Ransomware on the Move: LockBit, 8Base, RansomHub, Black Suit

Date: June 4, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:

LockBit

LockBit has executed high-profile attacks on various organizations during the last week, including Morris Group International, Keuka College, Ewin Marion Kauffman School, JMJ Workplace Interiors, and the Hesperia Unified School District.  

These incidents contribute to a total of 141 attacks recorded this month up to May 19th. The data stolen in these attacks encompasses sensitive information such as personally identifiable information (PII), financial data, employee records, commercial contracts, and proprietary information, reflecting the broad impact and severity of LockBit activities.

The education sector has been the most affected by LockBit, with seven attacks reported last week. The volume of stolen data is substantial, with nearly 1TB reported in two significant attacks, while the remaining 14 attacks lacked detailed data size information. The stolen data types indicate a severe compromise of confidentiality, affecting individuals and organizations' operational integrity.

The current LockBit variant is a significant advancement in the LockBit ransomware family, which has been active since January 2020. As a Ransomware-as-a-Service (RaaS) operation, it enables affiliates to use its malware, expanding the group's impact.

Emerging in July 2022, this variant boasts enhanced infection capabilities, advanced obfuscation techniques, and improved lateral movement within networks, with notable victims such as Boeing and ICBC's US division.

Operation Cronos, launched in February to dismantle LockBit infrastructure, initially succeeded through arrests and server seizures. However, LockBit quickly rebounded, reasserting its presence on the dark web and escalating attacks by releasing previously undisclosed victim data. This resilience demonstrates the group's adaptability and the ongoing challenges for law enforcement.

Despite claims of avoiding healthcare, educational, and charity institutions, LockBit has notably targeted the education sector. This contradiction underscores the opportunistic nature of ransomware groups and the need for vigilance across all sectors.

On May 16th, the Union Township School District experienced a significant network disruption believed to be the result of a cyber-attack, prompting an immediate response under the leadership of Superintendent Dr. Gerry Benaquista.

In response to the attack, the district has taken critical systems offline and launched a thorough investigation with the aid of external cybersecurity experts. Superintendent Benaquista stated in a letter to the district that the focus of these efforts is to secure the network, determine the extent of the intrusion, and restore full operational functionality as swiftly as possible.  

As the investigation and restoration processes continue, the district remains cautious but proactive in mitigating any further risks. The district has not released additional details but promises to keep all relevant parties updated on any significant developments. The district also urges staff to refer any external inquiries to Mrs. Watson, emphasizing the sensitive nature of the ongoing investigation and the importance of handling communications carefully.

8Base

8Base is a relatively new player in the ransomware landscape. Despite its recent inception, the group has quickly gained notoriety for its aggressive and sophisticated attack strategies. 8Base continued its pattern of posting victims on Mondays each week, claiming nine attacks worldwide across a wide range of industries last week.

8Base, although relatively new, has quickly established itself as a major threat. Its sophisticated methods and broad industry targeting, particularly in manufacturing and business services, demonstrate its growing influence. Notable companies attacked last week by 8Base include New Boston Dental Care, Fic Expertise, Cushman Contracting Corporation, and others.

In each incident, 8Base breached and published confidential data, including invoices, receipts, personal data, and employment contracts, leading to significant privacy and security issues.

The victim's website was compromised, resulting in the exposure of sensitive information. Various types of confidential data were compromised, including invoices, receipts, accounting documents, personal data, certificates, employment contracts, confidentiality agreements, personal files, and more. Furthermore, the leaked data has been fully published, indicating a serious breach of security.

8Base operates with a high level of sophistication, utilizing a combination of phishing attacks, exploit kits, and brute force attacks to gain initial access to victims' networks. Once inside, they deploy strong encryption methods to lock data and demand “ransoms.” The group is particularly adept at identifying and exploiting vulnerabilities in outdated software and weak security protocols.

In April, the United Nations Development Programme (UNDP) confirmed a ransomware attack, resulting in data theft. The stolen data included personal information of staff and procurement details of suppliers. UNDP notified the affected parties, reporting no evidence of data misuse. UNDP stated it did not pay any ransom. The agency works on projects in 170 countries addressing poverty and inequality. All data was subsequently made public.

8Base typically gains access to victim networks through a combination of social engineering techniques, such as phishing emails, and technical exploits, including vulnerabilities in unpatched software. Once inside, the group moves laterally through the network, deploying ransomware payloads across multiple systems to maximize disruption.

The geographical spread of the victims, with companies from Spain, Germany, Norway, Belgium, the USA, France, and Italy, highlights the global reach of the 8Base ransomware group. This international impact underscores the widespread threat ransomware poses to businesses.

The targeted industries are diverse, encompassing chemical manufacturing, security services, manufacturing, public services, dental care, accounting, engineering contracting, botanical gardens, zoos management, and precision mechanical components manufacturing. This variety indicates that 8Base targets a wide array of sectors without discrimination.

Coplosa, a manufacturing company in Spain, experienced a severe operational disruption due to the 8Base attack. The ransomware encrypted critical production and administrative data, causing significant downtime and financial losses. The attackers demanded a substantial ransom, leveraging the threat of data publication to increase pressure on the company.

W.I.S. Sicherheit + Service GmbH & Co. KG, a German security service provider, faced a crippling ransomware attack that compromised sensitive client data and disrupted business operations. The attackers used double extortion tactics, threatening to leak client information if the ransom was not paid. The incident highlighted vulnerabilities within the business services sector and emphasized the need for enhanced cybersecurity measures.

