Ransomware on the Move: LockBit, NoEscape, BlackCat/ALPHV, BianLian, 8Base


November 7, 2023

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


LockBit, a notorious Ransomware-as-a-Service (RaaS) group, has been causing havoc in the cybersecurity landscape. Since its emergence in 2019, LockBit has continually evolved, displaying remarkable expertise in evading security tools and executing rapid encryption. The group has proven to be a menace, targeting a wide range of industries and demanding exorbitant ransoms.

In its latest string of attacks, LockBit breached several high-profile organizations, including Boeing, the Arab Center for Engineering Studies, Abu Dhabi National Building Materials Co. (BILDCO), ECA Business Energy, Frontline Equipment Maintenance, Queretaro Intercontinental Airport (AIQ), Steel of Carolina Division 5, Mottama Holdings in Myanmar, and Vita Research in Italy. These attacks have left a trail of compromised data, including sensitive documents, financial records, and other confidential information.

LockBit is known for its multifaceted approach to extortion. Besides encrypting files, the group may also demand ransoms for sensitive information exfiltrated during the attack. LockBit's attack vectors include the exploitation of remote desk top protocol (RDP) and the use of Group Policy Objects and PsExec via the Server Message Block (SMB) protocol. In a significant move, LockBit expanded its reach by introducing a macOS ransomware variant in April 2023, making it across-platform threat to both Windows and Linux systems. LockBit's rapid growth and evolution continue to pose a substantial risk to organizations worldwide.


NoEscape, another RaaS group, emerged in May 2023, and it has quickly gained notoriety for its prolific attacks. Operating with variants targeting Windows, Linux, and VMware ESXi systems, NoEscape provides affiliates with 24/7 technical support, communication tools, and automated RaaS platform updates. Its rapid ascent isfueled by its attractive profit-sharing model, offering affiliates generous cuts of the ransom proceeds, sometimes as high as 90%.

NoEscape's targets included McKeag & Co Solicitors, St Raphael's Hospice, and Vinovalie, with the latter suffering a significant data breach. The group's preferred modus operandi involves data exfiltration for double extortion, of ten netting high ransom demands. Its attacks typically focus on Professional Services, Manufacturing, Information Technology, and Healthcare sectors.


BlackCat/ALPHV is a ransomware group that has gained notoriety for its highly advanced operations. The group's attacks are known for their customization and adaptability, employing multiple encryption routines, advanced self-propagation, and the ability to impact systems running Windows, VMwareESXi, and various Linux distributions. Its ransom demands can range from hundreds of thousands to over $5 million.

In its recent attacks, BlackCat/ALPHV targeted the Town of Iowa and Advarra, compromising various data and systems. The group's commitment to innovation is evident in its release of an API for its leak site, increasing pressure on victims to pay ransoms. BlackCat/ALPHV also stands out as one of the first ransomware developers to employ Rust, a secure programming language, in its operations.


BianLian ransomware group reported in their darkweb portal that they hit Auswide Services, a leading Southern Australian provider of business broadband, hosting solutions, and website development and maintenance.

The leaked data include Personal information, accounting and financial data, contract information, files from the CFO’s computer, operational and business files, as well as email and message archives, belonging to Auswide Services and other Australian companies.

BianLian is nota traditional RaaS group but has quickly risen to prominence with its unique approach to double extortion. Initially emerging as a typical RaaS provider, BianLian has shifted away from deploying ransomware payloads, favoring data exfiltration and extortion attacks. The group leverages open-source tools and command-line scripts for credential harvesting and data exfiltration.

BianLian's attack volume has grown significantly, and its targets span various industries. While specific ransom amounts are unclear, the group's primary focus is on data extortion and monetizing stolen information.


8Baseransomware group reported in their darkweb portal that they hit Traxall France. Traxall France offer solutions for car fleet management. 8Base has rapidly ascended in the ranks of active ransomware operators. It has displayed a "massive spike in activity" in the first half of 2023, primarily targeting business services, manufacturing, and construction sectors. Although its origins are uncertain, 8Base's operations suggest a connection to experienced RaaS operators.

The group engages in data exfiltration for double extortion and employs advanced security evasion techniques. While specific ransom amounts remain unclear, 8Base has become one of the most active groups in recent months.


The ransomware gang Medusa took control of the Jockey Club data in Argentina. According to BCA, the criminal group is seeking a ransom of $300,000 in exchange for the information. The Jockey Club is a club in Buenos Aires, Argentina.

Medusa, a RaaS that made its debut in the summer of 2021, continues to be a persistent threat. The group has evolved into one of the more active RaaS platforms, with a focus on the healthcare and pharmaceutical sectors. It demands ransoms in the millions of dollars and employs various tactics to avoid detection and recovery.

Medusa's attack methods include restarting infected machines in safe mode, deleting local backups, disabling startup recovery options, and thwarting encryption rollback by deleting Volume Shadow Copies. While its attack volumes have seen fluctuations, Medusa remains a formidable threat.


After a period of inactivity, the CI0p ransomware group has added S&G Manufacturing Group to their victim list. S&G combines metal fabrication with woodwork and professional craftsmen to provide commercial-grade products to many industries.

CI0p, a RaaS platform first observed in 2019, has been increasingly leveraging automation to exploit known vulnerabilities and infiltrate targets. This includes the use of a SQL injection zero-day vulnerability (CVE-2023-34362) to install web shells. The group has been highly active in the first quarter of 2023, focusing on organizations with vulnerable GoAnywhere installations.

CI0p demands varying ransoms, which can range from $3 million to as high as $20 million, depending on the target. The group has developed both Windows and Linux versions of its ransomware, expanding its capabilities and recruitment efforts.


Stanford University is investigating a cybersecurity incident within its Department of Public Safety after a ransomware gang claimed it attacked the school on October27th, 2023. On that morning, the Akira ransomware gang claimed it attacked Stanford University and stole 430 gigabytes of data.

Akira, which emerged in March 2023, has been making waves in the ransomware landscape. With suspected links to the Conti gang, Akira's ransomware platform includes a chat feature for direct negotiation with victims. This group has a penchant for informing victims about the attack vectors leveraged, an unconventional tactic in the ransomware world.

Akira maintains a moderate attack volume, focusing on both Windows and Linux systems and employing data exfiltration and encryption techniques. Ransom demands can range from $200,000 to over $4 million, making it a notable player in the field.


BlackBasta ransomware group announced in their darkweb portal that they have attacked GSP Loteamentos. GSP Loteamentos is a Brazilian-based construction company, founded35 years ago, that specializes in building neighborhoods with high quality buildings and serene surroundings.

BlackBasta, a RaaS group that emerged in early 2022, has quickly become one of the most prolific attack groups in 2023. With suspected ties to the disbanded Conti and REvil groups, BlackBasta specializes in highly targeted attacks and exfiltrate sensitive data for additional leverage in extortion. The group has been observed employing unique tactics for ingress, lateral movement, data exfiltration, and ransomware deployment.

Ransom demands from BlackBasta can be substantial, sometimes exceeding $2 million. The group's cross-platform ransomware can impact both Windows and Linux systems, and it is particularly adept at exploiting vulnerabilities in VMware ESXi. BlackBasta targets a wide range of sectors, including construction and related services, manufacturing, telecommunications, healthcare, and automotive industries.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.