Halcyon Threat Insights 017: June 2025 Ransomware Report

Research
Written by
Anthony M. Freed
Published on
Jun 3, 2025

NOTE: Every month get the latest ransomware news and analysis from the Halcyon RISE Team - join us for the next Threat Insights webinar (or watch on-demand here): https://t.co/uzCLlD94PZ

Here are the key insights from the Halcyon Rise Team (Research, Intelligence, Services, Engineering) based on intelligence collected from our customer base throughout May 2025. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Threats Prevented by Industry Vertical

Hospitals, Manufacturing, and the Finance sectors were the most targeted industry verticals in May 2025:

(Charts: Industry Distribution; Industries Impacted - Month over Month Change)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that other security layers in our clients’ environments had missed. Many of these are precursors to the delivery of the ransomware payload:

(Chart: Classification Distribution)

Ransomware Precursors: Hack Tools

Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:

Hacktool.mimikatz/hack (VT Score 65): A powerful post-exploitation tool widely used by both penetration testers and threat actors to extract sensitive credentials from Windows systems. Originally developed for legitimate security research and red teaming, Mimikatz is now a staple in adversary toolkits due to its ability to interact directly with Windows authentication components and retrieve plaintext passwords, password hashes, PINs, and Kerberos tickets from memory. Once executed on a compromised system, Mimikatz can perform credential dumping, pass-the-hash (PtH), pass-the-ticket (PtT), and Kerberos “golden” or “silver” ticket attacks, allowing threat actors to escalate privileges and move laterally across the network. The tool can also manipulate security tokens, bypass security controls, and harvest cached or stored credentials—even from privileged processes like LSASS. Because of its effectiveness and versatility, Mimikatz is often deployed in conjunction with other tools and frameworks such as Cobalt Strike, Metasploit, and various custom loaders that help evade detection. Its presence in an environment is a high-confidence indicator of post-compromise activity, particularly in advanced persistent threat (APT) campaigns and ransomware operations.

Hacktool.remoteexec/remcom (VT Score 64): A lightweight, command-line-based remote execution utility that allows users to run processes on remote Windows systems. Originally developed as an open-source alternative to PsExec, RemCom is often leveraged in both legitimate administrative contexts and malicious operations due to its ability to execute commands remotely without requiring manual intervention on the target machine. When used by attackers, RemCom becomes part of a larger post-compromise toolset designed to facilitate lateral movement within a compromised network. After gaining initial access, adversaries may deploy RemCom to execute scripts, deploy malware, extract data, or run reconnaissance tools across other systems—often with elevated privileges. The tool uses a custom service that is installed temporarily on the target system to launch the desired command and then removes itself, reducing its footprint and complicating forensic detection. RemCom is classified as a hacking tool not because it is inherently malicious, but because of its frequent misuse in cyberattacks, especially by threat actors looking to evade detection while maintaining remote control across environments. Endpoint Detection and Response (EDR) solutions often miss detection of this tool even when observed in suspicious contexts, such as unauthorized lateral movement or execution from non-standard directories in conjunction with other known malicious binaries.

Hacktool.gsecdump/hack (VT Score 61): A credential dumping utility commonly used in post-exploitation phases of cyberattacks to extract sensitive authentication data from Windows systems. Developed as a tool for security researchers and penetration testers, Gsecdump is capable of retrieving password hashes, cached domain credentials, Security Account Manager (SAM) data, and Kerberos tickets directly from memory or registry hives. Functionally similar to Mimikatz, it interacts with the Local Security Authority Subsystem Service (LSASS) and other security-related components to harvest credentials that can be reused in pass-the-hash (PtH), pass-the-ticket (PtT), or other credential replay attacks. Its ability to operate from the command line and run stealthily without requiring user interaction makes it particularly attractive to threat actors during lateral movement and privilege escalation. When used maliciously, Gsecdump enables attackers to gain broader access across an enterprise network by impersonating users or administrators, escalating privileges, and pivoting to higher-value systems. Because of its direct interaction with system-level security processes, endpoint security tools often miss detecting Gsecdump as a hacking tool. Detection in an environment is a strong indicator of post-compromise activity and should be treated as evidence of an active or recently active attacker attempting to harvest credentials for further exploitation or persistent access.

