Ransomware on the Move: SafePay, Lynx, Fog, RansomHub
Halcyon publishes a quarterly RaaS and data extortion group guide, Power Rankings: Ransomware Malicious Quartile - here's the ransomware gangs on the move last week: SafePay, Lynx, Fog, and RansomHub.
From January 13-19, 2025, multiple significant ransomware attacks struck organizations across sectors—from educational institutions to manufacturing companies. These attacks resulted in substantial data breaches, exposing sensitive corporate documents, personal records, and financial data.
Four major ransomware groups orchestrated sophisticated attacks targeting critical sectors worldwide. Here's a comprehensive analysis of their operations and impact:
- SafePay demonstrated strategic targeting of educational and food industry sectors, successfully breaching multiple school systems and food industry organizations. The attacks resulted in substantial data theft.
- Lynx ransomware group expanded their reach into critical infrastructure, specifically targeting utilities and professional services. Their successful infiltration of multiple companies in the hospitality and legal sectors highlights their growing capabilities in breaching diverse security systems.
- Fog ransomware executed precision strikes against high-value targets in education and government contracting. Their most significant breach resulted in the theft of over 90GB of sensitive data from a major university, while another attack exposed critical government-related information.
- RansomHub demonstrated global reach with coordinated attacks across three continents, focusing on manufacturing and security infrastructure. Their systematic targeting of security systems providers raises particular concern for potential supply chain vulnerabilities.
These coordinated attacks reveal an alarming trend: ransomware groups are becoming increasingly sophisticated in their targeting strategies, combining advanced encryption techniques with multi-faceted extortion tactics to maximize impact on critical infrastructure and sensitive sectors. Our Weekly Mini section provides detailed analysis of their evolving ransom demands and payment strategies.
Weekly Highlight: SafePay
SafePay, a ransomware threat that emerged in November 2024, operates on LockBit's framework and has quickly become a formidable group. They combine file encryption with data theft, pressuring victims through threats of public exposure. Following LockBit's strategy, SafePay targets critical infrastructure and business operations.
This week, they struck organizations across the United States, Mexico, Singapore, and Spain, stealing personal information, financial documents, and operational records:
- A California school district was targeted by the SafePay ransomware group. The attackers claim to have stolen 40GB of data from the district's network in a breach discovered on January 18, 2025. While SafePay has not revealed the specific nature of the stolen data, the volume suggests a substantial breach of sensitive information. The district has not made any public statements about the incident's impact on operations and stakeholders.
- A California-based seafood wholesaler connecting markets, distributors, fishermen, and farms fell victim to a SafePay ransomware attack. The company discovered a breach of approximately 30GB of sensitive data. While they haven't disclosed the nature of the compromised data, this incident highlights the growing threat to vital supply chain businesses. The company has not issued any public statements about the attack.
Weekly Highlight: Lynx
Lynx ransomware emerged in July 2024 and quickly demonstrated its capabilities by executing over 22 attacks across manufacturing and construction sectors by October. Operating as Ransomware-as-a-Service (RaaS), Lynx uses both single and double extortion techniques, encrypting files while stealing sensitive data to pressure victims. Evidence suggests Lynx may be a rebranded version of INC ransomware, as their source codes share striking similarities.
This week, Lynx targeted various sectors including water and sewer authorities, engineering firms, construction companies, hospitality services, and retail businesses:
- A hospitality company specializing in property development, renovation, management, and financial operations suffered a Lynx ransomware attack. The attackers provided screenshots proving their breach of the company's systems. The company has not disclosed information about the scope of compromised data or Lynx's demands.
- A law firm specializing in Social Security Disability and Supplemental Security Income (SSI) cases fell victim to the Lynx ransomware group. The attackers claim to have stolen sensitive data, including contracts, financial records, and client information, threatening to publish it within 6–7 days.
From The Big Leagues: Fog
Fog ransomware, discovered in 2021, is a variant of the STOP/DJVU ransomware family. The group uses double extortion tactics and tools like Cobalt Strike and Mimikatz for network infiltration. Since April 2024, Fog has accounted for 20% of certain incident response teams' ransomware cases, with median ransom demands exceeding $200,000.
Their current campaign targets educational institutions, government contractors, and agricultural/food sectors, focusing on operational disruption and reputational damage by accessing employee data, financial records, and operational documents:
- A small enterprise providing research, development, testing, engineering, life sciences, program management, and analytical services for the Department of Defense and other government agencies suffered a Fog ransomware attack. The breach led to unauthorized access and leakage of 15.1GB of sensitive data. The incident highlights the ongoing threat to organizations with critical government contracts.
- A major U.S. university fell victim to the Fog ransomware group, which claims to have stolen 91GB of sensitive data, including employee contact details, financial records, and state senators' contact information. The breach was discovered on January 14, 2025. While the university, which reports $1.5 billion in revenue, hasn't confirmed specific details, it acknowledged detecting suspicious network activity. The institution has isolated affected systems and launched an investigation with enhanced security measures. The university hasn't disclosed potential causes, affected systems, or ransom negotiations. Fog, known for targeting major U.S. educational institutions, hasn't revealed their motives or demands.
From The Big Leagues: RansomHub
RansomHub actively targets both large enterprises and critical infrastructure, using legal intimidation and data extortion tactics to evolve ransomware operations. While focusing on high-value targets, they've proven capable of successfully attacking organizations of all sizes.
