Ransomware on the Move: Play, LockBit, BlackBasta, Akira, Medusa

Date: March 12, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs that were on the move last week:

Play

The Play ransomware group has recently conducted a series of attacks targeting various companies, including Kool Air, Winona Pattern & Mold, and Powill Manufacturing and Engineering.  

These attacks have resulted in the exfiltration of sensitive data, including private and personal information, client documents, financial details, and more. The ransom deadline for these attacks was set for 7 March.

Kool Air, founded in 2001, specializes in providing farm services such as crop harvesting. Winona Pattern & Mold, on the other hand, is a full-service facility focused on highly engineered tooling for industries like cast metals and aerospace.  

Powill Manufacturing and Engineering, a veteran-owned company established in 1959, specializes in manufacturing military, commercial, and aerospace components, utilizing advanced CNC equipment and CAD/CAM technology.

The Play ransomware group, also known as PlayCrypt, emerged in the summer of 2022 and has since escalated its attacks, becoming one of the most prolific threat actors in the Ransomware-as-a-Service (RaaS) space.  

Play shares similarities with other ransomware strains like Hive and Nokoyawa. The group often exploits vulnerabilities in unpatched Fortinet SSL VPNs to gain access to its targets.

The FBI, in collaboration with CISA, issued a joint advisory stating that the Play gang had compromised over 300 organizations since its emergence. Play employs various tactics to bypass security solutions, including leveraging Process Hacker, GMER, IOBit, and PowerTool, as well as PowerShell or command scripts to disable Windows Defender.

Notable high-profile attacks attributed to Play include those on the City of Oakland, Argentina's Judiciary, German hotel chain H-Hotels, and government agencies like Fedpol and the Federal Office for Customs and Border Security (FOCBS). Play utilizes tools like Cobalt Strike for lateral movement within compromised networks and SystemBC RAT for persistence.

The group is known for double extortion tactics, wherein they exfiltrate victim data and threaten to publish it on their "leaks" website if ransom demands are not met. Play has also developed custom data exfiltration tools like Grixba information stealer and AlphaVSS management tool to efficiently exfiltrate sensitive data from targeted networks.

Additionally, Play has been observed targeting managed service providers (MSPs) worldwide in an attempt to leverage their remote monitoring and management (RMM) tools to infiltrate customer networks. The group primarily focuses its attacks in Latin America, particularly in Brazil, but has also targeted organizations outside this region.

LockBit

LockBit, a notorious ransomware group, has recently targeted several organizations, including GaP Solutions, Monmouth Elementary School, and Valorem Reply.  

GaP Solutions, an Australian retail software vendor with a thirty-year history, fell victim to LockBit, which posted a threat to publish any exfiltrated data within 20 days. The extent of the data breach and the ransom demand were not disclosed, prompting GaP Solutions to initiate an investigation.

Similarly, Monmouth Elementary School faced disruption due to a LockBit ransomware attack, prompting the involvement of local, state, and federal law enforcement agencies. The school community rallied to address the incident, emphasizing resilience and adaptability.  

Valorem Reply, a digital transformation firm part of the Reply group, was also targeted by LockBit due to its perceived high value. LockBit threatened to publish stolen data if no contact was made by a specified deadline.

LockBit, a Ransomware-as-a-Service (RaaS) operation active since 2019, is known for its sophisticated evasion tactics and rapid encryption capabilities.  

Despite authorities disrupting its infrastructure in February, LockBit quickly resumed operations, expressing intent to escalate attacks on the public sector. The group employs various extortion methods, including demanding payment for both encrypted data and exfiltrated sensitive information.

One of LockBit's distinguishing features is its use of publicly available file-sharing services and a custom tool called Stealbit for data exfiltration. The group gained notoriety for exposing a significant amount of Boeing data in late 2023 and has demanded exorbitant ransoms, with figures exceeding $50 million. Notably, LockBit targeted Taiwan Semiconductor Manufacturing Company (TSMC) with a $70 million ransom demand.

LockBit's evolution is evident through the release of LockBit 3.0 in 2022, which introduced advanced anti-analysis features and expanded platform compatibility to include macOS. The ransomware employs a custom Salsa20 encryption algorithm and exploits vulnerabilities like Citrix Bleed (CVE-2023-4966) and Remote Desktop Protocol (RDP) for infections and lateral movement within networks.

The group primarily targets large enterprises across various industries, with a preference for organizations capable of meeting high ransom demands, particularly in the healthcare sector. LockBit operates a sophisticated affiliate program, offering generous payouts to attackers. Its reputation within the affiliate community underscores the maturity and profitability of its platform.

BlackBasta

BlackBasta, a ransomware group that emerged in early 2022, has targeted several prominent organizations, including toy retailer Franz Carl Weber and law firm Scullion Law.  

In the case of Franz Carl Weber, BlackBasta claimed to have stolen over 700 GB of sensitive data, primarily consisting of personal information belonging to employees. The group listed Franz Carl Weber as its latest victim on the dark web, threatening to release the data unless a ransom is paid.  

The compromised information includes documents from accounting, employee personal data, and files from the HR department. The parent company of Franz Carl Weber, the German drugstore chain Müller, confirmed the attack and assured that appropriate measures are being taken to address the situation.

Similarly, BlackBasta targeted Scullion Law, adding it to their dark web portal, although no further details about the attack were disclosed. Scullion Law is known for its expertise in various legal areas such as Road Traffic Law, Criminal Law, Property Law, Family Law, and more.

BlackBasta is considered to be highly prolific, with some researchers linking it to disbanded attack groups like Conti and REvil. The group engages in highly targeted attacks and routinely exfiltrates sensitive data from victims for additional leverage in extortion.  

It is believed to only work with a limited group of highly vetted affiliate attackers. BlackBasta has quickly become one of the most prolific attack groups, with reported ransom demands reaching as high as $2 million.

The group's ransomware payloads can infect systems running both Windows and Linux, and it is particularly adept at exploiting vulnerabilities in VMware ESXi on enterprise servers. BlackBasta ransomware is written in C++; it encrypts data with ChaCha20 for speed, then protects the ChaCha20 key with RSA-4096, allowing it to encrypt targeted networks rapidly.

It often leverages malware strains like Qakbot and exploits such as PrintNightmare during the infection process.

BlackBasta targets various industries, including manufacturing, transportation, construction, telecommunications, automotive, and healthcare providers. It employs a double extortion scheme, threatening to release exfiltrated data on an active leaks website if ransom demands are not met.

Akira

Akira, a ransomware group that emerged in March 2023, has conducted attacks on several organizations, including CoreData and Infosoft. CoreData, a company specializing in AI-CORE robotic process automation, fell victim to Akira's attack, with evidence posted on the public platform.  

The ransom value has not been disclosed, with negotiations expected to occur later. Similarly, Infosoft, a New Zealand-owned software development company, reportedly had operational files and personal information compromised by Akira.

Although Akira may have links to the Conti gang, its exact affiliation is challenging to confirm because Conti's source code leaked in 2022. Unlike typical ransomware procedures, Akira includes a chat feature for victims to negotiate directly with attackers.

Additionally, Akira informs paid victims of the infection vectors used, a departure from standard practices among ransomware operators.

Akira operates a Ransomware-as-a-Service (RaaS) platform capable of targeting both Windows and Linux systems. It exploits VPN credentials for initial access and deletes Windows Shadow Volume Copies using PowerShell. Akira encrypts a wide range of file types, excluding critical Windows system files, and abuses legitimate tools like PCHunter64 for evasion.

In 2023, a Linux variant of Akira was detected. The group also exploited a zero-day vulnerability in Cisco's Adaptive Security Appliance (ASA) and Firepower Threat Defense (FTD) software for brute-force attacks. Akira targets organizations across various sectors, including education, finance, and manufacturing, employing data exfiltration for double extortion.

Ransom demands from Akira range from $200,000 to over $4 million, and the group has been observed exploiting VMware ESXi vulnerabilities for lateral movement within networks. Despite the release of a decryptor, its effectiveness has been limited, indicating the group's evolving tactics and techniques to evade detection and recovery efforts.

Medusa

The notorious Medusa ransomware group has targeted Stoney Creek Furniture, a prominent retailer, and Stockholm's Sophiahemmet hospital, indicating the group's widespread and indiscriminate attacks across various sectors.  

Stoney Creek Furniture was threatened by the hacker collective via the dark web, with a ransom demand of $20,000 within four days. Founded about 50 years ago, Stoney Creek Furniture has grown into one of Canada's largest furniture showrooms, known for its extensive range and exceptional customer service.

Sophiahemmet hospital's data, stolen in a cyberattack, was listed for sale on the dark web by Medusa, with a hefty asking price of one million US dollars for data deletion. Sophiahemmet University, associated with the hospital, offers a range of higher education programs, including nursing degrees and advanced specialist nursing programs.

Medusa, a Ransomware-as-a-Service (RaaS) platform, emerged in the summer of 2021 and has since become increasingly active. The group employs sophisticated tactics to evade detection, including restarting infected machines in safe mode and deleting local backups and VSS Shadow Copies to prevent recovery. Medusa typically demands ransom amounts in the millions of dollars, tailored to the target organization's financial capabilities.

The group compromises victim networks through various means, such as malicious email attachments, torrent websites, or malicious ad libraries. Medusa targets multiple industry verticals, with a particular focus on healthcare, pharmaceuticals, and the public sector. It employs a double extortion scheme, exfiltrating data prior to encryption, and offering only up to 60% of the ransom to its affiliate attackers.

Medusa's modus operandi includes terminating over 280 Windows services and processes when run without command-line arguments, demonstrating its sophisticated and aggressive approach to system compromise. While a Linux version may exist, its prevalence remains unclear.
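Several of the behaviours described above are visible in process-creation telemetry before encryption starts: Play disabling Windows Defender through PowerShell, Akira deleting Volume Shadow Copies through PowerShell, and Medusa rebooting into safe mode, deleting VSS copies and stopping hundreds of services. The following Python script is an added detection example, not Halcyon's code or tooling. It runs three per-event rules plus a per-host sliding-window counter for service stops over a handful of constructed Sysmon-style records; the field names, thresholds and sample command lines are assumptions chosen for the example.

```python
import re
from collections import deque
from datetime import datetime, timedelta

# Constructed process-creation records in a Sysmon Event ID 1 style.
# These lines are invented for this example, not taken from any real
# incident, and the field names are assumptions.
SAMPLE_EVENTS = [
    {"ts": "2024-03-05T02:14:07", "host": "ws-12", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe -w hidden Get-WmiObject Win32_Shadowcopy | ForEach-Object { $_.Delete() }"},
    {"ts": "2024-03-05T02:14:09", "host": "ws-12", "user": "CORP\\jdoe",
     "cmdline": "powershell.exe Set-MpPreference -DisableRealtimeMonitoring $true"},
    {"ts": "2024-03-05T02:14:20", "host": "ws-12", "user": "CORP\\jdoe",
     "cmdline": "bcdedit.exe /set {default} safeboot network"},
    # Benign: a DBA restarting one service on a different host.
    {"ts": "2024-03-05T09:00:00", "host": "srv-db1", "user": "CORP\\dba",
     "cmdline": "net.exe stop MSSQLSERVER"},
]
# A burst of 25 service stops on ws-12 inside one minute.
SAMPLE_EVENTS += [
    {"ts": f"2024-03-05T02:15:{i:02d}", "host": "ws-12", "user": "CORP\\jdoe",
     "cmdline": f"net.exe stop svc{i}"}
    for i in range(25)
]

# Per-event rules: a single command line is enough to raise an alert.
RULES = {
    # MITRE T1490 Inhibit System Recovery: shadow copies removed via vssadmin, wmic or WMI
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete|win32_shadowcopy",
        re.I),
    # MITRE T1562.001 Impair Defenses: Defender real-time protection switched off
    "defender_tampering": re.compile(r"set-mppreference\s+-disable\w+|disableantispyware", re.I),
    # Safe-mode boot change, used so that security agents do not load on the next boot
    "safe_mode_boot_config": re.compile(r"bcdedit(?:\.exe)?\s.*\bsafeboot\b", re.I),
}
# MITRE T1489 Service Stop: one stop is routine, dozens in a short window are not.
SERVICE_STOP = re.compile(r"^(?:net1?|sc)(?:\.exe)?\s+stop\b|^taskkill(?:\.exe)?\s", re.I)


def match_event(event):
    """Names of the per-event rules that fire on one record."""
    return [name for name, rx in RULES.items() if rx.search(event["cmdline"])]


def service_stop_bursts(events, threshold=20, window=timedelta(minutes=2)):
    """Sliding-window count of service-stop commands per host.

    Returns {host: peak_count} for every host that reached the threshold
    inside any window. Threshold and window are tuning assumptions.
    """
    recent = {}  # host -> deque of timestamps still inside the window
    peaks = {}
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not SERVICE_STOP.search(ev["cmdline"]):
            continue
        ts = datetime.fromisoformat(ev["ts"])
        q = recent.setdefault(ev["host"], deque())
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold:
            peaks[ev["host"]] = max(peaks.get(ev["host"], 0), len(q))
    return peaks


def triage(events):
    """Combine both detections into one report keyed by host."""
    flagged = []
    for ev in events:
        for rule in match_event(ev):
            flagged.append((ev["host"], ev["ts"], ev["user"], rule))
    bursts = service_stop_bursts(events)
    hosts = sorted({f[0] for f in flagged} | set(bursts))
    return {"flagged": flagged, "bursts": bursts, "hosts": hosts}


if __name__ == "__main__":
    report = triage(SAMPLE_EVENTS)
    for host, ts, user, rule in report["flagged"]:
        print(f"{ts} {host} {user}: {rule}")
    for host, n in report["bursts"].items():
        print(f"{host}: {n} service stops inside a 2-minute window")
```

On the constructed sample the per-event rules fire three times on ws-12 and the burst counter reports 25 stops there, while the lone `net stop` on srv-db1 stays below the threshold. In production the same logic would read Sysmon or Windows 4688 events from a SIEM; the value of the burst rule is that it catches mass service termination even when the individual commands are ordinary administrative tools.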

Halcyon.ai is the leading anti-ransomware company that closes endpoint protection gaps and defeats ransomware through built-in bypass and evasion protection, key material capture, automated decryption, and data exfiltration prevention – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.