Ransomware on the Move: Play, NoEscape, ALPHV, DonutLeaks


October 31, 2023

World map

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here's the ransomware gangs on the move last week:


The Play ransomware gang is known for its attacks on various organizations and was particularly active last week. One of its victims was Polar Tech Industries, a company specializing in temperature-sensitive packaging and thermal protection products.  

These products are essential for safely transporting and storing perishable goods and pharmaceuticals. Play posted Polar Tech Industries on its data leak site, threatening to reveal stolen data unless a ransom was paid.

Another Play victims last week was Venture Plastics, a plastic injection molding company serving a wide range of industries. Play posted Venture Plastics to its data leak site, issuing a similar threat.

Play also attacked The Fountain Group, a recruitment company in Florida – and Tru-Val Electric, an electrical contractor in New Jersey - threatening to expose stolen data from these organizations.

Play then attacked Milk Source, a major dairy farming company in the US that focuses on sustainable and environmentally friendly farming practices, and it, too, was threatened by the release of stolen data.

Lastly, Play has also attacked Radise International, an infratech organization headquartered in the USA. Play demanded a ransom from this organization, with a threat to publish the data if not paid.

Play, also known as PlayCrypt, employs various tactics to compromise its victims. They are known for using vulnerabilities in Fortinet SSL VPN to gain access and employ various tools, such as Process Hacker, GMER, and PowerTool, to bypass security solutions.  

Play has even targeted high-profile entities like the City of Oakland, Argentina's Judiciary, and the German hotel chain H-Hotels. They have a reputation for using tools like Cobalt Strike for lateral movement, while also developing custom data exfiltration tools.


The NoEscape ransomware gang targeted organizations like Mister Minit Europe, a well-known retail chain focused on key cutting, shoe repair, and other maintenance and repair services. The threat was that 48GB of stolen data would be published if a ransom wasn't paid.

Motorcycles of Charlotte and Greensboro, two motorcycle dealerships in North Carolina, USA, were also attacked by NoEscape. The group threatened to publish 4GB of stolen data if a ransom wasn't paid.

NoEscape, which emerged as a Ransomware-as-a-Service (RaaS), is known for rapidly escalating its attack volume and offering 24/7 technical support to its affiliates. It's believed to have some of the most attractive profit-sharing arrangements with affiliates.


The Law Offices of Julian Lewis Sanders & Associates, a law firm in Atlanta, Georgia, was targeted by the BlackCat/ALPHV ransomware gang. The attackers posted the law firm's data on their leak site.

Additionally, Portage Township Schools, a public school district in Portage, Indiana, had 400GB of organizational data stolen and held for ransom by BlackCat/ALPHV.

BlackCat/ALPHV is known for its highly advanced RaaS platform, fast encryption, and multiple means of extortion. It has targeted various industries, including healthcare, pharmaceuticals, and manufacturing.


United Automotive Electronics, an automotive parts supplier in the USA, was attacked by the LockBit ransomware gang. The group demanded a ransom, threatening to publish the stolen data if not paid.

McCarter Grespan, a law firm in Kitchener, Canada, also became a victim of LockBit. While no further details were provided, it highlights the widespread reach of ransomware attacks.

LockBit is known for its ability to evade security tools and its practice of demanding high ransoms, sometimes exceeding $50 million. It was particularly active in 2022 and continued its dominance in 2023.


SAFPRO, a personal protective equipment (PPE) supplier based in Gloucester, England, was targeted by the Medusa ransomware gang, with stolen data exposed on their leak site.

Native Counselling Services of Alberta (NCSA), an organization providing support services to Indigenous communities in Alberta, Canada, was also attacked by Medusa, resulting in the exposure of stolen data.

Medusa emerged as a RaaS in the summer of 2021. They typically demand high ransoms, with a focus on healthcare, pharmaceuticals, and public sector organizations.


New Concept Technology, a manufacturing solutions provider in the USA, was attacked by the Cuba ransomware gang. The attackers exposed all the stolen data.

Cuba, which emerged in 2019, has been increasing its activity throughout 2022 and 2023. They are known for exploiting vulnerabilities, phishing, and abusing RDP credentials to access their targets.


Southland Integrated Services, a healthcare and social services provider in Orange County, California, had 40GB of data stolen by the Akira ransomware gang.

The Royal College of Physicians and Surgeons of Glasgow, a medical organization based in Scotland, was also targeted by Akira. This group emerged in March 2023 and may have links to the Conti gang.

What's unique about Akira is its chat feature, allowing victims to negotiate directly with the attackers. They also inform victims who've paid a ransom about the infection vectors used in the attack.


Sidock, a firm specializing in engineering and civil planning, was targeted by the DonutLeaks ransomware gang. This group first emerged when an employee of one of the victims revealed a breach.

DonutLeaks is unique in that it operates a shaming blog and a data storage site on the Tor network, where stolen data is made available for public access.


Simpson Strong-Tie, a company offering structural solutions for the construction industry, became a victim of the BlackBasta ransomware gang. The attackers claimed to have stolen sensitive information from the company.

BlackBasta emerged in early 2022 and is believed to be an offshoot of the Conti and REvil groups. They focus on exfiltrating sensitive data from their victims and have been particularly active in 2023.


SURTECO North America, a division of the global SURTECO Group specializing in surface technologies, was attacked by the 8Base ransomware gang. The stolen data was exposed on the group's leak site.

8Base, emerging in 2022, has shown a massive spike in activity in 2023. They tend to focus on the business services, manufacturing, and construction sectors.

In the world of cybersecurity, these ransomware groups pose a significant threat to organizations across various industries. Their attacks have the potential to disrupt operations, compromise sensitive data, and lead to significant financial losses. Organizations must remain vigilant and invest in robust cybersecurity measures to protect themselves from these evolving threats.

Halcyon.ai is the industry’s first dedicated, adaptive security platform that combines multiple advanced proprietary prevention engines along with AI models focused specifically on stopping ransomware – talk to a Halcyon expert today to find out more. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.