Ransomware on the Move: Funksec, 8Base, Black Basta, RansomHub

Published on December 19, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: Funksec, 8Base, Black Basta, and RansomHub…

Last week, ransomware activity featured notable campaigns from groups like 8Base, Black Basta, and RansomHub, alongside the emergence of newcomer Funksec. These actors targeted healthcare, manufacturing, technology, and government sectors, employing data exfiltration and advanced double extortion tactics to pressure victims:

  • FunkSec: An emerging ransomware group employing double extortion tactics, FunkSec claimed responsibility for over 10 breaches across multiple sectors globally. Their attacks often involve data theft, encryption, and dark web negotiations.
  • 8Base: Active since 2022, 8Base targeted small to medium sized businesses (SMBs) and critical sectors, using phishing and vulnerabilities to steal and encrypt data. Recent attacks involved significant data breaches, notably at the Port of Rijeka and Iseki Agricultural Machinery Co., Ltd.
  • Black Basta: A dominant ransomware group with over 500 documented attacks, Black Basta targets healthcare, finance, and manufacturing sectors. Recent campaigns involved large scale data exfiltration, impacting organizations like Snatt Logistica Spa and Medica Corporation.
  • RansomHub: A Ransomware as a Service (RaaS) group, RansomHub focuses on high value organizations, leveraging stolen data for ransom. Notable victims include Frigopesca and LaSalle Investment Management.

In our weekly mini, we keep up with emerging groups. Recent ransomware groups SafePay, Termite, Kairos, and Interlock have shown aggressive activity, targeting healthcare, government, and manufacturing sectors. Their operations reveal increasing sophistication and expanding influence.

Weekly Highlights: Funksec

FunkSec, a notable newcomer this week, is an emerging ransomware group. Its claims across different attacks consistently feature variations of the phrase "Gmail emails, phone numbers, and secret keys."

While victims have not yet verified FunkSec's claims, one notable case shows only the company name remaining on their victim list, with all other details removed. Details about ransom amounts, compromised file types, volumes, and encryption status remain unknown. The group posted "deal finish to pay" on the dark web, suggesting completed negotiations.

FunkSec emerged in December 2024, operating a Tor-based data leak site (DLS). They claim over 10 breaches across the media, IT, retail, and education sectors in the United States, France, India, and beyond. The group uses double extortion tactics, combining data theft with encryption. Their DLS features breach announcements, an in-house DDoS tool, and placeholders for future ransomware capabilities.

The group's reputation is growing through attributions on cybercrime forums. FunkSec operates as both a ransomware group and a possible data broker, showing a diversified extortion approach.

  • Smart IT Partner, a technology solutions provider, suffered a ransomware attack by FunkSec. The attackers stole a 5GB database and released it publicly. The leak contains phone numbers, ID details, secret keys, hashed secrets, birthdates, and Gmail addresses. Smart IT Partner provides software, infrastructure management, and cybersecurity solutions for client operations and digital transformation.

From The Big Leagues: 8Base

The 8Base ransomware group emerged in March 2022, targeting small and medium-sized businesses (SMBs). The group uses tools like SmokeLoader and Phobos variants, conducting attacks through phishing emails and security vulnerabilities to steal and encrypt critical data. Their activities and tactics have made them a notable concern.

During this period, 8Base reportedly showed their strategic focus by claiming to steal sensitive business data including invoices, accounting records, employee files, and confidentiality agreements to maximize their ransom leverage. They claim their attacks targeted multiple sectors, from critical infrastructure to manufacturing, software development, waste management, and business services.

  • The Port of Rijeka, a major Croatian dry cargo hub operated by Luka Rijeka d.d., suffered a cyberattack by 8Base. The attackers stole extensive sensitive data, including invoice receipts, accounting records, personal information, certificates, employment contracts, and confidential documents. A senior official confirmed the attack occurred during the previous weekend. No ransom was paid, and the port restored systems using backups and resumed operations.
  • Iseki Agricultural Machinery Co., Ltd., Japan's third largest agricultural machinery manufacturer, was targeted by 8Base. The attackers stole sensitive data including invoices, accounting documents, personal information, certificates, and contracts. On November 27, 2024, subsidiary Iseki Hokkaido Co., Ltd. confirmed that ransomware had encrypted data on several servers. The company is restoring systems, has notified authorities, and has engaged cybersecurity experts. They enhanced security measures, isolated their network, and will provide updates as the investigation continues.

From The Big Leagues: Black Basta

Black Basta operates under a closed affiliate model, targeting the healthcare, finance, and manufacturing sectors. With over 500 documented attacks across North America, Europe, and Australia, it maintained dominance in 2024 according to Halcyon's most recent rankings. Black Basta's technical ties to Conti and BlackMatter suggest shared resources or rebranding.

Black Basta's recent large-scale data exfiltration campaign averages over 900 GB per attack, targeting financial records, personal data, NDAs, and R&D materials. By focusing on key service and infrastructure sectors, Black Basta maximizes ransom leverage through data-rich organizations.

  • Snatt Logistica Spa was targeted, with Black Basta claiming 1.5 terabytes of stolen data including financial records, personal information, and confidential documents. Ransom deadline: December 12, 2024. Operating as Snatt in Italy and Omlog internationally, they provide logistics for luxury, fashion, and lifestyle industries. This breach could severely impact operations and client security.
  • Medica Corporation, a diagnostic blood testing analyzer manufacturer, suffered a breach compromising 1.5 terabytes of corporate, financial, and accounting data, including employee records and R&D materials. The company hasn't disclosed ransom demands or the attacker's identity.

