Ransomware on the Move: Akira, Funksec, BianLian, RansomHub
Halcyon publishes a quarterly RaaS and data extortion group reference guide, Power Rankings: Ransomware Malicious Quartile. Here are the ransomware gangs on the move last week: Akira, Funksec, BianLian, and RansomHub…
The week of December 9–15, 2024, brought significant ransomware activity, with both emerging and established threat groups targeting critical industries around the globe.
Akira, Funksec, BianLian, and RansomHub have demonstrated advanced tactics and an ability to exploit vulnerabilities across key sectors, leaving organizations grappling with operational and security challenges:
- Akira has conducted a broad campaign of 21 reported incidents, primarily affecting U.S.-based organizations across various sectors
- Funksec, a new threat actor this month, has deployed double extortion tactics in 20 documented attacks spanning multiple global sectors
- BianLian has launched a coordinated campaign targeting major healthcare providers and insurance companies across the United States
- RansomHub has employed sophisticated pressure tactics, combining legal threats with strategic data extortion against research institutions and energy organizations
Statements from impacted entities offer a closer look at the complexities victims face in addressing these attacks. This week’s mini explores RansomHub’s escalating extortion practices and the heightened risks they bring to the ransomware landscape.
Weekly Highlights: Funksec
Funksec is an emerging cybercriminal group first observed in December 2024 that operates through a Tor-based data leak site. They have claimed responsibility for over 10 breaches across the media, IT, retail, and education sectors in countries including the US, France, and India.
The group uses double extortion tactics, combining data theft with encryption, and hosts breach announcements alongside a free DDoS tool on their platform. Operating as both a ransomware group and data broker, they sell stolen data to interested buyers for $1,000 to $5,000.
Their activities have recently intensified, with at least 20 new attacks added to their database. These include 6 attacks in India and multiple incidents across Asia, Africa, South America, and North America.
- GSTPAM (The Goods and Services Tax Practitioners Association of Maharashtra) in Mumbai, India was targeted by the Funksec ransomware group in December. The organization, which provides support and resources to tax practitioners, had its database compromised during the attack. While the full scope of the data breach remains unknown, the attackers have published four screenshots showing exfiltrated files containing personally identifiable information (PII). This incident highlights the persistent security challenges facing organizations that handle sensitive data in the financial sector.
- The Ako Business Development Center in Pathsala, Assam, India experienced a sophisticated ransomware attack that encrypted critical data and prompted a ransom demand in cryptocurrency. The breach was discovered when employees couldn't access essential files, leading to an immediate IT security investigation. The attackers left a ransom note threatening to release sensitive data if their demands weren't met. In response, the organization brought in cybersecurity experts for containment and recovery efforts. While law enforcement has been notified and is investigating, the organization hasn't disclosed whether they'll pay the ransom.
Weekly Highlights: BianLian
BianLian has demonstrated a sophisticated attack pattern targeting healthcare and insurance organizations, with multiple coordinated attacks launched on December 16, 2024. Their typical method involves exploiting network vulnerabilities for initial access, followed by lateral movement to locate and exfiltrate sensitive data.
While the exact scale of these breaches often remains undisclosed, affected organizations have implemented immediate containment measures. The synchronized timing of the attacks suggests a well-planned operational strategy, one that focuses in particular on organizations that handle valuable personal and financial information.
- Physicians' Primary Care of Southwest Florida, a healthcare provider in the United States, has been targeted by the BianLian ransomware group, which claims to have exfiltrated 1.8 terabytes of sensitive data including medical records, contracts, identification documents, email archives, and financial information. The organization discovered unauthorized network access around September 17, though BianLian claims they were informed earlier and failed to secure their network for two weeks. The group has provided samples of the allegedly stolen data, including patient records and X-ray scans. In response, the organization issued a formal notification on November 14, 2024, offering complimentary credit monitoring and identity theft protection services to individuals whose private documents were compromised, though the exact number of affected individuals remains unclear. While Physicians' Primary Care of Southwest Florida has not confirmed BianLian's claims or disclosed any ransom demands, they have taken several protective measures. These include engaging external professionals for investigation, implementing 24/7 monitoring software, notifying law enforcement, and conducting a thorough document review to identify affected individuals. Despite finding no evidence of personal information misuse, the organization is proceeding with precautionary notifications and advising potentially affected individuals to closely monitor their financial and credit statements.
From The Big Leagues: RansomHub
RansomHub has proven to be a highly active threat actor during this period, conducting targeted attacks across diverse sectors. Their operations predominantly focus on large enterprises and critical infrastructure, though they maintain capabilities to target organizations of any size.
Their latest campaign demonstrates an evolution in tactics, incorporating sophisticated pressure mechanisms such as legal intimidation and data extortion strategies, which will be analyzed in detail in our weekly mini.
- The Instituto Nacional de Investigación de Tecnología Agraria y Alimentaria (INIA-CSIC), Spain's premier agricultural research institution, has been severely impacted by a ransomware attack orchestrated by the RansomHub group. The attack, which began on November 12, 2024, has left over 600 employees without access to internal systems, internet connectivity, or vital scientific data. RansomHub claims to have exfiltrated 112 GB of sensitive data and has set a ransom deadline for December 17, 2024, threatening to publish the data within 7–8 days if their demands are not met. The ransomware encrypted critical data on affected devices, though swift intervention reportedly curtailed its further spread. This incident has significantly disrupted the center's crucial research activities, including projects on genetic editing and the conservation of endangered species, and has brought essential operations such as procurement and data sharing to a standstill.