RansomHub

RansomHub has also made notable strides, leveraging advanced phishing and social engineering techniques to target diverse sectors. Their high ransom demands and extensive data exfiltration further emphasize the serious threat they represent.

Some notable companies attacked this third week of May by RansomHub include Confins Transportes, Eucatex, Rocky Mountain Sales, City of Neodesha and more.

RansomHub is a relatively new ransomware group that has quickly made a name for itself in the cyber threat landscape. Known for its sophisticated phishing and social engineering techniques, RansomHub targets a variety of sectors, demanding high ransoms for decryption keys.

Last week RansomHub targeted a variety of sectors, demanding high ransoms for decryption keys. The group executed nine notable attacks, fully publishing data from all of them and exfiltrating a total of 1,829.42 GB of sensitive information.

RansomHub attacked several companies across different industries, notably impacting manufacturing and business services. Four of these attacks occurred in the United States and three in Brazil.

Among the most significant attacks was the one on Porto de São Francisco do Sul in Brazil, where 548.72 GB of data, including accounting, human resources, financial reports, and employee details, were compromised. The port, a vital trade hub for fertilizer imports whose extensive infrastructure provides crucial connectivity to global shipping routes, had over 880,000 sensitive documents compromised, totaling 548.72 GB.

The breached data encompasses accounting, human resources, financial reports, reception, contracts, operations, and employee details, significantly impacting the port's operations and security. RansomHub employs a highly organized approach, utilizing advanced phishing schemes and social engineering tactics to infiltrate networks. RansomHub operations are characterized by their meticulous planning and execution.  

They often conduct extensive reconnaissance on their targets before launching an attack, ensuring maximum impact and disruption. The group's targets are diverse, ranging from real estate companies to waste management firms. The group's most attacked sector is manufacturing, which saw two attacks from May 13th to May 18th. Their ransom demands are typically high, reflecting the value of the data they encrypt and the potential impact on the victim's operations.

RansomHub emerged from the aftermath of the ALPHV ransomware group's attack on Change Healthcare, a major healthcare payment processing company. ALPHV allegedly received a $22 million ransom payment from Change Healthcare's parent company, UnitedHealth Group, but failed to share the proceeds with its affiliate "Notchy" who carried out the attack. Notchy and other former ALPHV affiliates then formed RansomHub, which extorted Change Healthcare a second time and began leaking the company's data in April 2024.

RansomHub attacks often begin with sophisticated phishing emails designed to trick recipients into revealing login credentials or downloading malware. The group also uses social engineering tactics to gain access to networks, exploiting human vulnerabilities to bypass security measures. The group's ransom notes are detailed and often include threats to publish stolen data, increasing pressure on victims to comply.

The attack on Houston Waste Solutions, a waste management company, resulted in significant service disruptions and data loss. The ransomware encrypted critical operational data, impacting the company's ability to provide services to its clients. The attackers demanded a substantial ransom, leveraging the threat of data publication to increase pressure on the company.

Okuant Limited, a real estate investment company, experienced a significant ransomware attack that compromised sensitive financial data. The attackers encrypted critical operational data and demanded a high ransom, threatening to publish the stolen information if their demands were not met.

Black Suit

Black Suit, with its focus on manufacturing and industrial sectors, exemplifies the severe operational and financial disruptions that ransomware can cause. Their targeted attacks on critical industries underscore the need for enhanced cybersecurity measures.  

Last week three USA-based companies—Cat-I Glass, Vision Mechanical, and Pier Foundry & Pattern Shop—were targeted by the cybercriminal group known as Black Suit in a series of ransomware attacks.

Black Suit is another emerging ransomware group that has quickly gained a reputation for targeting manufacturing and industrial sectors. Known for their sophisticated attacks and high ransom demands, Black Suit has become a significant threat to companies in these critical industries.

All three companies targeted by Black Suit are based in the USA and faced ransomware attacks that involved substantial data exfiltration and publication. These incidents underscore the severe impact of ransomware attacks, including financial demands and extensive data breaches.  

Across all three attacks, the types of data compromised included employee data, financial data, business data, and partners' information. The publication of some of this exfiltrated data further exacerbated the impact, highlighting the significant privacy and security risks involved.

Black Suit operates with a high degree of technical sophistication, using spear-phishing campaigns and exploiting known vulnerabilities to infiltrate networks. Once they gain access, they deploy advanced encryption tools to lock down data and systems, demanding payment in cryptocurrency for decryption keys.  

Black Suit primarily targets manufacturing and industrial companies, where the disruption of production can have severe financial and operational consequences. Their ransom demands are often high, reflecting the critical nature of their targets' operations.

Black Suit's attacks typically begin with spear-phishing emails, which are highly targeted and designed to trick recipients into revealing login credentials or downloading malware. The group also exploits vulnerabilities in unpatched software to gain access to networks.  

Once inside, they deploy ransomware payloads across multiple systems, encrypting data and demanding payment for its release. The group's ransom notes are detailed and often include threats to publish stolen data if the ransom is not paid. They use encrypted communication channels to negotiate with victims, further complicating efforts to track and stop their activities.

The attack on Cat-I Glass Manufacturing halted production and caused significant data loss. The ransomware encrypted critical manufacturing and operational data, leading to substantial financial losses and production delays. The attackers demanded a high ransom of $100,000 to restore access to the company's systems and data.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.