Ransomware on the Move: SafePay, Termite, RansomHub, BlackBasta

Published on December 4, 2024

Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: SafePay, Termite, RansomHub, and BlackBasta…
The week of November 18–24 saw a sharp rise in ransomware activity, with 155 attacks recorded in Halcyon’s Attack Lookout (HAL) database, reflecting an almost 30% increase from previous weeks. Key sectors targeted included manufacturing, business services, construction, and healthcare:

  • SafePay, an emerging group believed to be tied to LockBit, claimed 22 victims.
  • RansomHub, a consistent actor in the ransomware space, accounted for much of the activity with 24 attacks.
  • Newcomer Termite made its debut with a high-profile attack on government critical infrastructure.
  • BlackBasta ransomware sustained its relentless pace, averaging 800GB of data exfiltrated per attack this week.

Prominent organizations like Rockport Mortgage, Cullman County Commission, and Interboro School District issued public statements following attacks, adhering to established incident response protocols by avoiding direct negotiations and prioritizing transparency.  

This week’s mini-feature looks into SafePay’s infrastructure and its role in extending LockBit’s legacy, and offers more details on its verified claims.

Weekly Highlight: SafePay Ransomware

SafePay, a ransomware group rooted in LockBit’s operational framework, emerged this week, in November 2024, as a disruptive and formidable player in the ransomware ecosystem. Using double extortion tactics, SafePay encrypts files and exfiltrates sensitive data, pressuring victims with the threat of public exposure.

This week, SafePay contributed 20 new victims to our database, with 22 claims listed on its dark web site (DWS). Many of these claims have been validated, showing the group’s rapid emergence as a serious threat. SafePay’s tactics, influenced by LockBit’s methods, effectively target critical infrastructure and disrupt business operations.

The group has targeted industries including real estate, media, manufacturing, hospitality, healthcare, government, education, construction, and business services, with confirmed incidents across the United Kingdom, United States, Australia, Italy, New Zealand, Canada, Argentina, Belgium, Barbados, Brazil, and Germany.

Recent Attacks:

  • McAuslan Brewery, renowned for its St. Ambroise craft beer line, was targeted by SafePay ransomware on November 21, 2024. The attackers exfiltrated 50GB of sensitive data, disrupting operations and raising concerns about the exposure of confidential customer information. The specifics of the stolen data have not been disclosed. Neither ransom demands nor a statement from the brewery have been made public, leaving the full impact of the breach unclear.
  • Miller Service Company, a Dallas-based real estate services firm, was targeted by SafePay on November 21, 2024. The breach involved 70GB of exfiltrated data, affecting internal operations and client relations. Details about the stolen data remain unknown. While the company has not issued a formal response, efforts to assess the breach and mitigate further risks are likely underway.

Weekly Highlight: Termite Ransomware

Termite ransomware burst onto the scene with a calculated and impactful debut targeting government critical infrastructure. Using a dual-extortion model, the group exfiltrates sensitive data before encrypting systems, leveraging threats of exposure or sale to apply pressure on victims.

Believed to operate as a Ransomware-as-a-Service (RaaS) entity, Termite is a particularly disruptive newcomer because no decryptor is available for its ransomware, leaving it capable of inflicting long-lasting damage on its targets.

Recent Attacks:

  • The Département de La Réunion, an overseas administrative region of France, became the first major victim of Termite ransomware in an attack on November 13, 2024. The breach disrupted critical services by compromising the organization’s database. Authorities responded swiftly, severing external network connections and suspending key services to contain the damage. Internal operations were sustained using alternative communication methods to minimize disruptions to stakeholders. Recovery efforts are ongoing, with cybersecurity specialists working to restore systems and implement advanced protections against future threats.

From the Big Leagues: RansomHub

RansomHub, a Ransomware-as-a-Service (RaaS) platform, has steadily risen since its emergence in February 2024. Known for double extortion tactics, the group encrypts victims’ systems and exfiltrates sensitive data to heighten ransom pressure.

By October 2024, RansomHub claimed the title once tightly held by LockBit as the leading global ransomware threat. This week, the group added 24 new claims to its dark web leak site, spanning industries globally.

Recent Attacks:

  • Depew Gillen Rathbun & McInteer LC, a Kansas-based law firm, reported a breach involving over 1,500GB of sensitive data. Stolen files included case records, accounting details, client information, and payroll entries. RansomHub released a sample of the compromised data on its dark web leak site. The firm has not disclosed the full impact of the breach, leaving questions about potential fallout unanswered.
  • Hartmannbund, a German doctors’ association representing approximately 70,000 healthcare professionals, was also targeted by RansomHub. The attackers claimed to have stolen 12GB of data and set a deadline of November 26, 2024, threatening to release the files if demands were not met. The Hartmannbund has not confirmed the breach, leaving the nature of the compromised data unclear.

From the Big Leagues: Black Basta

Black Basta, a Ransomware-as-a-Service (RaaS) group active since 2022, continues to cement its reputation as a dominant player in the ransomware ecosystem. Utilizing double extortion tactics, the group encrypts files and steals sensitive data, targeting sectors such as healthcare, finance, manufacturing, and energy.
Black Basta maintained a relentless pace, topping our Q3 Ransomware Malicious Quartile report. This week, the group claimed over 10 new victims on its dark web leak site. Data from our database revealed an average of 800GB exfiltrated per attack this week, reflecting the significant scale of their operations and focus on high-value targets.

