Ransomware on the Move: LockBit, Black Basta, BianLian, 8Base


February 20, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


LockBit has emerged as one of the most prolific and formidable actors in the realm of cybercrime. The LockBit ransomware operation has been responsible for a series of high-profile attacks, demonstrating their capability to breach organizations across diverse industries and geographical locations.

One of the notable victims of the LockBit ransomware group was the Service Employees International Union (SEIU), a prominent union representing nearly 100,000 state employees in California. The attackers exfiltrated a significant amount of sensitive data, including employee Social Security numbers, salary information, and financial documents.  

This breach not only posed a severe threat to the affected individuals' privacy but also underscored the potential impact of ransomware attacks on large-scale organizations entrusted with sensitive data.

Similarly, the Town of Seymour in Connecticut fell victim to a ransomware attack orchestrated by the LockBit group. This small yet significant municipality, known for its safety and community services, faced the daunting task of confronting cybercriminals who targeted its infrastructure.  

With a ransom deadline looming, the town authorities grappled with the implications of potential data exposure and the disruption of essential services.

The maritime industry also felt the impact of LockBit's operations, with Northsea Yacht Support experiencing a breach that exposed the vulnerability of companies involved in luxury yacht production.  

The theft of intellectual property and sensitive business data highlighted the indiscriminate nature of ransomware attacks, affecting businesses regardless of their size or industry sector.

Furthermore, the healthcare sector bore the brunt of LockBit's onslaught, as evidenced by the attack on CDT Medicus, a leading medical services provider in southwestern Poland. The compromise of patient records and confidential documents underscored the grave consequences of ransomware attacks on institutions entrusted with safeguarding sensitive medical information.

LockBit's reach extended beyond geographical boundaries, as demonstrated by the attack on Al Firas, a contracting company based in Abu Dhabi. The exfiltration of terabytes of data from this organization underscored the global scale of ransomware operations and the far-reaching implications for businesses operating in diverse regions.

Living Water International, a nonprofit organization dedicated to providing clean water to communities in need, also found itself targeted by LockBit. While details of the attack were scarce, the incident highlighted the indiscriminate nature of ransomware attacks, which spare neither profit-driven enterprises nor humanitarian organizations.

In Spain, Verdimed, a producer and marketer of fresh vegetables, fell victim to LockBit's extortion tactics. The exposure of sensitive business data raised concerns about the potential impact on the company's operations and reputation within the agricultural industry.

LockBit's activities also affected organizations in the outdoor equipment sector, as evidenced by the attack on Lyon Equipment Limited, a leading distributor of climbing, mountaineering, and outdoor gear. The disruption caused by the ransomware attack underscored the vulnerability of businesses reliant on digital infrastructure for their operations.

Moreover, LockBit's reach extended to government institutions, with the National Police Social Security Institute (ISSPOL) in Ecuador facing a ransomware attack that threatened to disrupt essential services. The timely response of ISSPOL's technology and cybersecurity team prevented further escalation, but the incident served as a stark reminder of the vulnerability of critical infrastructure to cyber threats.

Similarly, Jacksonville Beach in Florida experienced a ransomware attack that crippled city services and forced the temporary closure of City Hall. The incident highlighted the disruptive potential of ransomware attacks on local government operations and underscored the need for robust cybersecurity measures to mitigate such threats.

LockBit's indiscriminate targeting also extended to healthcare facilities, as evidenced by the attack on the Caribbean Radiation Oncology Center. The compromise of patient data and medical records underscored the potential risks posed by ransomware attacks to the healthcare sector's integrity and patient care.

Furthermore, LockBit targeted Fulton County Government in Georgia, exposing sensitive information and disrupting essential services. The incident underscored the vulnerability of government agencies to cyber threats and the need for comprehensive cybersecurity strategies to safeguard public infrastructure.

LockBit's modus operandi is characterized by its sophisticated techniques and relentless pursuit of financial gain. As a Ransomware-as-a-Service (RaaS) operation, LockBit leverages advanced encryption algorithms and evasion tactics to infiltrate target networks and extort ransom payments.  

The group's willingness to exfiltrate and expose sensitive data further amplifies the stakes for affected organizations, who must contend with the dual threats of data loss and operational disruption.

LockBit's evolution as a ransomware operator underscores the dynamic nature of cyber threats and the constant arms race between cybercriminals and cybersecurity professionals. Despite efforts to disrupt their operations and dismantle their infrastructure, LockBit continues to adapt and innovate, posing a persistent challenge to organizations worldwide.

Black Basta

In contrast to LockBit's widespread and indiscriminate approach, other ransomware groups exhibit distinct tactics and targeting strategies. The Black Basta ransomware group, for example, targeted Hyundai Motor Europe and BTL, exploiting vulnerabilities in corporate networks to steal sensitive data and extort ransom payments.  

Black Basta is a RaaS that emerged in early 2022 and is assessed by some researchers to be an offshoot of the disbanded Conti and REvil attack groups. The group routinely exfiltrates sensitive data from victims for additional extortion leverage.  

Black Basta engages in highly targeted attacks and is assessed to only work with a limited group of highly vetted affiliate attackers. Black Basta quickly became one of the most prolific attack groups in 2023 and was observed leveraging unique TTPs for ingress, lateral movement, data exfiltration data, and deployment of ransomware payloads.


Similarly, the BianLian data extortion group targeted Capozzi Adler, PC, and TechNet Kronoberg AB, leveraging credential harvesting and data exfiltration techniques to extract ransom payments from their victims.

BianLian is not a traditional RaaS. They first emerged in June 2022 as a typical RaaS provider with Golang-based ransomware until a decrypter was released. In early 2023, they appear to have abandoned the ransomware payload portion of attacks in favor of less complicated data exfiltration and extortion attacks.  

This shows how successful the double extortion strategy is for ransomware groups, and we will likely see more groups join the likes of BianLian.


The 8Base ransomware group, on the other hand, targeted Institutional Casework Inc. and ATB SA Ingénieurs-Conseils, focusing on business services and engineering sectors. Like LockBit, 8Base employs advanced evasion techniques and data exfiltration tactics to maximize the impact of their attacks and compel victims to pay the ransom.

The 8Base ransomware gang first emerged in March of 2022 and has quickly become one of the most active groups today, having displayed a "massive spike in activity" in the second half of 2023.  

About half of the 8Base targets are in the business services, manufacturing, and construction sectors. The sophistication of the operation suggests they are an offshoot of experienced RaaS operators - most likely Ransomhouse, a data extortion group that first emerged in December of 2021 and was quite active in late 2022 and early 2023.

The activities of groups like LockBit, Black Basta, BianLian, and 8Base underscore the need for robust cybersecurity measures and proactive risk mitigation strategies. By understanding the tactics, techniques, and procedures employed by ransomware groups, organizations can better prepare themselves to detect, respond to, and recover from cyber threats, safeguarding their data, operations, and reputation in an increasingly digital world.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.