Hacktool.sharphound/msil (VT Score 58): A Microsoft Intermediate Language (MSIL) compiled version of SharpHound, the data collection component of the popular post-exploitation framework BloodHound. Written in C#, it is used to enumerate Active Directory (AD) environments, mapping relationships between users, groups, computers, and permissions to identify potential attack paths and privilege escalation opportunities. Originally developed for red team operations and penetration testing, SharpHound is also frequently leveraged by threat actors in real-world intrusions. After gaining initial access, adversaries use the tool to harvest detailed information about domain trust relationships, group memberships, session data, ACLs, and more—all of which can be used to visualize lateral movement and escalation paths in BloodHound’s graph-based interface. The MSIL variant indicates the tool is compiled into .NET bytecode, often making it easier to obfuscate, embed, or sideload during attacks while maintaining compatibility with .NET-enabled environments. This version is commonly executed using PowerShell, Cobalt Strike, or other custom loaders to evade traditional endpoint detection mechanisms. Because of its ability to expose and map privilege escalation paths, it is often missed by security software when used in an unauthorized context. Its presence strongly suggests adversary reconnaissance within an AD environment and should be treated as a high-risk indicator of post-compromise activity.

Hacktool.rubeus/msil (VT Score 56): A Microsoft Intermediate Language (MSIL) compiled version of Rubeus, a powerful post-exploitation tool designed for abusing Kerberos authentication in Windows Active Directory (AD) environments. Written in C#, Rubeus allows both red teamers and malicious actors to interact with Kerberos in flexible and often stealthy ways, enabling a range of attacks including credential extraction, ticket manipulation, and service abuse. Rubeus can perform key functions such as “pass-the-ticket,” “overpass-the-hash,” Kerberoasting, ticket renewal, and the creation of forged golden or silver tickets. It can also request Ticket Granting Tickets (TGTs) and Service Tickets (TGS), extract credentials from memory, and abuse misconfigurations to escalate privileges within AD domains. The MSIL designation indicates that the tool is compiled to run within the .NET framework, allowing it to be easily loaded and executed using .NET-compatible loaders, PowerShell, or other tools—often bypassing traditional antivirus and endpoint defenses. When detected in an enterprise environment, HackTool.Rubeus/MSIL is a strong signal of post-compromise activity. Its presence typically indicates that an attacker is attempting to exploit Kerberos for lateral movement or domain escalation. Due to its powerful capabilities and association with advanced persistent threats (APTs) and ransomware actors, detection should trigger immediate investigation and response.

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified include:

Trojan.cosmu/xpiro (VT Score 65): A stealthy, modular trojan associated with long-running malware campaigns that primarily target Windows systems. Often categorized under the broader Xpiro or Cosmu malware family, this trojan is known for its polymorphic behavior, meaning it can frequently alter its code structure to evade signature-based detection by antivirus tools. It typically arrives on systems through malicious email attachments, exploit kits, drive-by downloads, or bundled with pirated software. Once executed, Trojan.Cosmu/Xpiro injects itself into legitimate Windows processes to maintain persistence and conceal its activity. It establishes command-and-control (C2) communication to exfiltrate stolen information, receive additional payloads, and execute remote commands issued by the attacker. The trojan may be used to download and deploy spyware, credential stealers, ransomware, or other malware depending on the attacker’s objectives. The modular architecture allows Cosmu/Xpiro variants to adapt to different attack scenarios, often functioning as a downloader in early stages of a multi-phase intrusion. It can also create scheduled tasks or modify registry settings to ensure it remains active after system reboots. Detection of Trojan.Cosmu/Xpiro on a network should be treated as a high-severity event, indicating potential compromise and the likelihood of additional malicious components already present or soon to be delivered.

