Ransomware on the Move: Cl0p, FunkSec, Akira, RansomHub

Published on January 9, 2025

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: Cl0p, FunkSec, Akira, and RansomHub...

In this week's Ransomware on the Move, we examine the most significant ransomware activities and cybersecurity incidents from the last week of 2024:

  • Cl0p: A sophisticated threat actor exploiting file transfer software vulnerabilities, compromising over 65 organizations in their recent campaign
  • FunkSec: A politically motivated group that emerged in early December 2024, targeting multiple sectors across countries using double extortion tactics
  • Akira: A notorious Ransomware-as-a-Service platform causing widespread concern with sophisticated data exfiltration techniques
  • RansomHub: An active group targeting large enterprises and critical infrastructure, using advanced pressure tactics and data extortion strategies

We examine multiple high-profile attacks, analyzing how organizations respond: from denials of breach to full acknowledgments of them. These cases reveal ransomware groups' evolving strategies and highlight the challenges organizations face in balancing cybersecurity with stakeholder communications. Our Weekly Mini section examines Cl0p's recent 66-attack campaign that exploited Cleo's platform vulnerabilities.

Weekly Highlight: Cl0p

Cl0p ransomware, active since 2019, has established itself as a major threat actor specializing in exploiting vulnerabilities in managed file transfer (MFT) software. Their recent focus on Cleo's Harmony, VLTrader, and LexiCom software demonstrates their expertise in using zero-day vulnerabilities for large-scale extortion.

Through these vulnerabilities, Cl0p has claimed more than 65 victims in their current campaign. Cleo has patched these vulnerabilities and is urging users to update their software and strengthen their cybersecurity measures. More details are included in our weekly mini:

  • A major supply chain management company faces two separate ransomware incidents. In December, the Cl0p ransomware group claimed it breached the company by exploiting a zero-day vulnerability in Cleo's file-sharing software. Though Cl0p attempted to extort the company, the company reportedly did not respond to these demands. The company maintains this incident is unrelated to a November attack by the Termite ransomware group. The earlier breach disrupted operations at several major retail chains, with Termite claiming to have stolen 680 GB of sensitive data. Addressing the Cl0p incident, a company spokesperson confirmed their use of Cleo software and its subsequent patching. While assessing potential impacts, they promise to keep customers updated.
  • A manufacturing company has been listed in a breach announcement by the Cl0p ransomware group, which claims to have accessed data through Cleo software vulnerabilities. The group stated they are contacting affected companies to establish "special secret chat" communications. This incident highlights the persistent threat of ransomware groups targeting supply chain weaknesses, as Cl0p exploits software platforms to breach multiple organizations at once. The extent of compromised data remains unclear, and no public statement has been issued.

Weekly Highlight: FunkSec

FunkSec, a cybercrime group that emerged in late 2024, operates through a Tor-based data leak site and uses double extortion tactics that combine file encryption with data theft. The group has claimed responsibility for 11 breaches across media, IT, retail, and educational institutions in the United States, France, India, and Tunisia, with their total documented attacks exceeding 40 in December alone.

Their strategy merges sophisticated ransomware attacks with data brokering. They keep ransom demands low through their public Bitcoin wallet while selling stolen data to third parties at discounted rates. This distinctive approach has drawn considerable attention in cybercrime forums.

  • A major international airline - FunkSec has reportedly offered for sale administrative access to the airline's digital infrastructure, including webmail, administrative portals, and lines portals. The breach was discovered on December 26, 2024. While the size of the data leak remains unspecified, FunkSec is offering five access points to their website for $5,000 in Bitcoin, with negotiable pricing.
  • A European sporting goods retailer has been targeted by the FunkSec ransomware group. The attack, discovered on December 30, 2024, resulted in FunkSec claiming to have stolen significant data, including the entire database, website data, and the personal information, emails, and invoices of 7,000 customers. The group has set a $5,000 ransom with a January 1, 2025, deadline, promising data confidentiality if paid. If payment isn't made within four days, FunkSec threatens to release the data publicly or sell it to interested parties for $500.

From the Big Leagues: Akira

Akira has become one of the most active threat actors this week with multiple sophisticated attacks. Operating as a Ransomware-as-a-Service (RaaS) platform, Akira targets organizations with valuable business assets, including financial documents, intellectual property, and sensitive personal information:

  • A law firm specializing in personal injury and medical malpractice has fallen victim to an Akira ransomware attack. The attackers claim to have stolen over 15 GB of sensitive documents, including passports, driver licenses, internal financial records, and client and employee contact information. This breach creates serious privacy and security risks that could lead to identity theft and other criminal activities. The firm has not commented on the incident.
  • A major regional newspaper recently experienced a cyberattack affecting several internal systems. The publication's Technology team quickly activated security protocols after detecting suspicious network activity. Their prompt response contained the intrusion and restored operations swiftly. Though the newspaper maintained its content publication, the attack disrupted some printed sections. All digital platforms remained operational throughout the incident. The newspaper has filed a criminal complaint to investigate the breach.

From the Big Leagues: RansomHub

RansomHub has proven to be a highly active threat actor during this period, conducting targeted attacks across diverse sectors. Their operations predominantly focus on large enterprises and critical infrastructure, though they maintain capabilities to target organizations of any size.

Their latest campaign demonstrates an evolution in tactics, incorporating sophisticated pressure mechanisms such as legal intimidation and data extortion strategies:

  • A major Asian construction firm has been targeted by the RansomHub ransomware group. The attack, disclosed on January 2, 2025, resulted in the theft of approximately 2 terabytes of sensitive data. The stolen information includes personal data of over 1,500 employees as well as corporate emails, financial records, project details, contracts, tenders, and architectural drawings. The organization is working to mitigate the attack's impact and strengthen its systems.
  • A security systems provider is also facing a RansomHub attack. The group claims to have stolen 45 GB of sensitive data and threatens to release it within 35 days. The compromised information includes presentations, VIP client details, affiliate agreements with major companies, client communications, personal documents, reports, and internal records. The breach poses significant risks to the company's operations and client privacy.

Impact, Response, and Statements

This week's cybersecurity incidents highlight a complex landscape of corporate responses to ransomware threats, as major organizations face varying levels of exposure. Organizations demonstrate distinct patterns in managing and communicating security breaches, from outright denials to transparent acknowledgments.

The incidents showcase sophisticated attack strategies that combine data theft threats with specific ransom deadlines, particularly targeting organizations during sensitive business transitions:

  • A European IT services company has rejected Space Bears ransomware group's claims of a data breach. The group, active for about a year with over 30 claimed victims, listed the company on its darknet extortion site on December 28. They alleged a company data breach and threatened to publish the information by January 8. The company's investigation found no evidence of system compromise, ransomware, proprietary data breach, or source code theft. The company also confirmed it had received no ransom demands. Instead, they explained that Space Bears had accessed external infrastructure containing company name references but unconnected to operations. The company emphasized its security capabilities, citing its global team of cybersecurity experts and security operations centers.
  • A major insurance provider faces ransomware claims from the RansomHub group, which alleges breaching the company's Latin-American division and stealing 1 TB of data. The attackers have set a January 12, 2025, ransom deadline and leaked documents allegedly from a pension fund administrator. The leaked materials include crisis meeting minutes, company IP address lists, and executive files. The insurance provider has denied any breach of its Latin-American division, stating that the incident affects only a financial services subsidiary. A spokesperson stated that the subsidiary operates independently from the main systems, which remain uncompromised. Though the leaked data allegedly involves multiple countries, the company maintains that the breach is isolated and has not impacted its core operations.
  • An aviation company has become a target of the Hunters International ransomware group, which claims to have stolen 1.9 TB of company data. The airline confirmed that, thanks to swift incident response, all operationally critical services remain secure and unaffected. They are working with authorities, regulatory bodies, and external cybersecurity experts to investigate the breach, ensure legal compliance, and address the situation comprehensively. As the investigation continues and the full scope of affected data remains under assessment, the airline has pledged to notify any impacted parties. They emphasized their commitment to cybersecurity and operational integrity, stressing the need for heightened vigilance during high-risk periods like the holiday season. The company recommends implementing strong passwords, multi-factor authentication, and secure device management to protect against potential threats.

Weekly Mini: How Cl0p Executed a 66-Attack Campaign

In late December 2024, Cl0p exploited two critical vulnerabilities in Cleo's platforms (CVE-2024-50623 and CVE-2024-55956), allowing unauthorized file uploads, data theft, and remote code execution. Though Cleo quickly deployed patches, the threat actors had already compromised at least 10 organizations. Cl0p deployed a custom Java-based malware called "Malichus" to maintain persistent access and escalate their attacks.

The campaign eventually affected more than 60 organizations, showcasing Cl0p's sophisticated tactics and double extortion approach. The group employed a dual-pressure strategy by encrypting data while threatening to release sensitive information through torrent networks. This method reflects Cl0p's expertise in exploiting supply chain vulnerabilities for maximum impact, highlighting the serious risks to organizations using vulnerable enterprise software.

Organizations using Cleo products should take immediate action: install all security patches, limit external-facing access points, and increase monitoring for signs of compromise, specifically unauthorized file operations and Malichus backdoor signatures. This widespread attack campaign reveals the growing capabilities of Cl0p and similar ransomware groups.
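As an added illustration of the monitoring step above (example code written for this page, not Halcyon's, Cleo's, or any vendor's tooling), the Python below baselines a directory tree with SHA-256 hashes and flags files that appear, change, or disappear between two snapshots, rating newly dropped or modified executable content such as .jar files highest. The directory layout, file names, and the "dropped.jar" change are constructed for the demo; the script assumes nothing about Cleo's real install paths or Malichus file names, which this post does not give. In practice you would point it at the directories your MFT product writes to and forward the alerts to your SIEM.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# File types that should rarely appear or change on an MFT host outside a patch window.
SUSPICIOUS_SUFFIXES = {".jar", ".class", ".jsp", ".ps1", ".bat", ".exe", ".dll", ".sh"}


def file_digest(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large transfer payloads do not exhaust memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: Path) -> dict[str, str]:
    """Map each file's POSIX-style relative path under root to its SHA-256 digest."""
    return {
        p.relative_to(root).as_posix(): file_digest(p)
        for p in root.rglob("*")
        if p.is_file()
    }


def diff_snapshots(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Return paths that were added, removed, or whose content hash changed."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    return {"added": added, "removed": removed, "modified": modified}


def classify(findings: dict[str, list[str]]) -> list[dict[str, str]]:
    """Turn raw diff results into alerts; executable content written to the tree is rated high."""
    alerts = []
    for rel in findings["added"] + findings["modified"]:
        suffix = Path(rel).suffix.lower()
        if suffix in SUSPICIOUS_SUFFIXES:
            alerts.append({"path": rel, "severity": "high",
                           "reason": f"new or modified executable content ({suffix})"})
        else:
            alerts.append({"path": rel, "severity": "medium",
                           "reason": "unexpected file change"})
    for rel in findings["removed"]:
        alerts.append({"path": rel, "severity": "low", "reason": "file removed"})
    return alerts


def demo() -> list[dict[str, str]]:
    """Constructed scenario: baseline an MFT host's config tree, then simulate an unexpected drop."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "conf").mkdir()
        (root / "conf" / "server.properties").write_text("port=5080\n")
        (root / "hosts").mkdir()
        (root / "hosts" / "partner.xml").write_text("<host name='partner'/>\n")
        baseline = snapshot(root)

        # Constructed post-baseline changes: a jar appears and a config file is edited.
        (root / "conf" / "dropped.jar").write_bytes(b"PK\x03\x04constructed-sample")
        (root / "conf" / "server.properties").write_text("port=5080\nextra=1\n")

        findings = diff_snapshots(baseline, snapshot(root))
        return classify(findings)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Run it unchanged to see the two alerts from the constructed scenario; for real use, persist the baseline snapshot after each legitimate patch and compare against it on a schedule, so that the `added` and `modified` lists stay empty between changes you authorized.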

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
