Ransomware on the Move: Space Bears, LockBit, Cl0p, Rhysida
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: Space Bears, LockBit, Cl0p, and Rhysida...
Atos Investigating Reported Space Bears Attack
French tech giant Atos has denied allegations that its systems were compromised by the Space Bears ransomware group. In a December 28 statement, Atos reported no evidence of a breach or ransom demand and affirmed that its cybersecurity team is actively investigating the claims.
Known for its expertise in cloud computing and cybersecurity, Atos has previously dealt with cyber incidents, including the 2018 Olympic Destroyer attack and a 2023 vulnerability linked to Cl0p.
Space Bears, a ransomware group tied to the Phobos Ransomware-as-a-Service (RaaS) network, surfaced in April 2023 and has targeted at least 34 victims globally. Employing double extortion tactics, the group encrypts victims’ data while threatening to leak sensitive information unless ransom demands are met.
Their unique approach includes publicizing stolen data on both dark web and clearnet platforms, often accompanied by corporate-style imagery to enhance reputational damage.
The group’s sophisticated online presence, which includes a "wall of shame" to embarrass victims, reflects a highly organized and well-funded operation. Space Bears’ global campaigns have targeted industries across Germany, Norway, the United States, and South Africa. While Atos maintains its systems are secure, Space Bears continues to draw attention for its aggressive, strategic, and polished cyber extortion methods.
New LockBit4 Ransomware Payload in 2025
LockBit, a prolific ransomware group, is preparing to launch its fourth iteration, LockBit 4.0, on February 3, 2025, signaling a resurgence after recent setbacks.
Known for its Ransomware-as-a-Service (RaaS) model, LockBit allows affiliates to deploy ransomware through a central control panel, sharing profits with its core operators. The group employs double-extortion tactics, encrypting files while exfiltrating sensitive data so it can demand separate ransoms: one for decryption and one for not leaking the stolen data.
Despite being the most active ransomware group in early 2024, responsible for 37% of attacks in May, LockBit’s activity declined by October. U.S. authorities have intensified efforts against the group, arresting developer Rostislav Panev in Israel in August 2024.
Panev, linked to LockBit's encryption tools and the StealBit data theft software, reportedly earned $230,000 in cryptocurrency. Another key developer, Dmitry Yuryevich Khoroshev, remains a fugitive.
LockBit’s operational sophistication includes rapid encryption, advanced anti-analysis features, and adaptability for Windows, Linux, and macOS systems. Exploiting vulnerabilities like Citrix Bleed (CVE-2023-4966) and leveraging tools such as Group Policy Objects and PsExec, the group targets healthcare, financial services, and government agencies.
Notable victims include Taiwan Semiconductor Manufacturing Company, Royal Mail, and Boeing, with ransom demands reaching $70 million.
The group’s 3.0 variant introduced modular designs and macOS compatibility, while older versions remain active. Despite law enforcement actions like Operation Cronos, which disrupted its infrastructure in February 2024, LockBit resumed operations within days, highlighting its resilience. However, these actions reportedly weakened its affiliate base, potentially limiting its attack capacity.
LockBit’s profitability and tailored ransom strategies have yielded hundreds of millions of dollars. With its impending LockBit 4.0 release, the group’s persistence underscores the ongoing challenges in combating sophisticated ransomware threats in an evolving cybersecurity landscape.
Over 400K American Addiction Centers Patients Exposed
American Addiction Centers, Inc. (AAC), a Brentwood, TN-based addiction rehabilitation organization, recently disclosed a cybersecurity breach affecting 410,747 current and former patients.
Notification letters to the Maine Attorney General revealed that attackers exfiltrated sensitive data, including names, addresses, phone numbers, birth dates, medical record numbers, Social Security numbers, and health insurance details.
No financial or treatment information was accessed. The breach also impacted patients from AAC-affiliated providers, such as AdCare (MA & RI) and Greenhouse (TX).
The breach occurred between September 23 and 24, 2024, and was detected on September 26. AAC contained the attack, engaged cybersecurity experts, and notified law enforcement. Affected individuals were informed on December 23 and offered one year of free credit monitoring. Despite pre-existing safeguards, AAC has pledged to strengthen its IT security measures.
The Rhysida ransomware group, known for targeting healthcare organizations, claimed responsibility. After failing to secure a ransom, Rhysida leaked 2.8 TB of stolen data. A ransomware-as-a-service (RaaS) operation active since May 2023, Rhysida rapidly gained notoriety by early 2024 for its double-extortion tactics, combining data encryption with threats of public leaks.
Rhysida exploits vulnerabilities like Zerologon (CVE-2020-1472) and VPN system flaws to infiltrate networks. Their methods include deleting Volume Shadow Copy Service (VSS) snapshots to hinder recovery, modifying Remote Desktop Protocol (RDP) settings, and using tools such as Cobalt Strike, PsExec, and PowerShell scripts. Their ransomware employs AES-CTR for file encryption and a 4096-bit RSA key for protecting the per-file encryption keys.
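The behaviours listed above (shadow-copy deletion, RDP setting changes, PsExec-style remote execution) are the kind of pre-encryption activity a defender can alert on from process-creation telemetry. The following is an added example, not code from Halcyon or from any vendor, that runs simple behaviour rules over constructed, tab-separated process-creation records; the log format, host names, and sample commands are all invented for the illustration.

```python
import re
from dataclasses import dataclass

# Behaviour rules for the tradecraft named above. The regexes are constructed
# for this example and will need tuning per environment (e.g. backup agents
# that legitimately manage shadow copies).
RULES = {
    "shadow_copy_deletion": re.compile(
        r"vssadmin(?:\.exe)?\s+delete\s+shadows|wmic(?:\.exe)?\s+shadowcopy\s+delete", re.I),
    "rdp_enabled_via_registry": re.compile(
        r"reg(?:\.exe)?\s+add\b.*fDenyTSConnections.*/d\s+0\b", re.I),
    "psexec_remote_execution": re.compile(r"\bpsexe(?:c|svc)\b", re.I),
}

@dataclass(frozen=True)
class Alert:
    rule: str
    host: str
    user: str
    command: str

def parse_line(line: str):
    """Parse one record in the constructed format:
    timestamp <TAB> host <TAB> user <TAB> parent image <TAB> command line."""
    parts = line.rstrip("\n").split("\t", 4)
    if len(parts) != 5:
        return None  # malformed record: skip it rather than crash the pipeline
    ts, host, user, parent, cmd = parts
    return {"ts": ts, "host": host, "user": user, "parent": parent, "cmd": cmd}

def detect(lines):
    """Return one Alert per (record, rule) match, preserving log order."""
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        for name, pattern in RULES.items():
            if pattern.search(rec["cmd"]):
                alerts.append(Alert(name, rec["host"], rec["user"], rec["cmd"]))
    return alerts

# Constructed sample records (not real telemetry). The benign lines exercise the
# false-positive checks: listing shadows is routine, deleting them is not.
SAMPLE_LOGS = [
    "2025-01-06T02:14:07Z\tFS01\tCORP\\svc_backup\tcmd.exe\tvssadmin list shadows",
    "2025-01-06T02:15:11Z\tFS01\tCORP\\admin\tcmd.exe\tvssadmin.exe delete shadows /all /quiet",
    "2025-01-06T02:15:40Z\tFS01\tCORP\\admin\tcmd.exe\twmic shadowcopy delete",
    "2025-01-06T02:16:02Z\tDC01\tCORP\\admin\tcmd.exe\treg add \"HKLM\\SYSTEM\\CurrentControlSet\\Control\\Terminal Server\" /v fDenyTSConnections /t REG_DWORD /d 0 /f",
    "2025-01-06T02:17:30Z\tWS22\tNT AUTHORITY\\SYSTEM\tservices.exe\tC:\\Windows\\PSEXESVC.exe",
    "2025-01-06T02:18:00Z\tWS22\tCORP\\jdoe\texplorer.exe\tnotepad.exe report.txt",
    "garbage line without tabs",
]

if __name__ == "__main__":
    for a in detect(SAMPLE_LOGS):
        print(f"[{a.rule}] {a.host} {a.user}: {a.command}")
```

Each rule maps to a single behaviour, so a hit on shadow-copy deletion followed minutes later by an RDP registry change on another host is the sequence worth escalating, not any one line in isolation.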
While Rhysida experienced a temporary disruption in February 2024 after researchers released a decryptor, the group quickly adapted with an updated encryptor and resumed attacks by Q3 2024.
Their operations now include a Linux variant targeting VMware ESXi servers. Notable victims include Prospect Medical Holdings, MarineMax, Lurie Children’s Hospital, and the Chilean military, with ransom demands ranging from $775,000 to $3.7 million.
Ransomware Attack Hits Pittsburgh Transit Authority
Pittsburgh Regional Transit (PRT) suffered a ransomware attack on December 19, temporarily disrupting public transportation services, particularly the city’s T rail system. Initially reported as an internet outage, the incident caused 20-minute delays and offline systems.
Rail services resumed by December 25, but some functions, including the Customer Service Center and processing of senior and child ConnectCards, remained affected.
PRT activated its Cyber Incident Response Team, engaged cybersecurity experts, and notified law enforcement. While the extent of compromised data and the identity of the attacker remain unknown, PRT emphasized its commitment to system security and transparency.
This attack highlights the vulnerability of public transit agencies, which are increasingly targeted due to their critical role and sensitive data. Previous ransomware attacks on transit systems in Kansas City (2023), New York City (2021), Metro Vancouver (2020), and Philadelphia (2020) similarly disrupted operations and exposed systemic weaknesses.
Ransomware poses a growing threat to critical infrastructure sectors, including public transit, because of their operational importance and pressure to restore services quickly.
Cybercriminals leverage ransomware-as-a-service (RaaS) platforms, automating sophisticated attacks and enabling less skilled actors to execute impactful campaigns. This democratization of ransomware has significantly increased the frequency and scale of attacks, creating persistent challenges for infrastructure operators.
Adding complexity, ransomware groups are increasingly targeting Linux systems, which underpin global web servers, cloud environments, and critical applications. Linux’s "always-on" nature and role in enterprise and government operations make it a prime target.
Exploiting weak configurations, exposed ports, and outdated software, attackers can infiltrate Linux-based networks, encrypt data, and disrupt services. For critical infrastructure operators like PRT, these attacks result in halted services, productivity losses, and financial damage, underscoring the urgent need for robust cybersecurity measures to mitigate risks and ensure operational resilience.
Extensive Cleo Exploit Campaign by Cl0p
The Cl0p ransomware group plans to disclose over 60 organizations targeted in recent cyberattacks exploiting vulnerabilities in Cleo’s file transfer software, including Harmony, VLTrader, and LexiCom.
These vulnerabilities, CVE-2024-50623 and CVE-2024-55956, enable unauthenticated attackers to steal files and have been exploited since early December. At least one of these is a zero-day vulnerability.
Cl0p claimed responsibility for these attacks in mid-December, announcing on its Tor-based site that victims are being contacted with proof of data theft and offered a final chance to pay ransom before public exposure. While only Blue Yonder has been named so far, more organizations face disclosure by December 30.
However, new evidence suggests another group, Termite, may be responsible for some breaches, including Blue Yonder’s, which affected companies like Starbucks. The overlap between Cl0p and Termite raises questions about their potential connection. Cleo, serving over 4,000 customers, faces scrutiny as these attacks escalate.
Cl0p, a ransomware-as-a-service (RaaS) group operational since 2019, has become the most prolific ransomware group, responsible for 21% of all ransomware incidents in July 2023. Known for exploiting high-profile vulnerabilities, Cl0p employs sophisticated tactics, including data theft, ransomware encryption, and extortion.
Their advanced techniques, such as Linux ransomware and automated exploitation, make them highly adaptable. Recent campaigns exploiting Cleo vulnerabilities have targeted 66 organizations, demanding ransoms ranging from $3 million to $20 million.
By contrast, Termite, which emerged in November 2024, has targeted diverse organizations, including U.S.-based Nifast Corporation and French water company Culligan France. Termite’s methods are less documented, relying on threats of exposure for leverage in ransom negotiations.
Unlike Cl0p, Termite has yet to release stolen data and uses a data leak site with communication channels mimicking professional penetration testing services.
While Cl0p demonstrates advanced capabilities and a broad global reach targeting critical industries, Termite remains an emerging player with a less expansive but diverse victim profile.
Both groups highlight the evolving ransomware threat landscape, with Cl0p exemplifying a seasoned, technically sophisticated operation and Termite representing a nascent yet potentially disruptive force.
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.