Trojan.brsecmone/tofsee (VT Score 62): A modular trojan associated with the Tofsee malware family, a long-standing and adaptable threat known for its involvement in spam botnets, credential theft, proxy abuse, and cryptocurrency mining. Initially observed as far back as 2013, Tofsee evolved over time into a sophisticated backdoor and malware delivery platform, with the Brsecmone variant indicating a customized or recompiled instance tailored for specific campaigns. Once installed on a compromised Windows system, Tofsee establishes persistent communication with a remote command-and-control (C2) server, allowing attackers to issue commands, download additional payloads, and update the malware as needed. The trojan is frequently spread through malicious email attachments, cracked software downloads, or as a secondary payload delivered via other malware droppers or exploit kits. Tofsee’s core functionality includes sending massive volumes of spam (often related to phishing or scams), harvesting credentials from browsers and email clients, hijacking system resources for cryptocurrency mining, and turning infected hosts into proxies for anonymizing attacker traffic. It is difficult to detect due to its use of obfuscation, encryption, and polymorphic code. Its presence on a network indicates a compromised system being used as part of a broader criminal infrastructure and should be remediated immediately to prevent further abuse.

Trojan.delshad/loki (VT Score 62): A variant of the Loki malware family, a well-known infostealer and remote access trojan (RAT) designed to extract sensitive data from compromised Windows systems. This variant represents a customized or recompiled build used in targeted campaigns, often featuring updates to obfuscation techniques, payload delivery, or command-and-control (C2) infrastructure. Once deployed, it collects a wide range of information, including stored browser credentials, saved passwords, cryptocurrency wallets, and system details. It often includes keylogging capabilities, clipboard monitoring, and the ability to capture screenshots or exfiltrate documents. Stolen data is typically transmitted to a remote server controlled by the attacker. This trojan often uses obfuscated code, packers, and anti-analysis techniques to evade detection by antivirus and endpoint security tools. This variant may also include mechanisms for persistence and privilege escalation, allowing it to maintain long-term access to the infected host. Detection signals an active data theft campaign and warrants immediate investigation, containment, and credential hygiene to prevent further compromise or unauthorized access.

Trojan.black/fugrafa (VT Score 57): A stealthy, multi-purpose trojan that operates as part of an advanced malware toolkit used for data theft, remote control, and persistent access within compromised Windows environments. Associated with the broader Black/Fugrafa malware lineage, this variant is known for its modular design, enabling attackers to tailor its capabilities based on campaign objectives—ranging from espionage and credential harvesting to system manipulation and lateral movement. Once executed, it injects itself into legitimate system processes to evade detection and establish a covert foothold. It communicates with a command-and-control (C2) server to exfiltrate stolen data and receive instructions or additional payloads. Core functionalities include keylogging, clipboard monitoring, screen capturing, and extraction of credentials from browsers, email clients, and operating system components. The trojan may use various methods to achieve persistence, such as modifying the Windows registry, creating scheduled tasks, or dropping malicious services. It is commonly delivered through phishing emails, weaponized documents, drive-by downloads, or as part of a larger post-exploitation framework. Due to its evasive techniques and broad attack surface, it poses a significant threat to data confidentiality and system integrity. Its detection should be treated as evidence of active compromise requiring immediate containment, thorough incident response, and remediation actions.

Trojan.azurebloodhound/bloodhound (VT Score 42): A sophisticated post-exploitation toolkit and Active Directory (AD) enumeration framework commonly leveraged by threat actors after initial access is established. The tool works by collecting and analyzing data about user accounts, group memberships, permissions, and role assignments to uncover attack paths an adversary could exploit. This includes identifying overprivileged accounts, exposed credentials, or misconfigured roles that allow attackers to move laterally, escalate privileges, or gain domain or cloud admin access. Threat actors commonly use BloodHound during the post-compromise phase to plan and automate privilege escalation strategies with precision. Once inside a network, attackers may deploy PowerShell-based ingestors or custom collectors to harvest relationship data, which is then visualized in BloodHound’s graph interface to identify the shortest path to high-value targets.

