Ransomware on the Move: INC Ransom, Rhysida, Akira, RA World


April 9, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

INC Ransom

INC Ransom, a notorious cybercriminal group, has launched a series of devastating ransomware attacks on various organizations, including NHS Dumfries and Galloway, Florida Memorial University (FMU), Tech-Quip, PSEC Church, and Leicester City Council. The attacks involve threatening to publish sensitive data unless a ransom is paid.

In the case of NHS Dumfries and Galloway, the attackers have obtained a significant amount of patient and staff information, leading to fears of privacy breaches and potential harm. The organization, committed to providing excellent and person-centered care, faces a grave threat to its data security.

FMU, a respected historically black college in Miami Gardens, Florida, has also fallen victim to INC Ransom. The attackers have exposed confidential documents, including passports and Social Security numbers, raising concerns about identity theft and financial fraud.

Tech-Quip, a major manufacturer's representative for instrumentation and analytical products, suffered a similar fate, although specific details of the attack remain undisclosed.

PSEC Church and Leicester City Council have also been targeted, with the attackers threatening to expose sensitive data unless their ransom demands are met. These attacks have far-reaching implications for the affected organizations and their stakeholders, jeopardizing data privacy, financial stability, and public trust.

INC Ransom employs sophisticated tactics, such as leveraging compromised credentials and utilizing legitimate tools for reconnaissance and lateral movement within targeted networks. The group practices double extortion, demanding payment while also threatening to leak stolen data if demands are not met.

The wide array of industries targeted by INC Ransom underscores the indiscriminate nature of their attacks, affecting sectors ranging from healthcare and education to manufacturing and public administration. Despite efforts to combat cybercrime, organizations remain vulnerable to ransomware threats, highlighting the urgent need for robust cybersecurity measures and proactive defense strategies.


The Rhysida ransomware group has targeted two prominent entities: Seven Seas Technology (SSTech) and El Debate. SSTech, a leading provider of ICT solutions with over 40 years of experience, faces a ransom demand of 6 BTC after a compromising attack that involved miscellaneous data, including personally identifiable information (PII).

El Debate, a Mexican newspaper publisher established in 1972, has also fallen victim to Rhysida, with a ransom demand of 5 BTC following an attack involving contracts and PII documents, with a sample of the data already leaked.

Rhysida, a Ransomware-as-a-Service (RaaS) operation observed since May 2023, is known for its data exfiltration tactics for double extortion. The group operates leak sites and victim support portals on TOR, targeting various industries.

Although its attack volume is modest compared to other groups, Rhysida is notable for its use of Cobalt Strike frameworks and phishing campaigns. While lacking some standard ransomware features, such as VSS removal, Rhysida threatens to publicly distribute stolen data to enforce ransom payments.

Victims are directed to contact the attackers via TOR-based portals for payment instructions, demonstrating the group's sophisticated ransomware deployment and payment procedures.


The Akira ransomware group has targeted Santa Cruz Seaside Company and Lakes Precision, adding to its list of victims across various industries. Santa Cruz Seaside Company, known for operating the historic Santa Cruz Beach Boardwalk amusement park, suffered a significant breach resulting in the theft of financial documents, HR records, and other business data.

Meanwhile, Lakes Precision, a provider of wire processing tooling, also faced an attack, though specific details remain undisclosed.

Akira, emerging in March 2023, demonstrates links to the Conti gang and utilizes an extortion platform with unique features such as direct negotiation via chat and informing paid victims about attack vectors.

While offering a decrypter, its efficacy has been limited. Despite a moderate attack volume, ranging from $200,000 to over $4 million in ransom demands, Akira employs sophisticated techniques, including targeting both Windows and Linux systems and exploiting vulnerabilities in Cisco and VMware software.

Operating a Ransomware-as-a-Service (RaaS) model, Akira utilizes C++ code capable of evading detection and deleting Windows Shadow Volume Copies. Its tactics include data exfiltration for double extortion, posing significant risks to victims' data privacy and financial security. With a history of targeting organizations in education, finance, and manufacturing, Akira remains a formidable threat in the ransomware landscape.

RA World

RA World, a prominent ransomware group, has targeted TUBEX Aluminium Tubes and Innomotive-Systems-Hainichen-GmbH in its recent attacks. TUBEX, a manufacturer of aluminum tubes with over 70 years of experience, stands as a pioneer in packaging development, boasting extensive production capacities across multiple locations. Meanwhile, Innomotive Systems Hainichen specializes in automotive parts production, including vehicle hinges and oil pumps, and has been a key player in the industry for years.

RA World, formerly known as the RA Group, has been active since April 2023, employing a strategy that involves data exfiltration followed by encryption deployment. The group operates leak sites on both TOR and non-TOR platforms, posing significant threats to victims' data privacy. Notably, the ransomware is designed to eliminate Volume Shadow Copies and system backups, thwarting recovery efforts.

While specific infection pathways remain undisclosed, RA World's modus operandi likely aligns with standard ransomware tactics. Instances of RA World attacks have been reported globally, with victims hailing from countries such as the Netherlands, France, the United Kingdom, and Colombia. Data leak sites associated with RA World have affected numerous organizations across various sectors, underscoring the group's widespread impact and the urgent need for robust cybersecurity measures.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.