Ransomware on the Move: 8Base, Cactus, INC Ransom, Qilin
Halcyon publishes a quarterly RaaS and data extortion group guide, Power Rankings: Ransomware Malicious Quartile - here are the ransomware gangs on the move last week: 8Base, Cactus, INC Ransom, and Qilin...
Ransomware attacks continue to dominate the cybersecurity landscape, targeting organizations across various sectors with increasing sophistication. This week, we saw significant activity from several prominent ransomware groups, each employing unique tactics to breach systems and extort victims.
In this report, we highlight the latest developments from 8Base, Cactus, Qilin, and INC Ransom, summarizing their recent attacks and impact:
- 8Base: Targeting small and medium-sized businesses across diverse industries, 8Base has ramped up its operations, compromising sensitive corporate and municipal data.
- Cactus: Known for its advanced techniques, Cactus has continued to expand its global reach, exposing critical data from high-profile organizations.
- Qilin: A Ransomware-as-a-Service (RaaS) group using advanced encryption methods, Qilin has targeted manufacturing and industrial sectors with devastating breaches.
- INC Ransom: Focused on healthcare and public sectors, INC Ransom employs double-extortion tactics to disrupt critical operations and steal sensitive information.
In our Weekly Mini, we explore an intriguing investigation into Babuk2, a suspicious group that cybersecurity experts have questioned. This analysis reveals how cybercriminals impersonate established ransomware groups and what such deception means for the broader threat landscape.
Weekly Highlight: 8Base
8Base, a ransomware group active since March 2022, experienced significant growth in operations during 2023. As of February 2025, it remains one of the most active ransomware groups, focusing on small and medium-sized organizations. The group's attacks target diverse industries, including business services, manufacturing, construction, finance, IT, and healthcare.
This week, their activity underscores their capability to infiltrate organizations across sectors, particularly targeting medium-sized businesses:
- A U.S.-based provider of secure locker storage solutions has been hit by the 8Base ransomware group. The attackers have claimed responsibility for the breach and say they have stolen significant amounts of sensitive corporate data. They threaten to release this information to contractors, competitors, fraudsters, journalists, and data breach authorities. The stolen data reportedly includes critical documents like invoices, receipts, accounting records, and personal information of employees and customers. The compromised files also contain certificates, employment contracts, confidential business agreements, and other sensitive records. Though 8Base has not publicly stated their ransom demands, they say they will proceed with releasing all data due to the victim's lack of cooperation.
- A European municipality, which oversees several villages and provides municipal services like population management, landscaping, transportation, ecology, and education, suffered a major ransomware attack in early February 2025. The attackers breached the municipality's systems and stole large amounts of sensitive data. The stolen information includes invoices, receipts, accounting documents, personal data, certificates, employment contracts, confidentiality agreements, and personal files. In their statement, the attackers threatened to release this information to contractors, competitors, fraudsters, journalists, and data breach authorities.
Weekly Highlight: Cactus
Cactus ransomware, which emerged in March 2023, has become a major cybersecurity threat with over 100 organizations compromised globally. The malware employs sophisticated techniques like double extortion and self-encryption, primarily targeting VPN appliances and Qlik Sense servers through vulnerabilities and phishing attacks.
After breaching systems, the group conducts network scanning, deploys remote access tools, and disables security measures. As of January 2025, Cactus remains highly active and continues to expand its target base:
- A U.S.-based retailer of off-price apparel and medical uniforms has suffered a significant data breach claimed by the Cactus ransomware group. The company faces serious consequences from this cyberattack. The hackers have exposed extensive sensitive data, including customer and employee personal information, database backups with credit card details, internal communications, employee files, corporate documents, and financial records. The attackers have verified the breach by releasing images of sensitive materials.
- A major retail apparel and fashion company with executive headquarters in California and showrooms in multiple U.S. cities has fallen victim to a Cactus ransomware attack. The company suffered a significant data breach in which attackers stole sensitive materials, including personal information (PII), customer database backups, employee hard drives, financial records, design documents, and corporate communications. Cactus has already published some of these stolen files, including sensitive and personal data, on dark web platforms. The company has not yet issued a comprehensive statement about the attack's impact or their response plans.
From The Big Leagues: Qilin
Qilin, a Ransomware-as-a-Service (RaaS) operation active since July 2022, uses double extortion tactics to both encrypt and threaten data leaks. Written in Golang and Rust, their malware targets both Windows and Linux systems.
Their latest variant, Qilin.B, launched in October 2024 with improved encryption and evasion capabilities, including the ability to terminate security processes and clear system logs.
This week, the group has adopted a strategy of releasing evidence screenshots to pressure victims into paying ransoms:
- A prominent Swedish manufacturer of advanced polymer compounds has fallen victim to the Qilin Ransomware group. According to the attackers, the breach occurred due to major IT security vulnerabilities at the company's Americas division. The attackers have stolen sensitive data from numerous departments including Finance, Human Resources, Accounting, Engineering, Logistics, Production, Purchasing, Quality, Safety, and Recipe Control. The group has provided screenshots of the stolen files as proof of the breach.
- A Japanese manufacturer of precision parts and high-quality components has been targeted by the Qilin Ransomware group. The attackers claim to have stolen 502.5 GB of data, containing 332,535 files. The compromised information includes emails, reports, maintenance records, restricted drawings, production data, cost analyses, labor records, pricing documents, packing details, quality control files, employee information, database backups, and customer data from major automotive clients. The attack occurred on January 19, 2025. While investigators have identified the likely attack vector, they continue to assess the full extent of the data breach. Despite this incident, the company maintained continuous production by quickly shutting down affected servers and isolating their networks, minimizing the attack's impact.
From The Big Leagues: INC Ransom
INC Ransom, active since mid-2023, is a sophisticated ransomware operation targeting healthcare, manufacturing, and professional services using double-extortion tactics. The group expanded its capabilities by releasing a Linux ransomware variant in late 2023.
While reports emerged in mid-2024 that another ransomware group had obtained INC Ransom's source code, these claims remain unconfirmed. This week, INC Ransom continued its focus on healthcare and public sectors, strategically targeting municipal entities and healthcare providers that manage critical and sensitive data:
- A prominent independent day school in Florida fell victim to a ransomware attack. The school serves approximately 1,950 students from Pre-K through 12th grade with a rigorous college preparatory curriculum. The cyberattack disrupted school operations by compromising digital infrastructure and potentially exposing sensitive data. Though the school has not disclosed the specifics of the ransom demand or the extent of the data breach, officials confirmed they are working with cybersecurity experts to investigate and restore affected systems.
- A tribal medical clinic disclosed a cybersecurity breach targeting its servers during the Christmas period. Clinic officials immediately suspended affected systems, notified authorities, and brought in third-party cybersecurity experts to handle the breach. The clinic is now evaluating the situation and restoring network functionality, including implementing software updates. Currently, there is no evidence of compromised patient or employee data. Officials have confirmed that other tribal systems remain unaffected. While full system restoration will take time and require temporary adjustments to some patient services, the clinic is committed to keeping patients informed through various communication channels.
Impact, Response and Statements
This week's ransomware activity demonstrates cybercriminals' increasing boldness. Multiple organizations suffered major data breaches, with attackers claiming to have stolen vast amounts of sensitive information. These incidents notably targeted institutions storing personal data of employees, customers, and students.
Despite the severity of these attacks, organizations followed a well-established response protocol: immediately shutting down compromised systems, engaging security experts, collaborating with law enforcement, and implementing measures to protect affected individuals.
INC Ransom has claimed responsibility for breaching a state lottery organization, allegedly stealing a 750 GB SQL database containing private client data. The organization confirmed it is investigating an "internal cybersecurity incident." It has hired an external cybersecurity team and is working with law enforcement. Employees have been instructed to monitor their accounts and report suspicious activity. As a precaution, credit monitoring and identity theft protection services are being offered to employees. The organization has confirmed that its games and operational technology systems remain unaffected. As proof of the breach, the hackers have posted screenshots of the allegedly stolen data on their dark web site.
Rhysida Ransomware group has targeted a Canadian school division, stealing sensitive data and releasing screenshots of compromised files containing personally identifiable information (PII). Investigators confirmed the breach affected student records from 2014 onward, including names, birth dates, addresses, health information, and other personal details, though international students' financial data remained secure.
The attack potentially compromised the staff payroll database dating back to 2009, containing employee personal and financial information. In response, the school division engaged cybersecurity experts, implemented system shutdowns, notified authorities, and condemned the targeting of an educational institution while expressing regret for the incident.
Weekly Mini: Why Do Cybersecurity Experts Consider Babuk2 a Fake Group?
Recent analysis by cybersecurity experts has revealed compelling evidence that Babuk2 is not a legitimate ransomware group. Instead, it appears to be an impersonator attempting to capitalize on the reputation of the original Babuk operation, which shut down in 2021.
The group's activities show clear signs of deception, particularly in their handling of stolen data. Here are the key findings that support this conclusion:
- Recycled Data from Other Groups: Babuk2 duplicates previously leaked data from ransomware groups like RansomHub, FunkSec, and LockBit. The group copies both the datasets and the exact phrasing from other threat actors' announcements. This pattern clearly indicates that Babuk2 is not conducting its own attacks.
- Lack of Connection to the Original Babuk Group: Researchers have found no evidence linking Babuk2 to the original Babuk ransomware operation. The current iteration appears to be using the old group's name and branding to exploit its reputation, but there is no continuity in terms of operations, tactics, or infrastructure.
- Impersonation Tactics: Babuk2's darknet leak site deliberately copies the design and logos of the original Babuk group to appear legitimate. However, researchers have discovered that a new administrator runs the site with no verifiable connection to the original group.
- No Unique Victims: All of Babuk2's claimed victims have already been listed by other ransomware groups. The absence of any new or exclusive breaches further discredits their claims of being an active ransomware operation.
- Growing Trend of Data Recycling: Babuk2's behavior is consistent with a growing trend among cybercriminals to recycle previously leaked data in an attempt to extort victims again or generate attention. This tactic, while deceptive, does not reflect the operational sophistication of a legitimate ransomware group.
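As an added example (not part of the Halcyon post), the two checks that drive these findings, duplicate victims and copied announcement wording, applied to constructed sample leak-site postings; the group names, victims, dates and text are all made up for illustration:

```python
"""Triage check for leak-site claims, in the spirit of the Babuk2 analysis:
flag a group's claimed victims that were already listed by another group, and
announcements whose wording closely matches another group's earlier post.
The postings below are constructed sample data, not real leak-site content."""
import re

# Constructed sample postings: (group, victim, date, announcement text).
POSTS = [
    ("RansomHub", "victim-a", "2024-11-02",
     "We have downloaded 300 GB of financial records, contracts and employee files. "
     "The company refused to negotiate. Full data will be published in 7 days."),
    ("LockBit", "victim-b", "2024-12-15",
     "All internal documents, database backups and HR data have been exfiltrated."),
    ("Babuk2", "victim-a", "2025-02-01",
     "We have downloaded 300 GB of financial records, contracts and employee files. "
     "The company refused to negotiate. Full data will be published in 7 days."),
    ("Babuk2", "victim-b", "2025-02-03",
     "All internal documents, database backups and HR data have been exfiltrated."),
    ("Cactus", "victim-c", "2025-02-05",
     "Customer database backups with card details and internal mail were taken."),
]

def shingles(text, n=3):
    """Lower-cased word n-grams, used for a simple Jaccard overlap."""
    words = re.findall(r"[a-z0-9]+", text.lower())
    return {tuple(words[i:i + n]) for i in range(max(len(words) - n + 1, 0))}

def jaccard(a, b):
    return len(a & b) / len(a | b) if a or b else 0.0

def assess_group(group, posts, text_threshold=0.6):
    """Return (unique_victim_count, findings) for `group`. A finding records a
    victim another group claimed earlier, or a post whose text overlaps an
    earlier post from another group at or above text_threshold."""
    findings, unique = [], 0
    for g, victim, date, text in posts:
        if g != group:
            continue
        prior = [p for p in posts if p[0] != group and p[2] < date]
        dup_by = sorted({p[0] for p in prior if p[1] == victim})
        copied_from = sorted({p[0] for p in prior
                              if jaccard(shingles(text), shingles(p[3])) >= text_threshold})
        if dup_by:
            findings.append((victim, "duplicate_victim", dup_by))
        if copied_from:
            findings.append((victim, "copied_text", copied_from))
        unique += 0 if dup_by else 1  # a victim nobody else listed first
    return unique, findings
```

Run against the sample data, Babuk2 ends with zero unique victims and every post flagged on both checks, while Cactus keeps its one unique claim.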
Cybersecurity experts consider Babuk2 a fraudulent operation that merely exploits the original Babuk ransomware group's reputation. By recycling stolen data and showing no original activity, they reveal themselves as opportunistic imitators rather than a genuine threat.
The Babuk2 case illustrates an important lesson: emerging ransomware groups aren't always new threats; sometimes they're just imposters trying to profit from established names while lacking real operational capabilities.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.