Halcyon Threat Insights 016: May 2025 Ransomware Report


NOTE: Every month get the latest ransomware news and analysis from the Halcyon RISE Team (Research, Intelligence, Services, Engineering) - join us for the next Threat Insights webinar (or watch on-demand here): https://bit.ly/4jIpkY4
Here are the key insights from the Halcyon RISE Team (Research, Intelligence, Services, Engineering) based on intelligence collected from our customer base throughout April 2025. The evolving ransomware landscape continues to reveal notable trends when analyzed comprehensively:
Threats Prevented by Industry Vertical
Hospitals, Manufacturing and Finance sectors were the most targeted industry verticals in April 2025:
Threat Types by Category
Halcyon detected and blocked a wide variety of threats in our clients' environments that other security layers had missed. Many of these are precursors to the delivery of the ransomware payload:
Ransomware Precursors: Hack Tools
Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:
Miner.bitminer/xmrig (VT Score 62): Detection assessed as an unauthorized or malicious use of the XMRig cryptocurrency mining software. XMRig is an open-source CPU/GPU miner primarily used to mine Monero (XMR), a privacy-focused cryptocurrency known for its anonymity and resistance to blockchain analysis. While XMRig itself is a legitimate tool, cybercriminals frequently embed it within malware campaigns to hijack the processing power of infected systems and generate cryptocurrency for the attacker without the victim's knowledge—an activity known as cryptojacking. When detected as Miner.BitMiner/XMRig, it typically signals that XMRig is running covertly, likely installed through social engineering, infected software packages, or exploited vulnerabilities. These miners often operate silently in the background, consuming CPU or GPU resources, slowing system performance, increasing power usage, and in some cases, damaging hardware over time due to sustained high loads. Organizations should investigate such detections immediately, as they often indicate deeper system compromise, potentially by initial access brokers who mine crypto while further infiltrating the targeted network, then sell that access to ransomware operators, data extortionists and other threat actors.
Hacktool.juicypotato/jpotato (VT Score 61): A local privilege escalation utility that abuses Windows token impersonation rather than a memory-corruption bug. It coerces a DCOM server (the BITS service in its default configuration) into authenticating to a listener the tool controls, then impersonates the resulting SYSTEM token to spawn a process with SYSTEM-level permissions, giving the attacker full control of the host. The technique only works from a context that already holds SeImpersonatePrivilege or SeAssignPrimaryTokenPrivilege, which is exactly where attackers most often land first: IIS application pools, SQL Server, and other service accounts reached through a web shell or an exploited application. Originally released as a proof of concept for red teamers and penetration testers, it is widely used in post-exploitation by both legitimate security professionals and malicious actors. It does not bypass User Account Control; UAC does not apply to the service-account contexts it runs from. Microsoft changed the DCOM resolver behaviour in Windows 10 1809 and Windows Server 2019 so the original JuicyPotato no longer works there, which is why successors such as RoguePotato and PrintSpoofer appeared; a detection for any of them warrants the same response. Detection in a production environment is a significant red flag. While the tool itself is not inherently malicious, its presence usually means a threat actor is escalating privileges after gaining initial access through phishing, credential theft, or an exploited vulnerability. Organizations should treat this detection as a high-priority incident, immediately investigate how the tool was introduced, assess for lateral movement, and review which accounts hold impersonation privileges and what runs under them.
Trojan.passview/nirsoft (VT Score 58): NirSoft PassView is a family of password-recovery utilities (WebBrowserPassView, Mail PassView, WirelessKeyView and others) that extract saved passwords from web browsers, email clients, and wireless network profiles. Developed by Nir Sofer and widely used by system administrators and forensic investigators, the tools are legitimate but are routinely flagged because threat actors bundle them into malware toolkits. In a cybercriminal context they are embedded in malware campaigns or run during post-exploitation, typically with the /stext or /shtml switches that write every recovered credential to a file for collection. A Trojan.PassView/Nirsoft detection generally means a security product has found password recovery software running in a suspicious or unauthorized manner, especially outside a legitimate IT or forensic context. Because of their dual-use nature they fall into the "grayware" category: not inherently malicious, but often used for harmful purposes.
Trojan.msil/dnoper (VT Score 51): A malicious program compiled to Microsoft Intermediate Language (MSIL), the bytecode of .NET applications, and classified under the Dnoper malware family. This trojan is typically used to deliver additional payloads, steal information, or establish remote control over infected Windows systems. Because .NET assemblies decompile almost back to source, authors routinely run them through obfuscators and packers, which also alters the binary enough to defeat static signatures. Once executed, it may harvest stored credentials, collect system information, inject code into legitimate processes, or connect to a command-and-control (C2) server to receive additional instructions or malware components. Its modular design makes it versatile, able to be updated or reconfigured for specific campaigns, and in some cases it has been observed acting as a loader for ransomware or banking trojans. Detection should be taken seriously, as it indicates that an attacker has likely established a foothold in the environment. Immediate isolation, full system scans, and forensic analysis are recommended to determine the extent of compromise and remove any secondary payloads.
Hacktool.portscan/nettool (VT Score 43): A network scanning utility commonly used for port discovery and reconnaissance activities. These tools, such as NetScan, Advanced IP Scanner, or custom-built Python/PowerShell scripts, are not inherently malicious but are often classified as “hacktools” when used outside authorized administrative or testing contexts. Port scanning tools are designed to probe IP ranges and identify open ports and active services on target machines. This information can be used by system administrators for legitimate network diagnostics and inventory, but when deployed by attackers, it serves as a first step in identifying vulnerable systems, exposed services, or misconfigured endpoints to exploit. Threat actors frequently use port scanners during the reconnaissance phase of an attack, especially after gaining initial access to a network. These tools help map the internal environment and determine paths for lateral movement or privilege escalation. Detection should trigger further investigation, especially if found on endpoints or in environments where scanning activity is not authorized. While not necessarily a sign of compromise on its own, its presence may indicate malicious intent, unauthorized access, or preparation for a broader attack.
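As an added example (this is not Halcyon's detection logic and not code from any of the tools above), the following Python scores constructed process-creation events against the command-line shapes of the precursor tools just described. The event schema, the rule weights, the service-account markers and the AUTHORIZED_SCANNERS allow-list are assumptions made for illustration; the sample telemetry is constructed, not customer data.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcessEvent:
    """A process-creation record (Sysmon Event ID 1 or an EDR equivalent); schema assumed for this example."""
    host: str
    user: str
    parent_image: str
    image: str
    command_line: str


# (rule name, base score, pattern). Scores are illustrative weights, not vendor values.
RULES = (
    # XMRig: pool URL scheme, donation flag or RandomX tuning options are rarely seen outside a miner.
    ("xmrig-miner", 80, re.compile(r"stratum\+(?:tcp|ssl)://|--donate-level|\bxmrig\b|--randomx", re.I)),
    # JuicyPotato: the binary name, or its argument shape (-l <port>, -t t|u|*, -p <program>),
    # which survives renaming the executable.
    ("juicypotato", 90, re.compile(r"juicypotato|(?=.*\s-l\s*\d+)(?=.*\s-t\s*[tu*])(?=.*\s-p\s)", re.I)),
    # NirSoft password-recovery utilities by product name.
    ("nirsoft-passview", 60, re.compile(r"webbrowserpassview|mailpassview|wirelesskeyview|passwordfox|chromepass", re.I)),
    # Port scanners; low base score because administrators run these too.
    ("port-scan", 40, re.compile(r"\bnmap\b|\bmasscan\b|netscan\.exe|advanced_ip_scanner|Test-NetConnection\b.*-Port\b", re.I)),
)

# Context that raises the score: service-account users and parent processes exposed to untrusted input.
SERVICE_ACCOUNT_MARKERS = ("iis apppool\\", "nt service\\", "nt authority\\", "svc")
EXPOSED_PARENTS = {"w3wp.exe", "sqlservr.exe", "tomcat.exe", "httpd.exe"}
AUTHORIZED_SCANNERS = {"VSCAN-01"}  # hosts allowed to port-scan (assumed allow-list)


def triage(events, min_score=50):
    """Score each event against RULES; return findings at or above min_score, highest first."""
    findings = []
    for ev in events:
        haystack = f"{ev.image} {ev.command_line}"
        parent = ev.parent_image.lower().rsplit("\\", 1)[-1]
        for rule, base, pattern in RULES:
            if not pattern.search(haystack):
                continue
            if rule == "port-scan" and ev.host in AUTHORIZED_SCANNERS:
                continue  # sanctioned scanner host
            score, reasons = base, [rule]
            if any(marker in ev.user.lower() for marker in SERVICE_ACCOUNT_MARKERS):
                score += 15
                reasons.append("service-account context")
            if parent in EXPOSED_PARENTS:
                score += 10
                reasons.append(f"spawned by {parent}")
            if score >= min_score:
                findings.append({"host": ev.host, "user": ev.user, "rule": rule, "score": score,
                                 "reasons": reasons, "command_line": ev.command_line})
    return sorted(findings, key=lambda f: -f["score"])


# Constructed sample telemetry (not real customer data).
SAMPLE_EVENTS = [
    ProcessEvent("WS-17", "CORP\\jdoe", "C:\\Windows\\explorer.exe",
                 "C:\\Users\\jdoe\\AppData\\Local\\Temp\\svchost.exe",
                 "svchost.exe -o stratum+tcp://pool.example.net:3333 -u 48abc --donate-level 1 -k"),
    ProcessEvent("WEB-01", "IIS APPPOOL\\DefaultAppPool", "C:\\Windows\\System32\\inetsrv\\w3wp.exe",
                 "C:\\inetpub\\wwwroot\\uploads\\jp.exe",
                 "jp.exe -l 1337 -p C:\\Windows\\System32\\cmd.exe -a \"/c whoami > out.txt\" -t * "
                 "-c {4991d34b-80a1-4291-83b6-3328366b9097}"),
    ProcessEvent("WS-22", "CORP\\helpdesk1", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Temp\\WebBrowserPassView.exe", "WebBrowserPassView.exe /stext C:\\Temp\\pw.txt"),
    ProcessEvent("VSCAN-01", "CORP\\svc_vscan", "C:\\Windows\\System32\\cmd.exe",
                 "C:\\Program Files\\Nmap\\nmap.exe", "nmap.exe -sS -p 1-1024 10.0.0.0/24"),
    ProcessEvent("WS-05", "CORP\\admin2", "C:\\Windows\\explorer.exe",
                 "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
                 "powershell.exe Test-NetConnection dc01 -Port 445"),
    ProcessEvent("WS-09", "CORP\\jsmith", "C:\\Windows\\explorer.exe",
                 "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe", "chrome.exe --profile-directory=Default"),
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_EVENTS):
        print(f"{finding['score']:>4} {finding['host']:<8} {finding['rule']:<17} {', '.join(finding['reasons'])}")
```

The renamed JuicyPotato binary is caught by its argument shape alone, and it scores highest because it runs under an IIS application-pool identity spawned by w3wp.exe, the exact context the tool needs. The single Test-NetConnection call stays below the default threshold, and scanning from the allow-listed scanner host is dropped entirely; lower min_score to see everything the rules matched.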
Ransomware Precursors: Trojans
Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified include:
Trojan.cosmu/zombie (VT Score 63): A class of remote access trojans (RATs) associated with the Cosmu malware family. Also known as “Zombie” in some security products, this malware allows an attacker to gain unauthorized control over an infected system, typically enabling full remote access and execution capabilities. Once installed, Cosmu/Zombie can log keystrokes, capture screenshots, steal credentials, download or execute additional payloads, and manipulate system files—all without the victim's knowledge. After execution, it often disguises itself as a legitimate process to avoid detection, and it may attempt to disable security tools or tamper with system settings. The “Zombie” label reflects the trojan’s ability to turn the infected machine into a bot—capable of being remotely controlled as part of a larger botnet used for spam campaigns, DDoS attacks, or further malware distribution. This type of trojan poses serious risks due to its stealth, persistence, and wide range of control functions. Detection should be treated as a high-priority incident requiring immediate containment, thorough investigation, and a full system reimage if needed.
Trojan.fbv2/equation (VT Score 62): A stealthy and potentially modular malware strain tied to the broader FBV2 malware family. The "Equation" designation may refer to the specific obfuscation technique, campaign code name, or payload structure used in this variant. While the exact origins and operators behind FBV2 remain unclear, it exhibits characteristics commonly associated with advanced persistent threats (APTs), including stealth, persistence, and targeted deployment. It typically enables remote access and control over an infected system, allowing attackers to steal data, capture credentials, move laterally, and deploy additional payloads. The malware may use encrypted communication channels, custom encryption algorithms, or obfuscation layers that resemble techniques seen in highly advanced campaigns, hence the possible reference to "Equation", evoking comparisons to state-sponsored actors like the Equation Group. Detection should be treated as a high-risk security incident, warranting immediate investigation to assess possible espionage, data loss, or deeper compromise within the affected environment.
Trojan.zusy/vundo (VT Score 59): A malware variant that blends elements of both the Zusy and Vundo trojan families, two well-known strains associated with credential theft, spyware capabilities, and the delivery of secondary payloads. This hybrid variant is designed to stealthily compromise systems, collect sensitive information, and open backdoors for further exploitation. The Zusy component (also known as Tinba or TinyBanker) is typically focused on stealing banking credentials, browser session data, and login information by injecting malicious code into web browsers. The Vundo component, historically distributed via malicious ads and fake antivirus alerts, often acts as a downloader, capable of retrieving additional malware and enabling persistence through registry modifications and DLL injection. Its modular design makes it adaptable, allowing attackers to deploy ransomware, spyware, or other payloads post-infection. Detection signals a significant compromise, particularly due to its data theft potential and the likelihood of secondary infections. Affected systems should be immediately isolated and subjected to a thorough forensic investigation to determine the full extent of the breach.
Trojan.killav/clop (VT Score 58): A malware component associated with the Clop ransomware family, specifically designed to disable antivirus (AV) and endpoint protection tools prior to file encryption. The “KillAV” designation refers to this functionality—terminating security software processes to reduce resistance and avoid detection—while “Clop” identifies the broader ransomware operation known for high-impact attacks and aggressive double extortion tactics. The KillAV module plays a key role in the attack chain by automatically searching for and terminating processes related to antivirus software, backup tools, and security monitoring agents. This ensures the ransomware can execute without being blocked or logged, increasing the likelihood of a successful and complete system compromise. Its presence strongly indicates that the ransomware staging process is underway or already in progress. Organizations detecting this threat should treat it as an active breach and respond immediately with isolation, endpoint triage, and forensic investigation to prevent full ransomware deployment and assess for potential data theft.
Trojan.python/goch (VT Score 50): A malicious Python-based trojan associated with the “Goch” variant or campaign. This trojan is part of a growing trend where threat actors use Python scripting to create flexible, cross-platform malware capable of data theft, remote control, and system manipulation. While Python-based malware is often easier to analyze, it is also easier to modify and redeploy, making variants like Goch particularly dangerous in evolving attack chains. Once deployed, it may establish a connection to a command-and-control (C2) server, allowing the attacker to execute commands, steal credentials, upload/download files, take screenshots, or deploy additional payloads. Because Python is commonly installed in development and server environments, Goch can blend in with legitimate processes, especially if obfuscated or bundled with tools like PyInstaller or py2exe to create standalone executables. Detection should be treated as a serious threat, indicating active compromise or reconnaissance activity. Immediate containment, review of executed scripts, and full forensic analysis are essential to determine impact and prevent lateral movement or further exploitation.
Ransomware Payloads Blocked
Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:
Ransomware.medusa/imps (VT Score 62): A variant of the Medusa ransomware family (distinct from the unrelated MedusaLocker), a strain first observed in 2021 that gained prominence in 2023 and has since become known for its double extortion tactics, encrypting victim data while simultaneously exfiltrating sensitive files and threatening to publish them unless a ransom is paid. Once executed, Medusa/IMPS encrypts files across local and networked drives, appending a unique extension (often tied to the campaign) and dropping ransom notes that include communication instructions and demands for payment in cryptocurrency. It is capable of terminating security software, backup solutions, and essential services to maximize damage and prevent recovery. Detection indicates a high-severity compromise and should be treated as a critical incident requiring immediate containment, threat hunting, and forensic investigation.
Trojan.bianlian/encoder (VT Score 61): A ransomware variant tied to the BianLian group, a financially motivated threat actor that originally operated as a banking trojan distributor before shifting to ransomware and extortion in 2022. Unlike some ransomware groups that rely on a Ransomware-as-a-Service (RaaS) model, BianLian appears to operate as a closed group, conducting targeted attacks and developing its own custom tooling. Once inside a network, BianLian performs reconnaissance, exfiltrates sensitive data, and then deploys its encoder to encrypt files and maximize leverage over the victim. In many cases, BianLian actors have shifted to pure extortion attacks, stealing data without deploying encryption, making detection of Trojan.BianLian/Encoder especially notable as it indicates the use of the group’s earlier or hybrid tactics.
Ransomware.lynx/incransom (VT Score 59): A ransomware variant tied to the Lynx group, which emerged in mid-2024. The "incransom" portion of the detection name reflects Lynx's substantial code overlap with the earlier INC Ransom payload, from which it is widely assessed to derive, rather than an internal campaign tag. Once deployed, it encrypts files across the victim's environment using strong encryption algorithms. The ransomware is built for stealth and disruption, often disabling security tools, backups, and system recovery features before launching the encryption phase. Detection indicates a high-risk incident requiring immediate containment, endpoint isolation, forensic analysis, and communication with incident response teams to assess the scope of impact and potential data exposure.
Ransomware.rhysida/stealer (VT Score 59): A variant of the Rhysida ransomware family that includes data exfiltration (stealer) capabilities as part of its payload. The “Stealer” designation indicates that this variant of Rhysida not only encrypts files but also includes modules designed to harvest and exfiltrate credentials, documents, and other high-value data before encryption begins. This increases pressure on victims to pay, as exposure of stolen data can lead to reputational damage, regulatory penalties, and legal liability. Detection should be treated as a critical security event. It indicates that sensitive data may already be in the hands of threat actors, and immediate incident response, containment, and breach notification procedures should be initiated.
Trojan.ransomhub/splinter (VT Score 57): A ransomware payload associated with the RansomHub extortion operation; the "Splinter" suffix is the detection engine's tag for this variant. The variant is designed to evade detection, spread laterally within compromised networks, and disable security tools before launching encryption. The payload often includes anti-analysis techniques and may use custom packers or obfuscation to avoid signature-based detection. Detection indicates a severe compromise. Immediate containment, forensic investigation, and incident response are critical to limit damage, assess data loss, and determine the full scope of the breach.
April Ransomware News
- EDR-Killers Increasingly Used to Bypass Security in Ransomware Operations: Ransomware groups are increasingly leveraging tools like EDRSilencer, EDRSandblast, EDRKillShifter, and Terminator to disable or tamper with endpoint detection and response (EDR) systems. EDRSilencer works from user mode by adding Windows Filtering Platform rules that block the agent's outbound traffic, while EDRSandblast, EDRKillShifter and Terminator load a vulnerable signed driver (bring your own vulnerable driver) to blind or kill the agent from kernel mode; enforcing Microsoft's vulnerable driver blocklist and alerting on new WFP filters are the corresponding controls.
- Verizon DBIR Shows Ransomware Involved in 44% of Data Breaches: In large enterprises, ransomware played a role in 39% of breaches, while small and medium-sized businesses (SMBs) experienced ransomware in 88% of breach cases.
- Open-Source Prince Ransomware Builder Used in Hospital Attack: The ransomware used in the attack was built using the "Prince Ransomware" builder, an open-source tool publicly available on GitHub. This builder allows attackers to easily craft custom ransomware using sophisticated encryption methods.
- Ransomware Attack on Financial Institutions Average $6.08 Million in Losses: Financial institutions are facing an intensifying wave of ransomware attacks, with 2024 seeing an average breach cost of $6.08 million per incident—a 10% increase over the prior year.
- Class Action Lawsuits Filed Following Ransomware Attack Impacting 1 Million Patients: The breach has led to multiple class action lawsuits against the healthcare provider. Plaintiffs allege that the provider failed to implement adequate cybersecurity measures and did not promptly inform affected individuals about the breach.
Threat Actor Spotlight: Fog Ransomware
Fog ransomware, first identified in May 2024, is a disruptive threat that primarily targets Windows systems. Some reporting has linked it to the STOP/DJVU family, though that lineage is not firmly established; what has distinguished Fog is its speed, aggressive propagation, and focus on hard-to-recover infections. Initial access has come through compromised VPN credentials, in some cases obtained by exploiting vulnerabilities in VPN gateways such as SonicWall appliances, and the operators leverage that foothold to move laterally using tools like PsExec and Remote Desktop Protocol (RDP).
Once inside a network, Fog operators disable Windows Defender, delete Volume Shadow Copies (VSS), and remove Veeam backups to neutralize traditional recovery options. They deploy Cobalt Strike and Mimikatz to harvest credentials from browsers and from the NTDS.dit Active Directory database, then use pass-the-hash with the recovered NTLM hashes to escalate privileges and reach additional hosts.
Encryption is carried out using strong algorithms, typically AES-256 for file contents and RSA-2048 for encrypting the AES key, locking files behind extensions like ".FOG" or ".FLOCKED." Because each AES key is wrapped with the attacker's RSA public key, files cannot be recovered without the matching private key, which is why backups and shadow copies are destroyed beforehand. Victims usually find ransom notes named "readme.txt" or "HELP_YOUR_FILES.HTML" with instructions for contacting the attackers.
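The recovery-inhibition, Defender tampering, credential theft and mass-rename steps above are individually noisy but distinctive in combination. As an added illustration (not Halcyon's product logic and not Fog's code), the following Python correlates constructed Sysmon-style events per host and grades the result. The event schema, the 30-minute window, the rename threshold and the stage patterns are assumptions for this example; the sample events are constructed.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Event:
    ts: str       # ISO 8601 timestamp
    host: str
    kind: str     # "process": detail is the command line; "file": detail is a created or renamed path
    detail: str


# Command-line evidence for each pre-encryption stage described in the Fog write-up (patterns assumed).
STAGE_PATTERNS = {
    "defense-evasion": re.compile(
        r"Set-MpPreference\s.*-Disable|Add-MpPreference\s.*-ExclusionPath|sc(\.exe)?\s+(stop|config)\s+WinDefend", re.I),
    "inhibit-recovery": re.compile(
        r"vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete|wbadmin(\.exe)?\s+delete\s+catalog"
        r"|bcdedit(\.exe)?\s.*recoveryenabled\s+no|(net|sc)(\.exe)?\s+stop\s+\"?veeam", re.I),
    "credential-access": re.compile(
        r"ntdsutil.*\bifm\b|sekurlsa::|procdump.*lsass|reg(\.exe)?\s+save\s+hklm\\(sam|security|system)", re.I),
}
ENCRYPTED_EXTENSIONS = (".fog", ".flocked")
RANSOM_NOTE_NAMES = ("help_your_files.html",)   # "readme.txt" is too generic to match on its own


def classify(ev):
    """Return the stage an event evidences: a STAGE_PATTERNS key, "encryption", "rename", or None."""
    if ev.kind == "process":
        return next((stage for stage, pat in STAGE_PATTERNS.items() if pat.search(ev.detail)), None)
    name = ev.detail.lower().rsplit("\\", 1)[-1]
    if name in RANSOM_NOTE_NAMES:
        return "encryption"
    if name.endswith(ENCRYPTED_EXTENSIONS):
        return "rename"   # counted; promoted to "encryption" once rename_threshold is reached
    return None


def correlate(events, window=timedelta(minutes=30), rename_threshold=10):
    """Group evidence per host and grade it: review < ransomware-staging < active-encryption."""
    by_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e.ts):
        by_host[ev.host].append(ev)
    report = {}
    for host, evs in by_host.items():
        stages, renames = {}, 0          # stage -> timestamp first seen
        for ev in evs:
            stage = classify(ev)
            if stage == "rename":
                renames += 1
                if renames < rename_threshold:
                    continue
                stage = "encryption"
            if stage is None:
                continue
            first = min(stages.values(), default=ev.ts)
            if datetime.fromisoformat(ev.ts) - datetime.fromisoformat(first) > window:
                continue                 # too far from the earliest evidence to be the same intrusion
            stages.setdefault(stage, ev.ts)
        if not stages:
            continue
        if "encryption" in stages:
            verdict = "active-encryption"
        elif "inhibit-recovery" in stages and len(stages) >= 2:
            verdict = "ransomware-staging"
        else:
            verdict = "review"
        report[host] = {"verdict": verdict, "stages": sorted(stages),
                        "first_seen": min(stages.values()), "renamed_files": renames}
    return report


# Constructed sample events: one host with the full chain, two with a single stage, one benign.
SAMPLE_EVENTS = [
    Event("2025-04-12T02:10:05", "FS-02", "process", "powershell.exe -nop -c Set-MpPreference -DisableRealtimeMonitoring $true"),
    Event("2025-04-12T02:12:40", "FS-02", "process", "vssadmin.exe delete shadows /all /quiet"),
    Event("2025-04-12T02:12:41", "FS-02", "process", "net stop \"Veeam Backup Service\" /y"),
    Event("2025-04-12T02:21:00", "FS-02", "file", "C:\\Shares\\Finance\\HELP_YOUR_FILES.HTML"),
    Event("2025-04-12T02:13:15", "DC-01", "process", "ntdsutil.exe \"ac i ntds\" ifm \"create full C:\\Temp\\x\" q q"),
    Event("2025-04-12T03:00:00", "BK-01", "process", "vssadmin.exe delete shadows /for=D: /oldest"),
    Event("2025-04-12T02:30:00", "WS-03", "process", "vssadmin.exe list shadows"),
] + [Event(f"2025-04-12T02:20:{i:02d}", "FS-02", "file", f"C:\\Shares\\Finance\\Q1-{i:03d}.xlsx.fog") for i in range(12)]

if __name__ == "__main__":
    for host, result in correlate(SAMPLE_EVENTS).items():
        print(host, result["verdict"], result["stages"], result["renamed_files"])
```

A lone vssadmin deletion on the backup server and a lone ntdsutil export on the domain controller each surface as "review" rather than an alert, which is the trade-off this grading makes: a backup job or a domain migration can legitimately produce either. FS-02 is graded "active-encryption" on the strength of the ransom note even if the rename threshold is raised, and "ransomware-staging" if only the process events are available.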
Fog does not operate as a ransomware-as-a-service (RaaS); it runs as a tightly controlled, centralized operation in which the core group conducts attacks from end to end, often favoring custom scripts and living-off-the-land techniques over commodity exploit frameworks.
While it originally did not exfiltrate data, by July 2024 the group shifted toward double extortion tactics. Targeting sectors including education, business services, technology, manufacturing, finance, and government, Fog initially focused on U.S. higher education but has since expanded to a wider victim base globally.
The ransomware has also been linked to attacks on virtual environments, including the encryption of VMDK files, though this behavior isn’t universally observed. Ransom demands have ranged from $50,000 to several million dollars, depending on the size and profile of the organization. By early 2025, Fog had grown into a major ransomware threat, responsible for a significant share of global incidents.
Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.