Ransomware on the Move: Hunters International, Black Basta, RansomHub, DragonForce


April 16, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

Hunters International

The notorious ransomware gang, Hunters International, has unleashed a wave of cyberattacks targeting prominent companies across various industries. One of their high-profile victims is the Benetton Group, a renowned fashion giant headquartered in Italy.  

Hunters International claims to have infiltrated Benetton's network, siphoning off a staggering 433GB of data.  

The cybercriminals have listed Benetton on their leak site, threatening to disclose sensitive client information unless their demands are met. Despite the looming threat, specific ransom terms remain undisclosed.

DataBank, a prominent data center company catering to the AI and Edge era, also fell prey to Hunters International. The attack resulted in the exfiltration of a colossal 3.5 TB of data, compromising over 10 million files, including sensitive client data.  

DataBank's extensive infrastructure, with over 65 data centers strategically located across the US, underscores the scale of the breach.

Further escalating their spree, Hunters International targeted Paulmann Licht, a leading lighting manufacturer in Germany. The hackers issued a tight deadline for negotiation, providing little over two days for the victim to respond.  

While the ransom amount and terms remain undisclosed, evidence of the incident has surfaced on the dark web, adding to the mounting pressure on Paulmann Licht.

In another attack, T A Khoury & Co, an esteemed accounting firm in Australia, found itself in the crosshairs of Hunters International. The cybercriminals claim to have stolen 63.7 gigabytes of data, categorizing it into "Client Files" and "Financial Data."  

Despite the identical size and number of files in both categories, the specific contents of the stolen data remain shrouded in mystery.

Moreover, Hunters International targeted Robertson Cheatham Farmers Cooperative, although details of the attack are scarce. The cooperative, deeply rooted in agricultural communities across multiple locations, faces an uncertain future following the ransomware assault.

Hunters International, a Ransomware-as-a-Service (RaaS) group, has emerged as a formidable threat, leveraging sophisticated tactics to exfiltrate valuable data and extort ransom payments.

Despite their denials of any ties to previous ransomware operations, the group's modus operandi bears striking resemblances to the notorious Hive ransomware strain, raising concerns about the evolving landscape of cyber threats.

Black Basta

The Black Basta ransomware gang continues to wreak havoc across various industries, targeting organizations worldwide with sophisticated attacks.  

Among its recent victims is Paterson & Cooke, an engineering consultancy renowned for its expertise in slurry pipeline and mine backfilling services. Despite their extensive presence across several countries, details of the attack remain undisclosed.

Similarly, the Parklane Group, a prominent property and leisure company based in the UK, fell victim to Black Basta's ransomware operations, further amplifying concerns about the group's indiscriminate targeting.

Additionally, Schlesinger Law Offices, a reputable firm specializing in personal injury cases, faced an attack by Black Basta, highlighting the group's willingness to target organizations across different sectors.

Black Basta, identified as a Ransomware-as-a-Service (RaaS) group, emerged in early 2022, possibly linked to disbanded attack groups like Conti and REvil.  

Known for its strategic exfiltration of sensitive data and deployment of ransomware payloads, Black Basta has amassed substantial ransom revenue, estimated to exceed $107 million from over 90 victims in under two years.

Employing advanced techniques and malware strains such as Qakbot, Black Basta leverages vulnerabilities in systems like VMware ESXi and exploits insecure Remote Desktop Protocol (RDP) deployments to infiltrate networks.  

With a diverse target profile spanning manufacturing, transportation, healthcare, and more, Black Basta's double extortion scheme and active leaks website intensify the pressure on organizations to comply with their ransom demands, showcasing the group's ruthlessness in the cyber landscape.


The RansomHub ransomware group has expanded its list of victims, targeting diverse industries with its malicious operations.  

Among its recent victims is Farmacia Florio, a pharmacy group offering comprehensive professional services, including a galenical laboratory and cosmetics production. However, details of the attack remain undisclosed.

Additionally, RansomHub has struck Skyway Coach Lines and Shuttle Services, a Toronto-based transportation provider specializing in coach lines and airport shuttles. Despite the lack of specifics, the attack underscores RansomHub's indiscriminate targeting across various sectors.

Operating as a relatively new ransomware-as-a-service operation, RansomHub maintains a darknet site featuring an Index page listing its victims, along with About and Contact sections.  

The group, purportedly comprising hackers worldwide, emphasizes financial gain as its primary motive while prohibiting attacks against specific targets like CIS, Cuba, North Korea, and China.

Furthermore, RansomHub imposes rules on its affiliates, forbidding attacks on non-profit organizations and re-attacks on previously paid victims, indicating a level of ethical consideration amidst its illicit activities.


The DragonForce ransomware gang has allegedly targeted Saint Cecilia's Church of England School, a secondary school in Southfields, London, specializing in music and mathematics.  

Details of the attack remain undisclosed, leaving the school's administration and community in uncertainty.

Similarly, Västblekinge Miljö AB, a waste management company operating in Sweden, found itself on DragonForce's victim list. However, specifics regarding the attack are scarce, further amplifying concerns about the ransomware group's indiscriminate targeting across various sectors.

DragonForce emerged as a new ransomware operation in December 2023, with limited information available about the group responsible for its creation and dissemination.  

Operating through their dark web data leak site, DragonLeaks, the group encrypts victim systems and exfiltrates data, categorizing them as a crypto-ransomware and data broker entity.

Known for direct and double extortion tactics, DragonForce has been linked to hacktivist activities, with researchers speculating its origins in Malaysia.  

Despite claiming several high-profile attacks, investigative agencies are yet to fully comprehend the group's systems, structures, tactics, and history, owing to its relatively recent emergence.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.