This week, RansomHub struck companies across Italy, Brazil, and Nigeria, targeting businesses in security systems, precast concrete, logistics, and manufacturing. The compromised data includes personal information, financial documents, and operational records:
- A Taiwanese professional lighting control systems manufacturer was targeted by RansomHub. The attackers claim to have obtained 46GB of company data and threaten to release it publicly within 11–12 days. They've shared allegedly exfiltrated files as proof of the breach.
- An Italian integrated security systems firm known for designing and installing intrusion detection, access control, video surveillance, fire prevention, and supervision systems fell victim to RansomHub. The attackers claim to have exfiltrated 142GB of sensitive data. The breach was discovered on January 16, 2025, with threat actors announcing plans to release the data within 14–15 days.
Impact, Response, and Statements
Recent ransomware incidents reveal distinct patterns in how organizations respond to and manage cyberattacks. Analysis of these cases provides valuable insights into effective crisis management strategies and highlights common challenges faced by victims.
Affected organizations have demonstrated the importance of swift incident response, immediately isolating affected systems and collaborating with law enforcement to mitigate breach impacts. The emphasis on transparency and communication is evident in recent cases, where priority was given to notifying affected individuals and regulatory bodies while providing risk mitigation guidance:
A municipal council in the UK experienced a cybersecurity breach that triggered an immediate investigation. The Northeast Regional Organized Crime Unit (NEROCU) is leading the probe, working alongside local and national authorities.
Thanks to pre-existing security measures and a rapid response, service disruption was minimal, though some personal data was compromised. The council is directly contacting affected individuals. Both customer bank details and the council's website remain secure, ensuring safe transactions and communications can continue.
Following Data Protection Act 2018 and GDPR requirements, the council swiftly notified the Information Commissioner's Office and other regulatory bodies. The Strategic Director for Corporate Services and Governance reaffirmed the council's commitment to protecting public data and maintaining critical services.
Leadership urged residents to remain vigilant against phishing attempts and emphasized the importance of strong, unique passwords. Medusa has demanded $600,000 to delete the stolen data. The council maintains transparency by providing regular updates throughout the investigation.
A law firm in New Zealand's Matamata region discovered a significant cybersecurity breach of their on-premises server after returning from holiday break. The firm immediately secured their systems and engaged an external forensic specialist to assess the breach's extent, while reporting the incident to the Office of the Privacy Commissioner and New Zealand Police.
Investigation revealed that files were stolen and posted on a dark web data leak site. While various client information was compromised, the firm's cloud-hosted client management systems remained secure. The firm has worked to notify clients with active transactions to prevent disruptions, though contacting all potentially affected clients has proven challenging.
The SafePay ransomware group claimed responsibility on January 14, stating they had stolen 15GB of data containing legal correspondence and identification documents. Their darknet leak site announcement was brief, including only the data size and links to stolen files.
A Warsaw-based technology firm specializing in cryptographic devices and electronic signatures fell victim to the RansomHub ransomware group. The attackers claim to have stolen 65GB of data and threaten to release it within 11–12 days. The company acknowledged the attack and outlined immediate mitigation efforts. While working with specialized services to restore infrastructure, they warned of possible operational disruptions.
The company confirmed unauthorized access to client personal data and continues investigating the breach's full scope while actively notifying clients about risks and protective measures. As a GDPR data controller, they reported that the January 12, 2025, ransomware attack compromised personal data protection. The breach may have exposed customer, contractor, and employee data, including email addresses, phone numbers, PESEL numbers, names, birth details, citizenship, ID information, usernames, passwords, and remote verification images.
The company confirmed that qualified certificates remain secure, as they are stored with their owners outside the company's infrastructure. While the cryptographic keys of cloud-based signature certificates were unaffected, all passwords have been reset and two-factor authentication is now mandatory.
The company quickly implemented preventive measures and notified relevant authorities, including Police, CERT Polska, and the President of the Personal Data Protection Office. They continue working to minimize the attack's impact and restore system functionality while providing security guidance through their website.
Weekly Mini: What Price Do Cybercriminals Put on Stolen Data?
Ransom patterns observed in ransomware attacks often follow a predictable structure, with cybercriminal groups employing threats and demands to coerce victims into compliance. Typically, attackers infiltrate an organization's systems, exfiltrate sensitive data, and then encrypt the files to deny the victim access.
Ransom demands are subsequently issued, often accompanied by threats to leak the stolen data on public platforms if the demands are not met. These tactics are designed to maximize pressure on the affected entities, leveraging both the operational disruption caused by encryption and the reputational damage associated with public exposure of sensitive information.
Looking at this week's ransomware attacks, several groups explicitly state their ransom demands, providing specific payment amounts and deadlines to the victims. For instance, the Funksec ransomware group demanded $1 million from the Construction Development Center in Mongolia, with an alternative offer to sell the data for $50,000.
Similarly, the Medusa group reportedly demanded $600,000 from Gateshead Council to delete the compromised data, showcasing the high monetary stakes involved in these attacks. These ransom amounts often vary based on the perceived value of the stolen data and the financial capacity of the targeted organization.
In many cases, the timeline for ransom payment is strictly enforced, with attackers threatening to publish the stolen data if the deadline is not met. This approach increases the urgency for victims to respond and comply. Some groups, like Lynx and RansomHub, even provide screenshots of the exfiltrated data as proof of the breach, further escalating the pressure.
Organizations face difficult decisions when confronted with these demands. While some choose to negotiate or pay, others refuse and rely on backups or cybersecurity experts for recovery. However, payment offers no guarantee of data deletion or system restoration, as attackers' promises remain unreliable. Their pricing strategies are ultimately designed to maximize pressure while offering seemingly flexible options to increase the likelihood of payment.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.