Ransomware on the Move: FunkSec, Akira, Cl0p, Qilin

Published on January 16, 2025

Halcyon publishes a quarterly RaaS and data extortion group guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: FunkSec, Akira, Cl0p, and Qilin...

Global ransomware activity showed a notable decrease in the first week of 2025 (January 1–6), though cyber threats remain sophisticated and concerning in their potential to disrupt organizations worldwide. This analysis examines recent attacks and their implications across industries, sectors, and regions, revealing key findings about today's cybersecurity landscape:

  • FunkSec: Combined ransomware attacks with data brokering, offering stolen data to third parties at discounted rates.
  • Akira: Targeted high-profile organizations, exposing sensitive data and using torrent magnet URLs for data distribution.
  • Cl0p: Exploited managed file transfer vulnerabilities in enterprise software like Cleo's Harmony and VLTrader, claiming over 65 victims in December and breaching major organizations this week.
  • Qilin: Employed aggressive public shaming tactics and detailed criticism of victims' IT security measures.

While ransomware incidents declined compared to late 2024, attackers maintained sophisticated tactics to disrupt organizations across industries and continents. The reduced number of attacks belies their increasing scale and complexity, highlighting ongoing cybersecurity challenges. This week's article provides our first look at ransomware trends in 2025.

Weekly Highlight: FunkSec

FunkSec, emerging in late 2024, operates through a Tor-based data leak site using double extortion tactics that combine file encryption with data theft. The group claimed responsibility for over 40 attacks in December 2024.  

Their strategy combines ransomware attacks with data brokering, maintaining low ransom demands through their public Bitcoin wallet while selling stolen data to third parties at discounted rates. This approach has garnered significant attention in cybercrime forums.  

Recent developments include a malware update with advanced techniques and enhanced obfuscation, a topic for next week's discussion. This week's FunkSec victims include:

  • An Indian government entity responsible for child protection laws and welfare initiatives has been targeted by the FunkSec ransomware group. The attackers claim to have exfiltrated 2 GB of sensitive data. The department's silence raises concerns about potential exposure of sensitive welfare-related information.
  • A company in the iron and steel scrap sector fell victim to a FunkSec ransomware attack. While the breach has been confirmed, the extent of the data leak remains unknown. The organization, known for its industry innovations, is currently evaluating the attack's full impact. It has not released details about the compromised data or the attackers' demands.

Weekly Highlight: Cl0p

Cl0p ransomware, active since 2019, has established itself as a major threat actor specializing in managed file transfer (MFT) software vulnerabilities. Their recent focus on Cleo's Harmony, VLTrader, and LexiCom software shows their expertise in exploiting zero-day vulnerabilities for large-scale extortion.  

Through these vulnerabilities, Cl0p claimed over 65 victims in their December campaign:

  • A leading U.S. software development company has been targeted by the Cl0p ransomware group. The cybercriminals claim to have exfiltrated data from the organization. The company, which specializes in mobile and wireless software solutions, discovered the breach on January 6, 2025. They haven't disclosed the nature or extent of the compromised data, though the incident highlights the ongoing threat ransomware groups pose to technology firms.
  • A major U.S. logistics firm has reportedly been targeted by the Cl0p ransomware group. The attackers claim to have breached the company's database, though the extent of the compromise remains unknown. The incident, discovered on January 4, 2025, poses potential operational disruptions and data security challenges. The Cl0p group has not revealed specifics about the compromised data.

From the Big Leagues: Qilin

Qilin, initially operating under the name Agenda before rebranding, is a RaaS operation that emerged in 2022. Written in Golang and Rust, Qilin can target both Windows and Linux systems. The group's attack volume increased significantly in the first half of 2024, claiming over 150 victims by the third quarter.  

Qilin emphasizes public shaming and criticism of victims' IT infrastructure, aiming to tarnish reputations while demanding ransom payments:

  • A certified public accounting firm in West Virginia has fallen victim to a Qilin ransomware attack. The cybercriminals claim to have exfiltrated 73 GB of sensitive data. According to the attackers, the firm refused to negotiate, prioritizing client confidentiality. The group criticized the firm's IT infrastructure and management, citing negligence in the breach. To prove their claims, Qilin released eight screenshots of compromised files. The breach was discovered on January 5, 2025.
  • A prominent UK-based food intolerance and allergy testing company has been targeted by the Qilin ransomware group. The attackers claim to have exfiltrated data, though the volume remains undisclosed. The breach, identified on January 4, 2025, raises concerns about exposed sensitive health-related data. The company hasn't released a detailed statement, leaving the breach's specifics and implications unclear.