Recent Attacks:

  • Instinct Pet Food, a company specializing in natural pet food products, became a notable victim of Black Basta ransomware. The breach involved the exfiltration of approximately 1.5 terabytes of sensitive data. This data included financial records, payroll, personal user folders, and R&D information. Known for its pet meals and freeze-dried kibble, Instinct Pet Food now faces significant risks, including potential intellectual property exposure and operational disruptions stemming from the compromise of critical internal files.
  • KMC Global, a group of autonomous companies focused on equipment design and manufacturing, was hit by Black Basta ransomware. The attack compromised 1.4 terabytes of critical data, including accounting records, payroll information, financial documents, non-disclosure agreements, and other sensitive files. The breach at the company’s Kalamazoo, Michigan headquarters disrupted production processes and heightened concerns about the security of operational and engineering data.

Impact, Response, and Statements

This week, three ransomware victims took decisive steps by publicly addressing their incidents and emphasizing the importance of coordinated responses over ransom payments. These statements show how organizations can fulfill their civic duty by adhering to security protocols and engaging with authorities rather than cybercriminals.

Their actions point to a critical truth: paying ransoms only emboldens attackers, while alerting the proper channels can pave the way for recovery and accountability:

Rockport Mortgage

  • Rockport Mortgage, targeted by BlackBasta, reported to the Attorney General of Maine that a data breach in October 2024 compromised personally identifiable information (PII) from both customer and employee records. The company initiated an investigation and began notifying impacted individuals on November 15, 2024. To support those affected, Rockport Mortgage is providing 24 months of complimentary credit monitoring services and has issued detailed notification letters explaining the extent of the breach.

Cullman County Commission

  • The Cullman County Commission, located in Alabama, suffered disruptions across multiple offices, including the Revenue, Probate, and District Attorney’s offices, due to a ransomware attack attributed to BlackSuit ransomware. The attack temporarily disabled phone lines and online services for property tax and tag renewals, causing significant operational challenges. On November 7, 2024, the commission confirmed its collaboration with the FBI to investigate the breach. Services were restored by November 8, though officials have not confirmed the validity of BlackSuit’s claims of data exfiltration or disclosed the full impact of the incident.

Interboro School District

  • The Interboro School District in Pennsylvania faced a cyberattack by RansomHub in late October 2024, leading to widespread network outages. On October 28, a district-wide outage halted operations, and classes were canceled the following day due to disruptions affecting security systems, parent communications, and access to school records. While classes have resumed, network issues remain unresolved. Leaked files and screenshots shared by the attackers have further complicated the district’s recovery efforts. The district implemented an incident response plan, engaged IT specialists, and is maintaining regular communication with parents and staff as it works to mitigate the attack’s effects.

Weekly Mini: Is SafePay the New Home for LockBit’s Legacy?

SafePay’s 22 claims on its dark web site this week have reignited focus on LockBit’s enduring impact. The dispersion of LockBit’s affiliates and methods continues to influence the ransomware landscape, with SafePay emerging as a significant player.

Cybersecurity firm Huntress, as reported by SCworld, discovered that SafePay’s ransomware uses a LockBit binary from 2022 and employs privilege escalation techniques, including User Account Control (UAC) bypass, previously observed in ALPHV/BlackCat campaigns.

These findings link SafePay to LockBit’s framework while highlighting its development as a distinct and growing threat actor. Former LockBit affiliates have integrated into various other operations.

SafePay demonstrated its global operational reach with four confirmed attacks this week:

  • Microlise, a British transport technology company, suffered a ransomware attack in October. SafePay exfiltrated 1.2 terabytes of corporate data, disrupting tracking systems and panic alarms for British prison vans. Although systems were largely restored, the breach exposed vulnerabilities. SafePay later claimed responsibility for the attack.
  • IB Spieth, a German engineering consultancy, experienced a ransomware attack that required an immediate IT system shutdown to protect customer and supplier data. Operations resumed with emergency protocols, showcasing SafePay’s ability to disrupt small and medium-sized businesses. IB Spieth has since focused on enhancing its cybersecurity defenses.
  • Triton Sourcing & Distribution, based in Auckland, New Zealand, reported a ransomware attack involving 10 gigabytes of stolen data, primarily from its Exo order system. The breach caused temporary disruptions but was resolved quickly. The stolen files, mostly .XML documents, posed minimal risk to external stakeholders.
  • Snow Brand Australia, a dairy supplier, was targeted by SafePay this week. Attackers stole 24 gigabytes of data, including financial records, employee documents, and business agreements. Snow Brand acted swiftly, securing its systems, launching an investigation, and notifying authorities.

Qilin is believed to recruit former LockBit affiliates, employing tactics reminiscent of LockBit’s data breach strategies. RansomHub has offered resources for independent actors, while other former affiliates move between smaller groups or collaborate across the ecosystem, adopting LockBit-inspired methods.


Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.
