Ransomware on the Move: LockBit, BlackCat/ALPHV, Play, BlackBasta


November 14, 2023


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:


LockBit, a Ransomware-as-a-Service (RaaS) entity operational since 2019, has been on a relentless spree these past few weeks after a bit of a lull. The group recently announced its attacks on various high-profile victims, including the Alianza Francesa - Santiago School, Binda, BR LOGISTICS USA, Electricity Generating Public Company, HBLFA Raumberg-Gumpenstein, MicroTrain Technologies, Strojírenský zkušební ústav, STUDIO483 Architects, and the Swedish branch of Translink Corporate Finance group.

The Alianza Francesa - Santiago School, an international and diverse institution with over 60 years of history, faces a ransom deadline of November 22, 2023. Binda, a renowned watch and jewelry company with a legacy dating back to 1906, must pay by November 16, 2023. BR LOGISTICS USA INC, a global shipping company, has until November 18, 2023, to meet LockBit's ransom demands.

The Electricity Generating Public Company in Thailand, HBLFA Raumberg-Gumpenstein in Austria, MicroTrain Technologies in Chicago, Strojírenský zkušební ústav in the Czech Republic, STUDIO483 Architects, and the Swedish branch of Translink Corporate Finance group are all under LockBit's siege with varying ransom deadlines.

LockBit, known for its sophisticated tactics, has demanded exorbitant ransoms, exceeding $50 million. Notably, the group targeted Taiwan Semiconductor Manufacturing Company (TSMC) with a $70 million ransom demand in July. The attackers leverage publicly available file-sharing services and a custom tool named Stealbit for data exfiltration.

LockBit's innovation is evident in the release of LockBit 3.0 in June 2022, followed by the first macOS ransomware variant in April 2023. The latest versions pose a threat to both Windows and Linux systems, incorporating advanced anti-analysis features.

The group continues to exploit vulnerabilities such as remote desktop protocol (RDP) and spreads through Group Policy Objects and PsExec using the Server Message Block (SMB) protocol. LockBit primarily targets larger enterprises but has shown a preference for healthcare organizations, operating a well-regarded affiliate program with high payouts.


BlackCat/ALPHV, another prominent RaaS player, has left its mark on several organizations, showcasing its prowess in encryption and cyber-espionage. The group recently added AF Supply, Corsica Ferries, and Japan Aviation Electronics Industry to its victim list.

AF Supply, a family-owned business operating since 1922, faces exposure of exfiltrated data unless it complies with the ransom demand within 48 hours. Corsica Ferries, a leading ferry company in the Western Mediterranean, experienced data leakage due to non-compliance with the ransom group's demands. Japan Aviation Electronics Industry, a Japanese corporation specializing in electrical connectors, confirmed a cyberattack on November 6, 2023.

BlackCat/ALPHV employs an AES algorithm for encryption, demonstrating high customization and flexibility in its code. The group's ransom demands typically range from $400,000 to $3 million, but they have exceeded $5 million in some cases.

BlackCat/ALPHV released an API for its leak site, enhancing visibility for their attacks and pressuring victims to pay. The group utilizes Rust, a secure programming language, and actively deletes Volume Shadow Copies to prevent rollback attempts.
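Shadow copy deletion is one of the few pre-encryption steps that shows up clearly in process-creation telemetry. The following is an added detection example, not code from Halcyon or from the groups described; the sample events are constructed, and the matched command forms are common built-in Windows ways to remove shadow copies (an assumption, since the page does not say which method any given sample uses).

```python
import re

# Constructed process-creation events (fields loosely modelled on Sysmon
# Event ID 1); hosts, users and command lines are made up for illustration.
SAMPLE_EVENTS = [
    {"host": "FS01", "user": "CORP\\svc_backup", "cmdline": "vssadmin list shadows"},
    {"host": "FS01", "user": "CORP\\jdoe",
     "cmdline": 'cmd.exe /c "vssadmin.exe  Delete Shadows /all /quiet"'},
    {"host": "WS17", "user": "CORP\\jdoe", "cmdline": "wmic shadowcopy delete"},
    {"host": "WS22", "user": "CORP\\asmith",
     "cmdline": 'powershell -c "Get-WmiObject Win32_ShadowCopy | ForEach-Object { $_.Delete() }"'},
    {"host": "WS22", "user": "CORP\\asmith", "cmdline": "cmd /c v^ssadmin del^ete shadows /all"},
    {"host": "DC01", "user": "CORP\\admin", "cmdline": "vssadmin list shadowstorage"},
]

# Assumed rule set: common built-in ways to delete shadow copies on Windows.
RULES = [
    ("vssadmin_delete", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("wmic_delete", re.compile(r"\bwmic(\.exe)?\s.*\bshadowcopy\s+delete\b")),
    ("ps_wmi_delete", re.compile(
        r"win32_shadowcopy.*(\.delete\(\)|remove-wmiobject|remove-ciminstance)")),
]


def normalize(cmdline):
    """Lowercase, drop cmd.exe caret escapes and quotes, collapse whitespace."""
    s = cmdline.lower().replace("^", "").replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", s).strip()


def detect(events):
    """Return (host, user, rule) for each event that deletes shadow copies."""
    hits = []
    for ev in events:
        cmd = normalize(ev["cmdline"])
        for name, pattern in RULES:
            if pattern.search(cmd):
                hits.append((ev["host"], ev["user"], name))
                break  # one hit per event is enough for alerting
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_EVENTS):
        print(hit)
```

Listing commands such as `vssadmin list shadows` are deliberately not matched, so routine backup tooling does not trip the rule.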

BlackCat/ALPHV's wide variability in targeting spans healthcare, pharmaceuticals, finance, manufacturing, legal, and professional services. Notably, the group engages in double extortion, exfiltrating victim data before encryption, and maintains a generous RaaS program offering affiliates up to 90% of ransom proceeds.


Play, a RaaS entity that emerged in the summer of 2022, has been making headlines with attacks on prominent organizations like Bry-Air and Ricardo. Bry-Air, a global environmental control solution provider established in 1964, and Ricardo, a strategic, environmental, and engineering consultancy, both fell victim to Play's cyber onslaught.

Play's modus operandi involves compromising unpatched Fortinet SSL VPN vulnerabilities for initial access. The group has targeted diverse entities, including the City of Oakland, Argentina's Judiciary, and Germany's H-Hotels. Play stands out for its utilization of various tools such as Process Hacker, GMER, IOBit, PowerTool, PowerShell, and command scripts to disable security solutions like Windows Defender.

The group leverages a variety of techniques, including PowerTool for antivirus disabling, SystemBC RAT for persistence, and tools like Cobalt Strike for post-compromise lateral movement. Play is known for its double extortion schemes, exfiltrating sensitive data for additional leverage.


The BlackBasta ransomware group recently claimed responsibility for a major attack on the Toronto Public Library, compromising its web domain and certain online services. The attack was acknowledged by the library on November 8, 2023, stating that they were actively addressing a ransomware incident.

Toronto Public Library, the largest public library system in Canada, fell victim to BlackBasta's targeted attack. The library assured that, as of the current investigation, there is no evidence of compromise to personal information of staff or customers.

BlackBasta, believed to be an offshoot of the disbanded Conti and REvil attack groups, engages in highly targeted attacks, working with a limited group of highly vetted affiliate attackers. The group has rapidly become prolific in 2023, leveraging unique TTPs for ingress, lateral movement, data exfiltration, and ransomware deployment.


Stanford University, a prestigious private research institution, is grappling with a cybersecurity incident within its Department of Public Safety. The Akira ransomware gang claimed responsibility for the attack on October 27, 2023, asserting that they stole 430 gigabytes of data.

Akira, which first emerged in March 2023, operates as a RaaS entity with suspected links to the notorious Conti gang. The group's extortion platform includes a chat feature for direct negotiation with victims.

Notably, Akira informs victims who pay a ransom of the specific infection vectors used in the attack. Akira's decrypter, released earlier, has proven ineffective against newer variants. The group operates in both Windows and Linux environments, typically exploiting VPN credentials for initial access.

Akira has been observed exploiting a zero-day vulnerability in Cisco’s Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software. The group has targeted organizations across various sectors, showcasing an evolving and aggressive approach.


Cactus, a RaaS entity operational since at least March 2023, announced its cyberattack on GEOCOM Uruguay. The group provided proof of the hack but has not disclosed further details about the attack.

GEOCOM Uruguay, offering consulting, advice, software, hardware, and computer solutions, finds itself in the crosshairs of Cactus. Cactus, known for leveraging vulnerabilities within VPN appliances for initial breaches, engages in targeted attacks with a focus on Windows, Linux, and VMware ESXi systems.

The group has an automated RaaS platform update feature and provides 24/7 technical support to its affiliates. While ransom demands are not specified, Cactus is considered one of the more prolific groups in 2023.


Medusa, a RaaS platform that emerged in the summer of 2021, recently claimed responsibility for a cyberattack on the Canadian Psychological Association (CPA). The group shared details of the data breach, including a countdown for data publication, and imposed ultimatums for varying ransom amounts.

The CPA, the primary organization representing psychologists throughout Canada, faces a daunting choice between paying $10,000 for a delay in data publication or a staggering $200,000 for complete data deletion. Medusa, known for its intermittent attack volumes, demonstrates an ability to restart infected machines in safe mode to avoid detection.

The group has been active in attacks targeting healthcare and pharmaceutical companies, along with public sector organizations. Medusa's ransom demands typically range in the millions of dollars, and the group engages in double extortion, exfiltrating data prior to encryption.


NoEscape, assessed to be a spinoff of the disbanded Avaddon gang, announced its responsibility for attacking Schwob AG in Switzerland. The group provided a deadline of five days for the victim to reach out and pay the ransom, claiming to have seized 238GB of data.

Schwob AG, a textile and linen manufacturing company established in 1872, finds itself under the threat of NoEscape. NoEscape operates as a RaaS platform, rapidly rising as one of the more prolific groups in 2023.

The group offers attractive profit-sharing arrangements with affiliates, with ransoms over $3 million netting a 90/10 split. NoEscape targets both Windows and Linux systems, utilizing encryption options for faster decryption upon ransom payment.

The group is known for exploiting vulnerabilities in VPN appliances for initial access and maintains a TOR-based leaks site for public exposure of victim data.

As organizations grapple with the fallout from these attacks, the need for robust cybersecurity measures and international collaboration to counter these threats becomes increasingly urgent. The evolving tactics of these ransomware groups underscore the importance of staying vigilant and adopting proactive cybersecurity strategies to safeguard against future attacks.