From the Big Leagues: Akira

Akira has emerged as one of the most active threat actors this week through multiple sophisticated attacks. Operating as a Ransomware-as-a-Service (RaaS) platform, Akira targets high-profile corporate organizations with valuable business assets including financial documents, intellectual property, and sensitive personal information.  

The group frequently breaches significant amounts of sensitive data and uses torrent magnet URLs to distribute stolen information, increasing exposure risks:

  • A Florida-based construction firm has fallen victim to an Akira ransomware attack. The breach, discovered on January 6, 2025, potentially exposed over 35 GB of sensitive corporate data. The compromised information includes critical financial documents (audits, payment details, and reports) and personal contact information of employees and customers. The firm, which specializes in commercial, industrial, and institutional construction projects, now faces significant data security challenges.
  • A specialty food ingredients developer and manufacturer has also fallen victim to an Akira ransomware attack. The attackers claim to have accessed over 45 GB of sensitive corporate documents, including non-disclosure agreements, social security numbers, financial records, and employee contact information. While the exact size of the data leak remains unconfirmed, the organization, which partners with leading brands and flavor houses for custom formulations, faces substantial data security challenges from this breach.

Impact, Response, and Statements

During this relatively quiet week, which saw fewer attacks than recent months, only one notable victim released a public statement. Most affected organizations remain silent about potential breaches, likely due to ongoing investigations and legal considerations. This widespread reluctance to disclose incidents continues to hinder transparency in cybersecurity incident reporting.

A Japanese technology company was targeted by a ransomware group. The attackers claimed to have exfiltrated 761.8 GB of data (comprising 476,342 files) from the company's servers. The cybercriminals set a January 10, 2025, deadline, threatening to publish the stolen data if ransom demands weren't met. The victim confirmed the security breach on December 27, 2024, acknowledging both encrypted servers and potential data leakage. The company swiftly implemented emergency containment measures and enlisted external experts for investigation and recovery. They notified the Personal Information Protection Commission and are cooperating with law enforcement. The ransomware group has criticized the company for not responding to their messages, warning that this silence could harm their business reputation. To prove the breach, they released seven screenshots of sensitive files.

Weekly Mini: What's the State of Ransomware at the Start of 2025?

The first week of 2025 showed a notable decrease in global ransomware activities compared to the holiday period in 2024, with fewer than 50 organizations being targeted across five continents. The attacks still demonstrated sophisticated tactics used by threat actors to breach security systems and exfiltrate sensitive data, despite the lower volume of incidents.

The geographic scope was extensive, spanning North America, Europe, Asia, Africa, and South America. Affected sectors included healthcare facilities, government institutions, financial services providers, technology companies, IoT manufacturers, and media organizations. The breaches compromised sensitive data, including medical records, government operations information, financial documents, and corporate intelligence.

The attackers employed advanced techniques such as torrent magnet URLs for data distribution, screenshot evidence for proof of exfiltration, public criticism of IT infrastructure, and strict payment deadlines with specific cryptocurrency demands. These methods were designed to maximize pressure on victims and ensure compliance.

The scale of data exposure this week was also particularly significant, with the largest breach of 1.6 terabytes of sensitive corporate files occurring in France. According to claims, data theft volumes totaled approximately 946 GB across various incidents. Many victims experienced both data theft and operational disruptions as critical systems were encrypted and business activities severely impacted.

High ransom demands characterized several attacks this week. A major Canadian city borough reportedly fell victim to Rhysida ransomware. The attackers breached the borough's government networks and stole sensitive data, threatening to release it within a week. They demanded 10 Bitcoin (approximately $1 million) by January 11, 2025.  

The Rhysida group posted evidence on their dark web leak site, including samples of stolen French-language documents such as emails, administrative contracts, and Canadian passports. Though the total volume of stolen data remains unknown, the group activated a countdown clock on their auction page to show when the data would be sold to the highest bidder if the ransom went unpaid. The borough has not yet verified this attack.

Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