From The Big Leagues: RansomHub

RansomHub, emerging in February 2024, gained prominence through its aggressive affiliate model after the disruption of ALPHV/BlackCat and LockBit. Within six months, they claimed 210 victims on their dark web leak site, targeting high value organizations.

RansomHub targets large organizations with vast data holdings, stealing intellectual property, operational data, and personal/financial information. They choose industries where breaches can cause severe disruption, reputational damage, and regulatory risks.

  • Frigopesca, an Ecuadorian agriculture and seafood export company, faced a RansomHub attack with 4 terabytes of stolen data, including CEO/CFO information, source code, customer databases, and network storage data. RansomHub set a December 12, 2024, deadline, releasing data samples as proof. Frigopesca hasn't confirmed the breach extent.

Impact, Response, and Statements

Major organizations released statements this week detailing their incident responses. While most reported only mild operational disruptions, they also launched immediate investigations and forensic analyses. The ransomware attacks created a clear pattern affecting both operations and reputation.

Organizations swiftly contained breaches by isolating compromised servers and platforms, then restored systems from pre-attack backups. Though temporary disruptions to internal networks were unavoidable, the greater impact came from data exfiltration, which exposed sensitive materials including financial records, payroll information, and confidential documents.

BT Conferencing confirmed a Black Basta ransomware attack that stole 500 GB of sensitive data including financial records, corporate documents, and personal information. Black Basta threatened to release the data unless a ransom was paid by December 12, 2024.

BT isolated and took offline the affected portion of their conferencing platform, while live conferencing services and other operations remained unaffected. As the investigation continues, attackers have already released sample data containing sensitive identification documents.

Vossko GmbH & Co. KG, a major German frozen food producer, fell victim to a Black Basta ransomware attack that stole 800 GB of data, including financial records, employee information, and project files.

The November 14 breach encrypted internal systems and temporarily halted production. Vossko's IT team and external specialists have largely restored normal operations. While the investigation continues, attackers set a December 12, 2024 ransom deadline, with no reported payment discussions.

SRP Federal Credit Union suffered a Nitrogen ransomware attack that compromised 650 GB of sensitive customer data, including names, Social Security numbers, and account details.

The breach, occurring between September 5 and November 4, 2024, was discovered on November 22. SRP confirmed that online banking and core processing systems remained unaffected, with no evidence of fraud or identity theft.

The credit union offered affected customers free one-year Experian IdentityWorks memberships for identity protection. Although the attackers published proof of the stolen data, SRP has since implemented additional security measures.

ITO EN's Texas-based North American subsidiary experienced a Play ransomware attack that compromised personal information, client documents, payroll records, and financial data. After the December 2 breach targeted specific file servers, the company quickly isolated them and restored data from backups.

Core systems remained unaffected, and operations have normalized. While collaborating with cybersecurity experts on investigation and security improvements, ITO EN faces a December 10, 2024, ransom deadline.

Weekly Mini: Emerging Groups Reveal Future of Ransomware

In our weekly mini, emerging ransomware groups SafePay, Termite, Kairos, and Interlock have shown relentless activity, each launching attacks this week. Their aggressive operations signal a clear push to establish dominance in the threat landscape.

From SafePay's 22 recent claims using LockBit-style tactics to Termite's dual extortion attacks on critical infrastructure, these groups are rapidly evolving. Kairos's quick expansion since November and Interlock's targeted strikes against the healthcare, government, and manufacturing sectors demonstrate their increasing capabilities.

This pattern of calculated, persistent attacks points to a concerning trend as these groups expand their influence and reach.

SafePay

SafePay's recent activity on its dark web site revealed 22 claims, demonstrating LockBit's enduring influence. Analysis shows that SafePay's ransomware code and privilege escalation techniques mirror LockBit's methods. While these similarities connect SafePay to LockBit's infrastructure, they also highlight SafePay's emergence as an independent threat.

  • KT Partners LLP, a boutique CPA firm operating in Toronto, Vaughan, Barrie, and Montreal, became SafePay's latest target. The attackers claim to have stolen 107 GB of sensitive data from the $5 million revenue firm, causing significant operational disruptions. KT Partners has yet to confirm the full scope of the breach.

Termite

Termite ransomware made a calculated and impactful debut by primarily targeting government critical infrastructure. The group employs a dual extortion model: first stealing sensitive data, then encrypting systems, while using threats of data exposure or sale to pressure victims. As a RaaS operation, Termite is especially disruptive due to its lack of a decryptor. Since October 2024 it has used a modified Babuk encryptor alongside its dual extortion tactics.

  • Blue Yonder, a global supply chain software provider and Panasonic subsidiary, suffered a Termite attack in November. The group stole 680GB of data, including database dumps, 16,000+ email entries, insurance documents, and 200,000+ business records. This disrupted major clients like Starbucks, forcing manual payroll across 10,000+ stores and causing shipping delays. Blue Yonder is investigating and strengthening security while restoring operations.

Kairos

Kairos emerged in November 2024, with origins dating to June/July 2024. They operate a data leak site using dual extortion tactics and have claimed 7 attacks, one of them confirmed. Their first major attack targeted healthcare, exposing patient data including SSNs, medical records, and financial information. Evidence suggests systematic expansion.

  • T&M Cranes, a U.S. mechanical and industrial engineering company, is Kairos's latest target, with 28 GB of stolen data proven through screenshots.

Interlock

Interlock targets major organizations using social engineering, remote access, and cloud data theft. The group primarily attacks healthcare, government, and manufacturing sectors while claiming their mission is to promote security accountability.

  • RJ Michaels, a U.S. marketing firm founded in 1980, is Interlock's latest target, with 40 GB of stolen data. The compromised data includes employee information, contracts, and confidential materials.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
