlackSuit. With a team of 24 professionals, SIP operates in the business services sector, providing IT infrastructure management and consultation.  

The attack exemplifies the group's targeting of both large enterprises and small to medium-sized businesses across various industries, exploiting vulnerabilities in cybersecurity practices.

The impact of ransomware attacks like these can be substantial, although specifics regarding SIP's situation remain undisclosed. Nonetheless, organizations are advised to implement ransomware containment measures to halt active attacks and reduce the impact of potential data breaches.

BlackSuit, unlike traditional Ransomware-as-a-Service (RaaS) operations, operates discreetly without known affiliates, utilizing encryption mechanisms and tactics reminiscent of the Royal ransomware. Since its emergence in 2023,  

BlackSuit has targeted a diverse range of sectors, with notable focus on education and manufacturing. While specific figures on attack volume and ransom demands are scarce, victims like ZooTampa, Southwest Binding & Laminating, and Western Municipal Construction attest to the group's disruptive capabilities.

Operating independently, BlackSuit retains all profits from its operations, diverging from the typical RaaS economic model. This clandestine approach may serve to bolster operational security and maximize profits.  

As BlackSuit continues to evolve, organizations must remain vigilant, fortifying their cybersecurity posture to fend off potential attacks and safeguard critical assets.


Chambers Construction Co., a respected entity in the construction sector, was recently ensnared in a ransomware assault conducted by the notorious BianLian group.  

Established in 1955, Chambers has been a cornerstone in Eugene/Springfield and the wider Oregon and Northwest regions.  

Known for their integrity and commitment to delivering top-tier structures in collaboration with clients, they specialize in Butler Manufacturing steel buildings, offering versatile design solutions and project efficiency.  

However, the intricacies of construction project delivery render the industry susceptible to ransomware attacks, exacerbated by tight timelines, lean methodologies, and just-in-time material delivery.

To combat such threats, robust security measures are imperative. Endpoint security, network monitoring, and data loss prevention mechanisms are essential. Moreover, employee education on phishing risks and secure password practices is paramount.

Similarly targeted, On Q Financial, LLC, a finance sector player, found itself in BianLian's crosshairs. Providing mortgage services, On Q emphasizes customer satisfaction and a streamlined mortgage process.  

The finance industry's susceptibility to ransomware stems from the potential for significant financial losses and the imperative of maintaining operational continuity. BianLian's transition from traditional ransomware to extortion-based strategies compounds these risks, with prominent operations reported by cybersecurity agencies.

Mitigating BianLian's threats requires proactive monitoring, regular updates, and adherence to security best practices.  

BianLian's evolution from traditional RaaS to data extortion underscores the efficacy of this strategy, with notable attacks targeting critical infrastructure, financial institutions, healthcare, and more. While specifics on ransom demands remain unclear, victims like Air Canada, Griffing & Company, and International Biomedical Ltd. highlight the group's disruptive capabilities.

Economically, BianLian's shift towards data extortion signifies a departure from traditional ransomware models. Leveraging open-source tools and command-line scripts, they exploit compromised credentials to infiltrate diverse industries.  

The surge in their activity underscores the urgency for organizations to fortify their defenses and stay vigilant against evolving cyber threats.


Carrozzeria Aretusa srl, a prominent car body repair and maintenance company based in Milan, Italy, found itself at the mercy of the emergent ransomware group RansomHub, which distinguishes itself by backing claims with data leaks.  

Founded in 1960, Carrozzeria Aretusa srl boasts a well-established reputation in the hospitality sector, offering expert car bodywork and mechanical repairs.  

However, the ransomware attack underscores the imperative for robust cybersecurity measures to safeguard against such threats, especially as AI technology enhances the efficacy and frequency of attacks.

Similarly targeted, HCI Systems, Inc., a provider of fire protection, nurse call, security, and DAS solutions, fell prey to RansomHub's indiscriminate targeting across various countries, including the US, Brazil, Indonesia, and Vietnam.  

This attack highlights vulnerabilities in infrastructure, such as outdated software or unpatched equipment, underscoring the necessity for simulation and training programs to bolster security awareness.

Furthermore, Better Accounting Solutions, a small business dedicated to delivering quality accounting services, faced the onslaught of RansomHub, operating as a Ransomware-as-a-Service (RaaS) group.  

Accounting firms, with their wealth of sensitive client information, have become prime targets, necessitating robust cybersecurity measures, including software updates, strong passwords, and regular data backups. Mitigation strategies also involve comprehensive response plans and ongoing employee training to enhance security awareness.

RansomHub's emergence as a RaaS platform signals a concerning development in the cybercrime landscape, with affiliates retaining the lion's share of ransom proceeds.


Notable victims, including Change Healthcare and Kovra, attest to the group's aggressive expansion strategy and substantial ransom demands, underscoring their focus on targeting large organizations capable of meeting hefty payments.  

With a strong emphasis on the healthcare sector, RansomHub's economic model incentivizes the recruitment of skilled affiliates, amplifying the threat posed to organizations worldwide. As such, vigilance, preparedness, and proactive cybersecurity measures are imperative in the face of evolving ransomware threats.


Seven Seas Group, a major player in maritime services, faced a severe setback as it fell prey to a ransomware attack orchestrated by the notorious Snatch group.  

With a global presence and a commitment to superior service, Seven Seas Group's specialization in ship supplies and technical maritime brands makes it an attractive target for cybercriminals seeking to exploit vulnerabilities in its network.

This incident is part of a broader trend of ransomware attacks affecting various industries, underscoring the urgent need for robust cybersecurity measures across sectors.

Similarly targeted, Retirement Line, the UK's largest pension annuity broker, found itself entangled in the web of a Snatch ransomware attack.  

Renowned for its expertise in securing optimal annuity rates for retirees, Retirement Line's prominence in the finance sector makes it a prime target for cyber threats. The attack underscores the ongoing danger posed by cybercriminals to businesses, regardless of industry, emphasizing the critical importance of maintaining strong cybersecurity protocols.

Furthermore, the jewelry retail giant Malabar Gold & Diamonds faced a ransomware onslaught from the Snatch group, jeopardizing its operations and customer data.

With a significant global presence and a focus on modern designs and customer-friendly services, Malabar Gold & Diamonds stands as a leader in the jewelry industry.

However, its prominence makes it an attractive target for cyberattacks, highlighting the need for heightened vigilance and robust cybersecurity measures to mitigate such threats effectively.

In the construction sector, Hawbaker Engineering, renowned for its integrated design and construction services, found itself targeted by the Snatch ransomware group.

With a diverse portfolio of projects and a sizable workforce, Hawbaker Engineering's vulnerability to cyber threats underscores the imperative for companies to prioritize cybersecurity protocols, including regular software updates and strong authentication measures.

Moreover, HSPG & Associates, a firm providing tax, accounting, and auditing services, encountered a ransomware attack from the Snatch group, jeopardizing sensitive financial data.

With a significant presence in the finance sector and a commitment to integrity, HSPG & Associates' vulnerability to cyber threats underscores the pervasive nature of ransomware attacks across industries, necessitating proactive cybersecurity measures to safeguard valuable data and operations.

Snatch's emergence as a Ransomware-as-a-Service (RaaS) platform presents a concerning development in the cybercrime landscape, with affiliates leveraging sophisticated techniques to evade security measures and exploit vulnerabilities.

The group's diverse targeting across industries, including defense, agriculture, and information technology, underscores the need for comprehensive cybersecurity strategies tailored to specific threats.

As cybercriminals continue to evolve their tactics, organizations must remain vigilant and proactive in fortifying their defenses against ransomware attacks to mitigate potential risks effectively.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.