- RECOPE, the Costa Rican Petroleum Refinery, faced a RansomHub ransomware attack with claims of 240 GB of stolen sensitive data. After discovering the breach, RECOPE implemented its contingency protocol, switching to manual fuel sales operations during system assessment. Head of Communications Bárbara Marín Benavides confirmed an IT-wide alert, leading employees to work manually to maintain customer service and supply chains. The company kept stakeholders informed, with president Karla Montero making a public address while experts evaluated the attack's scope. RECOPE maintained continuous contact with Costa Rica's Computer Security Incident Response Center at Micitt, adhering to established protocols throughout the incident.
From The Big Leagues: Akira
Akira has led the charts this week, tying with Funksec at 21 incidents, with the United States as their primary target. During their recent campaign from December 10–14, 2024, they targeted diverse sectors including financial services, manufacturing, professional services, and retail.
Most targeted organizations have maintained silence about the attacks and potential negotiations, while they face significant risks from possible exposure of sensitive personal and financial data.
- Matagrano Inc., a prominent beer distributor serving San Francisco, San Mateo, and Santa Clara County, has been targeted in a significant ransomware attack. The perpetrators have reportedly gained access to over 100 GB of sensitive internal corporate documents. These documents are said to include non-disclosure agreements, employee and customer contact information, driver licenses, medical certificates, family information, and human resources records. The attackers have threatened to release this data. Matagrano has not yet issued a public statement regarding the breach.
Impact, Response, and Statements
This week, multiple organizations across diverse sectors, including healthcare, education, telecommunications, and government, confirmed network breaches involving significant data exfiltration.
These attacks highlight the use of sophisticated tactics, such as system disruptions that forced manual operations, strategic timing during vulnerable periods like holidays, and escalating pressure through data leaks and ransom demands.
Statements from affected organizations, primarily delivered through press releases, website announcements, and social media updates, outline responses such as engaging cybersecurity experts, activating contingency protocols, and collaborating with law enforcement, while maintaining transparency about the incidents:
- Telecom Namibia, the state-owned telecommunications provider, has been targeted by the Hunters International ransomware group, which claims to have exfiltrated 626.3 GB of data (492,633 files). After refusing to negotiate, the company confirmed a data leak containing personal identification details, addresses, and banking information, including data related to high-ranking government officials. Chief Executive Stanley Shanapinda acknowledged that while initial assessments suggested no sensitive information was compromised, further analysis proved otherwise. The company is working with security officials, pursuing legal action, and has advised customers to update passwords, while President Nangolo Mbumba has condemned the attack as a national security issue.
- Rutherford County Schools has been breached by the Rhysida hacking group, which provided evidence through leaked passports and sensitive documents. The group demanded 20 Bitcoin (approximately $1,960,000) with a December 18, 2024, deadline. The school district's network disruption began November 25, 2024, during the Thanksgiving holiday, affecting systems used by 52,000 students, 7,000 employees, and bus operators. This is the district's second recent ransomware attack, following a Black Suit group incident on October 19. The district has acknowledged the disruption, restored most services through backups, and is working with national experts and law enforcement.
- The City of Marlow, a government entity based in Oklahoma, USA, has reportedly been targeted by the SafePay ransomware group. The attackers claim to have exfiltrated 80 GB of sensitive data from the city's systems. As of the latest reports, the city's official website remains inaccessible, indicating potential disruptions in their digital infrastructure. On December 2nd, an announcement on the City of Marlow's Facebook page informed residents that online payment services were temporarily unavailable, suggesting the attack's impact on municipal operations. The breach was discovered on December 13, 2024, and the full extent of the data leak remains unspecified.
Mini: How is RansomHub Escalating its Extortion Tactics?
RansomHub has intensified its operations through increasingly sophisticated extortion methods. The group targets both large organizations and critical infrastructure, while also pursuing smaller businesses.
Their current strategy combines legal threats with data blackmail across industries, leveraging stolen sensitive data while threatening legal action. This approach marks them as a particularly dangerous cybercriminal operation.
RansomHub's aggressive tactics include:
- Legal and Financial Threats: Issuing legal ultimatums, outlining federal law consequences, and demanding ransoms starting at $1 million
- Data-Related Threats: Organizing auctions of 35TB of stolen data, releasing confidential negotiations, and imposing 7–8 day publication deadlines
- Reputational Threats: Targeting firm partners with negligence claims, threatening reputation damage, and emphasizing investor relation risks
- Operational Impact: Imposing strict payment deadlines and triggering system-wide shutdowns affecting hundreds of employees
A recent example demonstrates their approach:
TekniPlex, a major packaging and containers manufacturer, faces threats from RansomHub after a system breach. The attackers claim to possess 424 GB of sensitive data, threatening its release within 9–10 days. TekniPlex, known for its healthcare and consumer packaging innovations, supplies materials to numerous prominent brands.
RansomHub's data leak plan, now in its fourth stage, has been detailed on their dark web platform. They've released negotiation excerpts, including a real estate Letter of Intent covering property purchase and leaseback arrangements. The group emphasizes TekniPlex's potential liability for confidentiality breaches, noting possible penalties up to $500,000.
The attackers outline potential legal consequences under U.S. federal and state laws, including litigation risks under the Defend Trade Secrets Act and Uniform Trade Secrets Act. Possible penalties range from compensatory damages to injunctive relief. RansomHub stresses how these disclosures could alienate TekniPlex's investors and partners.
RansomHub's staged release schedule for TekniPlex includes:
- Initial information release about files
- File existence confirmation
- Dialog screenshots release
- Network details release including passwords and vulnerabilities
- Full data publication of 424 GB
Halcyon.ai eliminates the business impact of ransomware. Modern enterprises rely on Halcyon to prevent ransomware attacks, eradicating cybercriminals’ ability to encrypt systems, steal data, and extort companies – talk to a Halcyon expert today to find out more and check out the Halcyon Attacks Lookout resource site. Halcyon also publishes a quarterly RaaS and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile.