Ransomware on the Move: LockBit, Cactus, BianLian, Rhysida


January 9, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


LockBit has been a relentless force in the cyber underworld since its inception in 2019. In the first half of 2023, it continued its reign as the most active attack group.  

LockBit's modus operandi involves fast encryption, sophisticated security tool evasion, and a penchant for demanding high ransoms, often surpassing $50 million.  

Notably, the group targeted Coastal Plains Integrated Health, Avesco Rent, BKF Fleuren, Coaxis, Consultores y Investigadores en Administración, and CSM Ciencia al Servicio del Movimiento in its recent spree.

One of the notable victims, Coastal Plains Integrated Health, provides crucial community services for individuals with intellectual and developmental disabilities. Another target, Avesco Rent, a partner in construction and infrastructure, suffered a significant data breach, with confidential and personal information falling into the wrong hands.

Coaxis, a managed network solutions provider, managed to preserve the confidentiality of its data during the LockBit attack. On the other hand, Consultores y Investigadores en Administración, a credit investigation and portfolio recovery services specialist, had its corporate information compromised.

The LockBit group's innovation extends beyond conventional attacks. In July 2023, they demanded a staggering $70 million ransom from Taiwan Semiconductor Manufacturing Company (TSMC), the world's leading computer chip maker.  

Notably, LockBit pioneered a macOS ransomware variant in April 2023, showcasing their adaptability and sophistication.


Cactus, a relative newcomer on the RaaS scene since March 2023, has quickly gained infamy for its escalating attack volumes. The group targeted prominent entities such as Bachoco Corporate, Bell, and Coop.  

Notably, Coop, a major retail and grocery provider in Sweden, faced threats of disclosing vast amounts of personal information concerning over 21 thousand directories.

Cactus ransomware emerged in March of 2023 and is noted for the ability to evade security tools and leverages exploits for known vulnerabilities in common VPN appliances to gain initial access to the networks of targeted organizations.  

Cactus operators also have been observed running a batch script that unhooks common security tools. ‍Cactus is a new arrival on the RaaS scene but has quicky amassed a disturbing number of victims in a relatively short time, and attack volumes have escalated in the second and third quarters of 2023.  

Cactus employs an encrypted messaging platform called TOX chat to conduct negotiations with victims. Ransom demands are assessed to be quite substantial, but an average has not been established.


BianLian, initially a conventional RaaS provider, transitioned its tactics from deploying ransomware to focusing on data exfiltration and extortion attacks. The group targeted Acero Engineering, Akumin, and Bay Orthopedic & Rehabilitation Supply.

Acero Engineering, a Calgary-based EPCM company, suffered a significant data breach, with the BianLian group exfiltrating 1.2 TB of diverse data. Akumin, a healthcare services company based in Florida, faced a breach compromising sensitive consumer information.

BianLian stands out for its use of open-source tools and command-line scripts for credential harvesting and data exfiltration. The group primarily targets financial institutions, healthcare, manufacturing, education, entertainment, and energy sectors.


Rhysida, a relatively new player in the ransomware landscape since May 2023, has set its sights on critical infrastructure. Abdali Hospital in Jordan and Aspiration Training fell victim to Rhysida's attacks.  

The group is unique in its approach, presenting itself as a "cybersecurity team" while exploiting vulnerabilities through methods like Cobalt Strike and phishing campaigns.

The Rhysida ransomware group emerged in May 2023 and introduced a victim support chat portal on the TOR network. They present themselves as a "cybersecurity team" and claim to be helping their victims by targeting their systems and exposing potential security issues.  

Rhysida deploys its ransomware through various methods, including Cobalt Strike or similar frameworks, as well as phishing campaigns. Analysis of Rhysida ransomware samples suggests that the group is still in the early stages of development.  

The ransomware lacks certain standard features in contemporary ransomware, such as VSS removal. However, the group follows the practices of modern multi-extortion groups by threatening to distribute the stolen data publicly.  

Upon execution, Rhysida displays a cmd.exe window and scans all files on local drives. Victims are instructed to contact the attackers using the TOR-based portal and their unique identifier provided in the ransom notes.


BlackBasta, a RaaS platform, claimed a cyberattack on American Alarm and Communications. The group, considered an offshoot of Conti and REvil, is known for its targeted attacks on various sectors, including manufacturing, transportation, construction, telecommunications, automotive, and healthcare providers.

Black Basta is a RaaS that emerged in early 2022 and is assessed by some researchers to be an offshoot of the disbanded Conti and REvil attack groups. The group routinely exfiltrates sensitive data from victims for additional extortion leverage.  

Black Basta engages in highly targeted attacks and is assessed to only work with a limited group of highly vetted affiliate attackers.

Black Basta has quickly become one of the most prolific attack groups in 2023 and was observed leveraging unique TTPs for ingress, lateral movement, data exfiltration data, and deployment of ransomware payloads.  

Ransom demands vary depending on the targeted organization with reports that they can be as high as $2 million dollars. Black Basta continues to evolve their RaaS platform, with ransomware payloads that can infect systems running both Windows and Linux systems.  

Black Basta is particularly adept at exploiting vulnerabilities in VMware ESXi running on enterprise servers.


Despite having been compromised by law enforcement actions recently, BlackCat/ALPHV targeted AURA Engineering, exfiltrating 232 GB of confidential information.  

The group boasts an advanced RaaS platform with highly customizable code, capable of encrypting files using AES algorithms and evading security tools.

Notably, BlackCat/ALPHV uses Rust, a secure programming language, and continually updates its platform, evident in the release of the Sphynx ransomware variant. The group targets a wide range of industries, including petrochemical, chemical, and storage terminal sectors.


The Play ransomware group claimed an attack on CVR Associates, compromising private and personal information. Play, also known as PlayCrypt, emerged in the summer of 2022 and is noted for exploiting unpatched Fortinet SSL VPN vulnerabilities for initial access.

Play has made headlines with high-profile attacks on entities like the City of Oakland and Argentina's Judiciary. The group utilizes various tools, including Cobalt Strike, SystemBC RAT, and PowerTool, showcasing a multifaceted approach to compromise and persistence.


Cl0p, an established RaaS platform since 2019, claimed an attack on Delphinus Engineering, exfiltrating diverse data types. The group exhibits advanced anti-analysis capabilities and automation in exploiting vulnerabilities, including a zero-day SQL injection vulnerability.

Cl0p has witnessed a surge in attacks, leveraging patchable exploits to compromise numerous victims. The group's ransom demands vary but average around $3 million, with an increasing focus on exfiltrating sensitive data to enhance ransom amounts.

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.