Ransomware on the Move: LockBit, DoNex, Stormous, BianLian, Cactus


March 19, 2024

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


The LockBit ransomware gang, previously thought to be neutralized after a law enforcement crackdown, has resurfaced with devastating attacks on various organizations globally.  

Last month, they claimed responsibility for infiltrating South Africa’s government workers' pension fund, administered by the Government Pensions Administration Agency (GPAA), causing severe operational disruptions and hampering pension payments for about 1.7 million government employees and pensioners.

In addition to targeting governmental institutions, LockBit struck the Laser Eye Clinic (LEC London), a prominent international eye clinic specializing in advanced eye treatments. While details of the attack remain undisclosed, the breach poses a significant threat to patient confidentiality and operational integrity.

The Teupe Group, a leading industrial machinery manufacturer serving Germany, Switzerland, and Austria, fell victim to LockBit's onslaught. The breach resulted in the exfiltration of a massive 1 TB of sensitive data, including crucial projects, client information, financial records, and personally identifiable documents. With a ransom deadline looming, Teupe faces immense pressure to mitigate further damage and secure their data.

Similarly, RMH Franchise, a multi-brand restaurant company operating across 14 states, found itself compromised by LockBit ransomware. The attack resulted in the theft of 1.5 TB of confidential data, ranging from insurance records to customer information, jeopardizing the company's operational stability and customer trust.

LockBit, a notorious Ransomware-as-a-Service (RaaS) operation, has a long history of sophisticated cyberattacks dating back to 2019. Known for its rapid encryption speed and evasion techniques, LockBit has demanded exorbitant ransoms, with some exceeding $50 million. The gang's targets span various industries, including healthcare, where they have frequently struck.

Despite previous law enforcement interventions, LockBit remains a formidable threat, continuously evolving its tactics and exploiting vulnerabilities like the Citrix Bleed vulnerability (CVE 2023-4966). With a well-organized affiliate program offering high payouts of up to 75% of ransom proceeds, LockBit poses a significant challenge to cybersecurity worldwide.

As organizations grapple with the aftermath of these attacks, cybersecurity experts emphasize the importance of robust defense mechanisms and proactive measures to thwart ransomware threats like LockBit, which continue to wreak havoc on a global scale.


The Regional Mission for Employment in Liege (MIREL) in Belgium, along with several other European entities, has fallen victim to the nefarious DoNex ransomware group.  

MIREL, a vital agency dedicated to facilitating employment opportunities by bridging the gap between job seekers and businesses, faced a severe breach with an alleged exfiltration of 19 GB of sensitive data, including crucial documents like forms, work certificates, and application letters.

Adding to the list of casualties, Chocotopia, a cherished Czech-Belgian chocolate manufacturer renowned for its exquisite offerings across Europe, was reportedly compromised.  

The attack saw the theft of 33 GB of diverse data, including personal documents, invoices, and images, posing a significant threat to the company's operational integrity and customer trust.

Furthermore, Van der Helm, a long-standing family business specializing in logistics solutions since 1936, was also targeted by DoNex ransomware. The attack resulted in the exfiltration of 39 GB of vital data, encompassing invoices, agreements, financial records, and more, jeopardizing the company's longstanding reputation and disrupting its operations.

DoNex ransomware group, known for its sophisticated tactics, has emerged as a potent threat to organizations in the United States and Europe. Employing a double-extortion strategy, the group encrypts files and exfiltrates sensitive data, holding it hostage to coerce victims into paying ransom.  

Victims have reported encountering ransom notes named Readme.VictimID.txt, instructing them to contact the group through Tox messenger, a secure peer-to-peer messaging service, to facilitate ransom payments.

As organizations grapple with the aftermath of these attacks, cybersecurity experts emphasize the urgency of robust defense measures and heightened vigilance to mitigate the growing menace of ransomware threats like DoNex.


The Stormous ransomware gang has unleashed havoc on Belgian beer giant Duvel, causing production disruptions across four of its breweries.  

While one facility has resumed operations, the cyber-attack has left Duvel grappling with the aftermath as investigations into the incident continue. Known for its specialty beers, Duvel is an independent family of craft breweries with a global presence spanning 11 locations.

Additionally, Loghman Pharmaceuticals in Iran reportedly fell victim to Stormous ransomware, though details remain scant. The company specializes in drug discovery, development, and manufacturing, raising concerns about the potential impact on pharmaceutical supply chains.

Stormous, which operates without a Ransomware-as-a-Service (RaaS) platform, gained notoriety in 2021-2022 for high-profile breaches, including claims of exfiltrating data from Epic Games and the Ukrainian Ministry of Foreign Affairs.  

However, skepticism surrounds Stormous' activities, with some labeling them as a scam operation. Despite their purported focus on Western companies and political rhetoric, Stormous' true motives and methods remain shrouded.


The BianLian ransomware group has struck Lindsay Municipal Hospital in Oklahoma, adding to its list of targets across the United States. The hospital, known for its acute care facility and emergency services, has not yet provided a comment on the cyberattack.  

Lindsay Municipal Hospital serves the Lindsay community and its surrounding areas, offering essential medical services such as radiology and emergency care.

In addition to the hospital, Palmer Construction, a Pennsylvania-based commercial construction company, fell victim to the BianLian ransomware group. The attack resulted in the exfiltration of a substantial 475 GB of data, including sensitive personal and financial information.

Unlike traditional Ransomware-as-a-Service (RaaS) groups, BianLian has evolved its tactics, focusing on data exfiltration and extortion attacks rather than deploying ransomware payloads.  

Leveraging open-source tools and command-line scripts, BianLian targets various sectors, including financial institutions, healthcare, and manufacturing, by exploiting compromised Remote Desktop Protocol (RDP) credentials.


The Cactus ransomware group has struck Plymouth Tube Company, a global specialty manufacturer, resulting in the exfiltration of a staggering 1.83 TB of critical data.  

The breach encompasses sensitive information, including financial records, HR documents, customer data, and executive correspondence. A ransom demand of $1,500,000 has been issued, plunging Plymouth Tube into a precarious situation.  

Similarly, multinational automation machinery manufacturer Ammega fell victim to the Cactus ransomware group, with 1 TB of stolen data now available for sale on the dark web. With over 10,000 employees and a revenue of $1.2 billion, Ammega faces significant repercussions from the cyberattack.

Cactus ransomware, which emerged in March 2023, has quickly gained notoriety for its sophisticated tactics, evading security measures and exploiting vulnerabilities in VPN appliances.  The group employs encrypted messaging platforms for negotiations and utilizes Living-off-the-Land techniques to infiltrate networks.  

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.