Ransomware on the Move: LockBit, BianLian, Medusa, Hunters International


March 25, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


El Ezaby Pharmacy, a cornerstone of Egypt's healthcare sector, has fallen prey to the notorious LockBit ransomware gang. The perpetrators have issued a ransom deadline set for a significant date in March 2024, although specifics remain undisclosed.  

Established in 1975, El Ezaby Pharmacies has grown into Egypt's leading provider of health and personal care products, with an ambitious plan to solidify its regional leadership. This cyber attack underscores the vulnerability of even the most established institutions to digital threats.

Similarly, Crinetics Pharmaceuticals finds itself on LockBit's radar, facing a demand of $4 million with a deadline looming on March 23.  

While Crinetics remained silent on whether they were dealing with a ransomware attack, they disclosed detecting suspicious activity in a staff member's account, promptly initiating cybersecurity protocols. Crinetics Pharmaceuticals, focused on endocrine disease therapeutics, emphasizes patient welfare amidst the breach.

Journey Freight International joins the list of LockBit's victims, facing a ransom deadline of March 24, with compromised financial data and personal information. The company, known for its personalized logistics solutions, confronts the harsh reality of modern cyber threats despite its global presence.

Meanwhile, Worthen Industries faces its third ransomware attack in two months, this time from LockBit, with a demand to contact attackers within three days. Founded in 1866, Worthen Industries' legacy as a chemical and technology manufacturer faces a digital challenge in safeguarding its corporate and personal data.

The LockBit ransomware gang, known for its sophisticated tactics and exorbitant ransom demands, continues to wreak havoc across industries worldwide despite recent law enforcement takedown attempts.  

With a track record of targeting high-profile entities and exploiting vulnerabilities across operating systems, LockBit still poses a significant threat to cybersecurity.  


Keboda Technology, a prominent automotive electronics enterprise based in Shanghai, has fallen victim to the BianLian data extortion group. Keboda Technology, founded in 2003, focuses on research, development, and industrialization of automotive electronics, playing a crucial role in the industry.

The breach, which reportedly involved the exfiltration of a massive 1.2 terabytes of data, includes sensitive personal information and proprietary data belonging to both Chinese and international customers such as Geely, Zeekr, Volkswagen, BMW, and others.  

The BianLian data extortion group has also targeted Consolidated Benefits Resources, a long-standing claims administrator for Oklahoma workers. While details regarding the breach remain scarce, the attack highlights the vulnerability of essential services to cyber threats.  

Consolidated Benefits Resources, serving over 1,000 employers, faces the challenge of securing sensitive information amid escalating cyber risks.

In addition to these attacks, the BianLian group has targeted Mayer Antonellis Jachowicz & Haranas, LLP, a reputable law firm offering diverse legal services. Though specifics of the attack are undisclosed, it underscores the pervasive nature of cyber threats across various sectors, including legal services.

Furthermore, Dr Leeman ENT, a medical practice specializing in ear, nose, and throat treatments, has also fallen prey to BianLian's attacks. While details are scarce, the incident highlights the broader impact of cyber threats on critical healthcare services.

BianLian's evolving tactics, moving away from traditional ransomware to data exfiltration and extortion, pose significant challenges for cybersecurity.  

Leveraging open-source tools and command-line scripts, BianLian targets a wide range of sectors, including financial institutions, healthcare, and manufacturing, by exploiting compromised credentials and bypassing security measures.


The notorious ransomware group Medusa has struck again, this time targeting prominent organizations across various sectors.  

ADSP Mar Tirreno Settentrionale, responsible for managing key ports in Tuscany, Italy, fell victim to the attack, resulting in the leakage of sensitive internal data, financial documents, and personally identifiable information.  

As a crucial public entity involved in EU-funded projects, the implications of this breach extend beyond regional borders, raising concerns about cybersecurity in critical infrastructure.

Additionally, Romark Laboratories, dedicated to advancing innovative medicines, found itself under siege by Medusa, although details of the attack remain undisclosed. The incident underscores the vulnerability of pharmaceutical companies to cyber threats, potentially disrupting vital research and development efforts.

Furthermore, Elior UK, a leading contract caterer serving diverse sectors, including workplace, education, and healthcare, has allegedly been targeted by Medusa. While specifics regarding the attack are scarce, the potential impact on essential services underscores the far-reaching consequences of ransomware attacks on public and private enterprises alike.

Medusa, known for its ransomware-as-a-service (RaaS) model, has emerged as a significant player in the cyber threat landscape since its debut in 2021. With fluctuating attack volumes and sophisticated evasion tactics, including restarting infected machines in safe mode, Medusa poses a formidable challenge to cybersecurity efforts.

The group's preference for targeting healthcare, pharmaceutical, and public sector organizations highlights the need for heightened vigilance and robust defense mechanisms across industries.  

Moreover, Medusa's utilization of a double extortion scheme, coupled with demands reaching into the millions of dollars, underscores the urgency for organizations to fortify their cybersecurity posture and implement proactive measures to mitigate risks.

As Medusa continues to evolve and adapt its tactics, organizations must remain vigilant and prioritize cybersecurity investments to safeguard sensitive data, protect critical infrastructure, and mitigate the potential fallout of ransomware attacks.  

Hunters International

ATL Leasing and Miki Travel have fallen victim to the Hunters International ransomware group, signaling the group's growing threat to businesses worldwide. ATL Leasing, a key player in the Tunisian market since 1993, saw 162.1 GB of data exfiltrated, impacting its operations and potentially compromising sensitive information.  

Similarly, Miki Travel, a global travel company with over 36 offices, faced an alleged 375GB data breach, emphasizing the far-reaching consequences of ransomware attacks.

Hunters International, identified as a Ransomware-as-a-Service (RaaS) group, surfaced in 2023, drawing comparisons to the notorious Hive ransomware strain. Despite denying ties to Hive, the group's tactics involve exfiltrating data and extorting victims for ransom.  

Notably, a US plastic surgery clinic saw 248,000 files compromised, showcasing the severity of the threat.  Hunters International's modus operandi involves encrypting files, leaving instructions for negotiation, and tailoring ransom demands based on the target's perceived value.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.