Ransomware on the Move: FunkSec, Fog, BlackBasta, Play
Editor’s Note: Halcyon has transitioned the “Last Week in Ransomware” series to “Ransomware on the Move” - we hope you continue to find value in the intelligence presented.
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: FunkSec, Fog, BlackBasta, and Play…
As 2024 comes to an end, ransomware groups are ramping up their activities during the holiday season, targeting organizations across multiple sectors. Our weekly review uncovers a troubling pattern of attacks against critical infrastructure, especially during periods of reduced staffing.
Between December 16-22, both established and emerging threat actors showed significant developments, providing crucial insights for security teams and decision-makers:
- FunkSec demonstrated focus on East Asian institutions with unusually low ransom demands
- Fog ransomware showed concentrated activity in the US with 13 new attacks, 7 targeting US-based organizations
- Black Basta maintained its aggressive stance, targeting manufacturing and electronics sectors with significant data theft
- Play ransomware group expanded operations to include major retail chains, demonstrating sophisticated attack patterns
- This week we analyze the surge in ransomware campaigns exploiting holiday-period vulnerabilities
Weekly Highlights: FunkSec
FunkSec emerged as a leading threat actor in December 2024, with over 39 documented attacks. Their global reach includes 12 attacks in India, 5 in the United States, 4 in Brazil, and 2 in Mongolia this week.
The group has established itself as a significant ransomware threat, characterized by unusually low ransom demands and a practice of selling data to third parties at reduced prices through their published Bitcoin wallet.
Operating as both a ransomware group and potential data broker, FunkSec has gained notoriety in cybercrime forums for their extortion approach.
- A Major Power Grid Operator in East Asia has been targeted by the FunkSec ransomware group. The cybercriminals claim to have stolen 1.3 GB of sensitive data from the organization, which coordinates regional electricity supply. A ransom of $10,000 has been demanded, with a threat to sell the data to other parties for $5,000 through an open FTP server if it is not paid.
- A Government Research Center in the same region has suffered a data breach by FunkSec targeting its official website. The group is offering administrative access to the site and sensitive data for $1,000. They have provided screenshots as proof of the breach. The institution focuses on research and development programs while fostering partnerships with educational institutions and industry partners.
Weekly Highlights: Fog
Fog, a variant of the STOP/DJVU ransomware family first observed in 2021, launched 13 attacks this week, with 7 incidents concentrated in the US. The group employs sophisticated attack methods and double extortion tactics, leveraging compromised VPN credentials and RDP configurations.
They use tools like Cobalt Strike and Mimikatz for lateral movement. Since April 2024, Fog has accounted for 20% of certain incident response teams' ransomware cases, with median ransom demands exceeding $200,000.
- A Public School District in the eastern United States suffered a ransomware attack by the Fog group. The district experienced a data breach that compromised sensitive information, including administrative documents and personnel records. The educational institution, which focuses on developing students into skilled communicators and independent thinkers, now faces serious concerns over this exposure.
- A Technology Components Supplier fell victim to a Fog ransomware attack in late December. The company, which serves channel partners and OEMs, reported a breach of business data. The compromised information allegedly includes internal documents and business records.
From The Big Leagues: Black Basta
Black Basta operates under a closed affiliate model, targeting the healthcare, finance, and manufacturing sectors. With over 500 documented attacks across North America, Europe, and Australia, it maintained its dominance in 2024 per Halcyon's most recent rankings. Black Basta's technical ties to Conti and BlackMatter suggest shared resources or a rebranding.
- A European Electronics Manufacturer, a subsidiary of a major technology corporation, has fallen victim to the BlackBasta ransomware group. The attackers claim to have stolen 1.5 terabytes of sensitive data. The company experienced a major IT disruption last month, initially acknowledged as an "IT incident" before being revised to "maintenance work."
- An Industrial Equipment Manufacturer in North America suffered a ransomware attack by BlackBasta. The breach compromised sensitive data, including business records and technical documentation. The company specializes in critical infrastructure components.
From The Big Leagues: Play
Play Ransomware, emerging in June 2022, has established itself as a highly sophisticated cybercrime group known for its closed operational structure, innovative tactics, and intermittent encryption technique. The group has conducted hundreds of attacks on high-value sectors, using a Linux-based variant to target VMware ESXi virtual machines and enterprise infrastructure.
In 2024, Play notably collaborated with APT 45, a North Korean state-sponsored group, incorporating advanced techniques for credential harvesting and privilege escalation, marking an unprecedented alliance between ransomware operators and state actors.
- A Major Food Service Corporation in North America has been targeted by the Play ransomware group. The cybercriminals claim to have accessed corporate databases containing business-critical information. The group has announced plans for a public data release.
Impact, Response, and Statements
Our recent analysis reveals several noteworthy attacks where organizations have issued official statements. These cases provide valuable insights into cybercriminal operations and organizational responses. We've observed a strategic focus on high-value targets across critical sectors.
Organizations have developed consistent response strategies, typically involving swift system isolation, forensic investigation, stakeholder communication, and business continuity measures:
- A Water Treatment Company recently experienced a ransomware attack by the ThreeAM group. The incident involved unauthorized access to several servers and potential data compromise. The company isolated affected systems and maintained core operations. It has engaged external forensics support and enhanced security measures, and has warned stakeholders about potential fraud attempts.
- A Major Financial Institution in Southeast Asia faced a cybersecurity incident attributed to the APT73 ransomware group. While the attackers claimed to have accessed sensitive data, the organization maintains that its systems and customer data remain secure. Senior technology executives have confirmed normal operations.
- A National Research Institution experienced a network security incident attributed to the MoneyMessage group, affecting administrative systems. The organization implemented its established security protocols and maintained critical infrastructure security. While investigating, it has implemented additional network security measures and verified that sensitive operations remain uncompromised.
Weekly Mini: Why Attackers Love the Holidays
Holiday periods represent a critical vulnerability window for organizational cybersecurity. Security analysts have documented consistent increases in ransomware activity during these intervals, particularly between December 25 and January 1. This escalation in malicious activity correlates with reduced staffing levels and increased digital transactions across sectors.
According to government cybersecurity agencies, threat actors systematically target holiday weekends to optimize their infiltration success rates. Organizations operating with minimal personnel and reduced IT support become particularly vulnerable to network exploitation and ransomware deployment. The retail, e-commerce, and financial services sectors experience heightened exposure due to elevated transaction volumes.
The reduction in regular security monitoring during holiday periods creates substantial opportunities for threat actors. Financial institutions face exposure when essential personnel are absent for extended periods. However, organizations can implement risk mitigation strategies through automated security solutions that maintain continuous ransomware detection and response capabilities, independent of human security team availability.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.