Ransomware on the Move: LockBit, BlackCat/ALPHV, BlackBasta, Cuba


November 21, 2023

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


LockBit has maintained its position as the most active threat actor, launching multiple ransomware attacks on diverse targets. Last week, the group targeted American Engineers, a reputable civil engineering firm with a history spanning over three decades.

The attackers gained access to confidential construction project contracts and over 50,000 documents, including personal information. Floortex, a leading supplier of office and home surface protection mats, also fell victim to LockBit's onslaught.

Vital Health Foods, a prominent South African vitamin and health supplement manufacturer, faced a looming ransom deadline of 13 days from LockBit. Leos Jeans, Custom Fabricating & Repair in the USA, Gold's Gym Arabia in Saudi Arabia, and Hotel Ampere Paris were also added to the list of LockBit's victims. The University of the Aegean in Greece received a ransom ultimatum of 13 days from the notorious group.

LockBit, a Ransomware-as-a-Service (RaaS) entity operational since2019, boasts advanced security tool evasion capabilities and exceptionally fast encryption speeds. Known for innovative tactics, LockBit demands ransoms exceeding $50 million, and its exploits have extended to major players like Taiwan Semiconductor Manufacturing Company (TSMC).

The group introduced a macOS ransomware variant in April 2023,demonstrating its adaptability. LockBit utilizes custom tools like Stealbit for data exfiltration and is known for targeting larger enterprises, particularly in the healthcare sector.


BlackCat/ALPHV has been a significant player in the ransomware landscape, adding Execuzen Ltd, 4set Talent & Technology, and Mariposa Landscapes Inc. to its list of victims.

Execuzen, a global executive search firm, faced the compromise of personal data and corporate information. 4set Talent & Technology, specializing in technology consulting, and Mariposa Landscapes Inc., a landscape company, also experienced data breaches orchestrated by BlackCat/ALPHV.

The group's RaaS platform, noted for employing an AES algorithm, is highly customizable, and its attacks exhibit advanced self-propagation and evasion capabilities. BlackCat/ALPHV has been active since late 2021, with an increased attack volume in Q1 2023. The group demands ransoms ranging from$400,000 to over $5 million.

BlackCat/ALPHV was the first to adopt the secure programming language Rust and released a new ransomware version called Sphynx in August2023. It targets diverse industries, including healthcare, pharmaceuticals, finance, and manufacturing.


Black Basta has recently targeted AyA Kitchens and Baths and Montcalm Montagens Industriais, both facing an 8-day ransom deadline. AyA designs modern kitchens and baths, while Montcalm provides engineering and construction solutions across various industrial segments in Brazil. Bos Logistics in the Netherlands received a ransom ultimatum of six days from BlackBasta.

Emerging in early 2022, Black Basta is considered an offshoot of the disbanded Conti and REvil groups. The ransom demands imposed by Black Basta can reach up to $2 million. The group demonstrates versatility by evolving its RaaS platform, targeting both Windows and Linux systems.

Black Basta excels in exploiting vulnerabilities in VMware ESXi, displaying proficiency in infecting enterprise servers. The group's attacks primarily focus on manufacturing, transportation, construction, telecommunications, automotive, and healthcare sectors.


Cuba, a RaaS entity in operation since 2019, targeted Diagnos Techs and the Port Adelaide Power AFL team. Diagnos Techs, a pioneer in saliva-based testing, faced compromised financial and correspondence data. The Port Adelaide Power AFL team, a football club in Australia, witnessed data collection by Cuba on November 7.

While not the most sophisticated ransomware, Cuba has steadily increased its activity, doubling its attack volume in early 2023. The group relies on phishing, vulnerabilities, and compromised RDP credentials for ingress, employing ChaCha20 encryption and a double extortion scheme.

Cuba targets a diverse range of sectors, including financial services, government, healthcare, critical infrastructure, and IT.


Akira, a recently emerged threat group, targeted Battle Motors and Maxum Petroleum. Battle Motors, a leader in vocational trucks, faced a compromise of operational data, while Maxum Petroleum, a major lubricant blending company, experienced data exfiltration.

Operating since March 2023, Akira has potential links to the Conti gang. The group's unique features include a chat feature for victims to negotiate directly with attackers. Akira employs a RaaS platform in C++,targeting both Windows and Linux systems.

The group leverages credentials for VPNs and has been observed exploiting a zero-day in Cisco’s Adaptive Security Appliance. Akira's attacks span various industries, with a focus on technology, manufacturing, and oil and gas.


NoEscape, a spinoff of the disbanded Avaddon gang, has quickly become a prolific threat group targeting Carespring Health Care Management. The group claims access to 364 GB of company data from Carespring Health Care Management, which operates skilled nursing facilities and offers various healthcare services.

Emerging in May 2023, NoEscape operates as a Ransomware-as-a-Service and supports both Windows and Linux systems, including VMware ESXi. The group provides affiliates with 24/7 technical support and an automated RaaS platform update feature.

NoEscape stands out for its swift rise in attack volume, with ransom demands potentially exceeding $3 million and offering affiliates a generous profit-sharing arrangement.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.