Ransomware on the Move: FunkSec, SpaceBears, Akira, RansomHub
NOTE: Every month get the latest ransomware news and analysis from the Halcyon team - join us for the next Threat Insights webinar live Feb 11, 2025, 10:00AM PST / 1:00PM ET (or watch on-demand here): https://bit.ly/4guzyZw
Halcyon publishes a quarterly RaaS and data extortion group guide, Power Rankings: Ransomware Malicious Quartile - here are the ransomware gangs on the move last week: FunkSec, SpaceBears, Akira, and RansomHub.
The ransomware landscape continues to evolve rapidly, with threat actors using increasingly sophisticated tactics to target organizations worldwide. During January 20-26, 2025, several prominent ransomware groups (FunkSec, SpaceBears, Akira, and RansomHub) made headlines for their attacks on critical infrastructure, businesses, and nonprofits.
This article examines these four active groups' activities, providing insights into their methods, targets, and the broader implications of their actions. We also look at the critical issue of ransom deadlines and the severe consequences organizations face when they fail to meet attackers' demands.
This week we explore:
- FunkSec: Targeted multiple military and educational institutions this week, with a focus on South Asian and North African regions.
- SpaceBears: Attacked electrical distribution and non-profit sectors, threatening to leak sensitive operational data.
- Akira: Compromised technology and communications companies, with threats to expose internal financial documents and employee data.
- RansomHub: Launched significant attacks against manufacturing and logistics companies, stealing over 600GB of data from the highlighted victims.
This week’s mini section takes a closer look at what happens when organizations fail to meet ransom deadlines. Using the Clop ransomware group's recent campaign as an example, we examine the escalating pressures victims face, including public data leaks, damaged reputations, and the ongoing struggle to negotiate with threat actors even after deadlines have passed.
Weekly Highlight: FunkSec
FunkSec emerged in late 2024 as a ransomware group, quickly claiming over 85 victims in December alone. Operating as a Ransomware-as-a-Service (RaaS) outfit, it uses AI-driven malware development and a Rust-based ransomware variant called FunkSec V1 (FunkLocker). The group stands out for demanding low ransom payments, for as little as $50, and engaging in hacktivist activity and political messaging.
However, despite its rapid rise, some disclosures appear recycled, casting doubt on its actual capabilities. FunkSec targets organizations primarily in the U.S., India, Italy, Brazil, Israel, Spain, and Mongolia, with evidence pointing to Algerian connections.
These ties and hacktivist messages are evident in their recent attacks:
- An Eastern South Asian Navy has been targeted by the FunkSec ransomware group. This naval branch of the Armed Forces is tasked with safeguarding the country's maritime territory, ensuring the security of seaports, and protecting the exclusive economic zones from external threats. Additionally, they play a pivotal role in disaster management within the country. The ransomware attack has raised significant concerns about the potential exposure of sensitive information, which could compromise operational security and national defense capabilities. The incident underscores the growing threat of cyberattacks on military institutions and the need for enhanced cybersecurity measures to protect critical infrastructure.
- A university center in Algeria was targeted in a cyberattack, with FunkSec issuing a statement inviting the country's cyber defense personnel to engage with them regarding the exploitation and vulnerabilities they discovered. The attackers assert that they have gained full control over the website and have extracted data. They have called for individuals working within the country's official cyber defense to reach out to them via secure communication channels such as Session or Tox. The group claims their intention is to protect Algerian and Russian websites moving forward. They have also indicated that they do not seek financial compensation for their actions, suggesting instead that any bounty be directed to Palestine. The statement explicitly requests that only those affiliated with official defense contact them.
Weekly Highlight: SpaceBears
SpaceBears, a ransomware group that emerged in April 2024, functions primarily as a data broker rather than encrypting files. With its corporate-themed branding and connections to the Phobos ransomware-as-a-service group, SpaceBears has targeted over 50 organizations as of January 2025.
The group targets medium to small-sized businesses using double extortion tactics and simple strategies, such as pressuring victims through their insurance providers and customers. Rather than deploying sophisticated malware, SpaceBears focuses on data leaks and third-party infrastructure breaches:
- A major electrical distributor in the United States has been targeted by the Space Bears ransomware group. The cybercriminals assert that they have accessed and exfiltrated sensitive data, which encompasses financial documents, accounting reports, and personal information pertaining to both employees and clients. The company, recognized as one of the top 150 electrical distributors nationwide, offers comprehensive warehousing, supply chain, and delivery services for wire and cable products across diverse markets including public utilities, electrical contractors, wind farm developers, commercial and industrial HVAC industries, traffic and transportation sectors, Original Equipment Manufacturers (OEMs), and the security/low voltage industries.
- A non-profit organization in New South Wales has fallen victim to a ransomware attack orchestrated by the Space Bears group. The cybercriminals have publicly claimed responsibility for breaching the organization's database and have issued a threat to release the compromised data within a timeframe of 10 days. The hackers assert that the stolen data encompasses a wide array of file types, including .jpg, .mp4, .mov, .xls, .doc, .mdf, .msg, and .pdf, which they describe as containing "valuable information."
From The Big Leagues: Akira
Akira is a ransomware-as-a-service (RaaS) group that emerged in March 2023. The group compromised over 300 organizations in 2024, mainly in North America, the UK, and Australia. Using double extortion tactics, they steal data before encrypting files and recently exploited CVE-2024-40766 in SonicWall SonicOS.
In November 2024, Akira listed over 30 new victims in a single day, indicating new affiliate partnerships. They target manufacturing, financial services, and education sectors with Windows and Linux ransomware variants:
- A Canadian software company specializing in remote work solutions, visual computing, and communications has fallen victim to a ransomware attack. The breach, which targeted the company's Canadian operations, threatens to expose sensitive corporate data. Among the compromised information are internal financial documents, including audits, payment details, and reports, as well as employee taxpayer numbers and contact emails. The attack has raised significant concerns about the potential exposure of critical data, impacting both the company's operations and its workforce. The company has yet to release a detailed statement regarding the incident.
- A technology solutions provider has reportedly been targeted in a ransomware attack. The attackers have threatened to release over 8 GB of sensitive corporate documents. These documents allegedly include license agreements, non-disclosure agreements, internal financial data such as audits, payment details, and reports, as well as insurance documents and customer contact information. The company has yet to issue a statement regarding the breach or the potential impact on its operations and clients.
From The Big Leagues: RansomHub
RansomHub is a ransomware-as-a-service (RaaS) group that emerged in February 2024. The group quickly established itself as one of the most active cybercrime operations, rising to the top position in the ransomware landscape. Since July 2024, RansomHub has dominated the scene with nearly 500 victims listed on its public data leak site.
The group specializes in targeting large enterprises, gaining access through exposed cloud backups, misconfigured (publicly readable) Amazon S3 buckets, and known vulnerabilities such as Zerologon (CVE-2020-1472). Given its rapid ascent and ongoing dominance, RansomHub is likely to remain a significant threat well into 2025:
- A major North American plumbing fixtures manufacturer has reportedly been targeted by the RansomHub ransomware group. The group claims to have infiltrated the company's network servers, exfiltrating approximately 400 GB of sensitive data. This breach is part of a broader attack that also involves another subsidiary of the same Japan-based parent company. RansomHub has announced its intention to publish the stolen data within a week unless a ransom is paid by the deadline of January 28, 2025.
- A major Nordic shipping and logistics firm has been targeted by the RansomHub ransomware group. The attackers assert that they have exfiltrated 230 GB of sensitive data from the organization. The company provides comprehensive services including stevedoring, warehousing, agency operations, customs clearance, commercial chartering, liner services, cruise operations, and freight forwarding. RansomHub has threatened to auction the stolen data once its countdown expires, which would mean both a breach of confidentiality and likely operational disruption. The sample posted so far reportedly consists of PDF documents of varying sizes, which suggests a mixed set of potentially sensitive material rather than a single data type.
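The "misconfigured Amazon S3" vector named above usually comes down to a bucket policy that grants read or list access to every principal, which lets anyone pull backups or exports anonymously. As an added illustration, not code from Halcyon and not a reconstruction of any group's tooling, the Python below parses a bucket policy document and flags Allow statements that are open to the world without a Condition; it also models how S3's account-level Public Access Block (RestrictPublicBuckets) neutralises such statements. The bucket name, policies and ARNs are constructed for the example.

```python
import json

# Actions that let an anonymous caller read objects or enumerate a bucket.
READ_ACTIONS = {"s3:getobject", "s3:listbucket", "s3:get*", "s3:list*", "s3:*", "*"}


def _as_list(value):
    """Policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _principal_is_public(principal):
    """True for Principal "*" or {"AWS": "*"}, i.e. anyone including anonymous callers."""
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _actions_allow_read(actions):
    return any(a.lower() in READ_ACTIONS for a in _as_list(actions))


def public_read_statements(policy_json):
    """Return Sids (or positional labels) of Allow statements that give everyone read/list
    access with no Condition scoping the principal."""
    policy = json.loads(policy_json)
    findings = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_public(stmt.get("Principal", {})):
            continue
        if not _actions_allow_read(stmt.get("Action", [])):
            continue
        if stmt.get("Condition"):
            # A Condition (e.g. aws:SourceVpce, aws:SourceIp) can scope "*"; review separately.
            continue
        findings.append(stmt.get("Sid", f"statement[{i}]"))
    return findings


def is_publicly_readable(policy_json, public_access_block=None):
    """Combine the policy check with the bucket/account Public Access Block setting:
    with RestrictPublicBuckets enabled S3 ignores public policy grants for anonymous callers."""
    pab = public_access_block or {}
    if pab.get("RestrictPublicBuckets") is True:
        return False
    return bool(public_read_statements(policy_json))


# Constructed sample: a backup bucket left world-readable (the weak setting).
WEAK_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "PublicBackups", "Effect": "Allow", "Principal": "*",
         "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-backups/*"},
        {"Sid": "DenyInsecureTransport", "Effect": "Deny", "Principal": "*",
         "Action": "s3:*", "Resource": "arn:aws:s3:::example-backups/*",
         "Condition": {"Bool": {"aws:SecureTransport": "false"}}},
    ],
})

# Constructed sample: the same bucket restricted to one account's backup role.
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "BackupRoleOnly", "Effect": "Allow",
         "Principal": {"AWS": "arn:aws:iam::123456789012:role/backup-writer"},
         "Action": ["s3:GetObject", "s3:PutObject"],
         "Resource": "arn:aws:s3:::example-backups/*"},
    ],
})

if __name__ == "__main__":
    print("weak policy public statements:", public_read_statements(WEAK_POLICY))
    print("hardened policy public statements:", public_read_statements(HARDENED_POLICY))
    print("weak policy with RestrictPublicBuckets:",
          is_publicly_readable(WEAK_POLICY, {"RestrictPublicBuckets": True}))
```

In practice the policy document comes from `get-bucket-policy` and the block settings from `get-public-access-block` for each bucket in the account; the point of the check is that a Deny-on-insecure-transport statement, as in the weak sample, does nothing to stop anonymous HTTPS reads.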
Impact, Response and Statements
The week of January 20-26, 2025, saw multiple significant ransomware incidents that showcase the current state of cyber threats and organizational responses. These attacks demonstrate the increasing sophistication of threat actors, who are now routinely exfiltrating massive amounts of sensitive corporate data.
The targeted organizations have shown a trend toward greater transparency in their incident response, providing detailed disclosures about compromised data and maintaining active communication with affected stakeholders:
- An Australian manufacturing company fell victim to the LYNX ransomware group this week. The attackers claim to have stolen 350 gigabytes of sensitive data, including user information, business documents, employee records, and financial data. The breach became public when LYNX listed the company on their darknet leak site. The company has since confirmed the cyber incident and acknowledged the potential data exposure while evaluating the breach's full impact.
- A California-based business bank has been targeted by the RansomHub ransomware group, which claims to have exfiltrated 2.7 TB of sensitive data. This data reportedly includes confidential information on both employees and customers, encompassing payments, reports, and other critical documents. The breach, detected on December 2, 2024, led to an investigation that confirmed unauthorized access to the bank's IT network. By December 28, 2024, a comprehensive review had identified the individuals affected. The bank's notification to those impacted detailed the compromised information, which includes names, Social Security numbers, dates of birth, addresses, telephone numbers, driver's license or state-issued ID numbers, passport numbers, and financial account details. In a statement, the bank acknowledged the security incident, noting that the breach occurred despite its information security measures. RansomHub, which published this claim this week, has set a ransom deadline of January 31, 2025, threatening to release all stolen documents if its demands are not met. The group has also warned that it will distribute detailed instructions to potential litigants and share critical data with their legal representatives.
Weekly Mini: Time’s up! What Happens When the Ransom Deadline Expires?
The Clop ransomware group's recent campaign targeting Cleo's managed file transfer products (Harmony, VLTrader and LexiCom) demonstrates the severe consequences that unfold when ransom deadlines expire. The group has been exploiting two critical vulnerabilities in Cleo's software, CVE-2024-50623 and CVE-2024-55956, since December 2024; Cleo has released patches and urged customers to install them. The attack timeline reveals Clop's systematic approach.
After announcing their responsibility for the Cleo attacks in December 2024, they gave 66 affected companies just 48 hours to comply with ransom demands. By mid-January 2025, Clop began executing their threats, first by unveiling victim names and then publishing stolen data from three organizations. When ransom deadlines expire, victims face multiple severe consequences:
- Data gets published on both clearnet and Tor sites, with larger companies singled out through search-engine-indexed URLs
- Torrents are used for faster data distribution, making containment nearly impossible
- Pressure escalates as more sensitive information is released with increasing frequency
- Organizations are forced to publicly disclose their compromise, leading to a surge in known victims
Despite missed deadlines, some organizations continue negotiations to prevent further leaks or recover encrypted files. The group's tactics include direct company contact through secure chat links, threatening full company name disclosure within 48 hours, and focusing on current extortion by deleting data from previous attacks. As of January 24, 2025, Clop has already claimed to have leaked data from at least 50 victims of their December campaign.
The impact is evident in social media discussions, where affected individuals are seeking information. As one Reddit user posted, "I am still curious if our data is out there and hoping someone can walk me through how to get to where the data would be." This pattern of increasing public pressure through data leaks and leveraging the threat of further exposure continues to be an effective extortion strategy.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.