Ransomware Payloads Blocked

Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:

Trojan.babuk/gizm (VT Score 63): A variant of the Babuk ransomware family, known for its role in double extortion attacks that combine file encryption with data exfiltration. Originally emerging in early 2021, Babuk made headlines for targeting large enterprises and critical infrastructure before its source code was leaked—leading to the emergence of several rebranded or customized offshoots, including the Gizm variant. Once deployed, Babuk/Gizm scans the victim’s system for valuable data, encrypts files using strong algorithms (typically a combination of ChaCha20 and RSA), and appends a unique file extension to signal infection. This variant is typically delivered through compromised RDP credentials, phishing emails, or exploited vulnerabilities, often as part of a broader post-exploitation toolkit. Babuk/Gizm may disable security tools, delete Volume Shadow Copies, and remove backups to prevent recovery, significantly increasing pressure on the victim. It is a high-impact threat, and its presence indicates not only encryption of sensitive data but also potential data theft, making it a critical incident that requires immediate containment, investigation, and potential legal and regulatory response.

Trojan.sage/hpmilicry (VT Score 63): A variant within the Sage ransomware family, a strain known for aggressive encryption tactics and its use in financially motivated cyber extortion campaigns. Emerging in the mid-2010s and derived from the CryLocker ransomware lineage, Sage ransomware evolved with enhancements to its encryption routines, ransom note delivery, and obfuscation methods. The HPMilicry variant reflects a more recent or customized build, often incorporating unique extensions, distribution methods, or targeting logic. Once executed on a victim’s system, Sage/HPMilicry scans for files across local drives, removable media, and network shares, encrypting them with strong cryptographic algorithms—commonly AES or RSA—and appending a custom extension to indicate compromise. It drops a ransom note, typically in multiple directories. This trojan is commonly distributed through malicious spam emails, exploit kits, or as a secondary payload in more complex, multi-stage attacks involving credential theft or lateral movement. It may disable system recovery options like Volume Shadow Copies to prevent file restoration. Detection of Trojan.Sage/HPMilicry suggests active ransomware activity, posing a critical threat to data availability and confidentiality. Immediate containment and forensic investigation are required to limit impact and assess potential data loss.

Ransomware.incransom/imps (VT Score 63): A disruptive strain of ransomware associated with the Incransom malware family, with the Imps variant representing a specific iteration used in targeted attacks. Upon execution, it scans the system for commonly used file types—such as documents, images, databases, and archives—and encrypts them using a strong symmetric or hybrid encryption algorithm. Encrypted files are typically appended with a unique extension (such as *.imps), making them unusable without the corresponding decryption key. This variant may also attempt to delete backups and disable recovery features like Volume Shadow Copies to increase the pressure on victims and reduce their ability to restore data without paying. It is commonly distributed through phishing campaigns, malicious attachments, cracked software, or exploit kits. It is considered a serious threat due to its data encryption and potential data loss. Immediate incident response, isolation, and forensic investigation are critical upon detection.

Trojan.hermes/fareit (VT Score 61): A hybrid malware strain that combines features of the Hermes ransomware family with the Fareit infostealer, creating a dual-threat tool capable of both encrypting data and stealing sensitive information from infected Windows systems. This variant is designed for maximum impact, typically deployed in targeted attacks that begin with credential theft and end in data encryption and extortion. Upon execution, it silently harvests data such as browser-stored passwords, email credentials, FTP logins, and cryptocurrency wallets. The stolen information is sent to a remote command-and-control (C2) server controlled by the attacker. Simultaneously or shortly after, the ransomware component activates, encrypting files across local drives, removable media, and mapped network shares using strong cryptographic algorithms. Encrypted files often receive a custom extension. This dual functionality enables attackers to monetize both the stolen data and the ransom payment, increasing the profitability of each infection. Detection may indicate a broader intrusion using exploit kits or other malware loaders. Detection of this threat indicates a severe compromise requiring immediate containment, forensic investigation, and data breach response.

Ransomware.akira/smyxdjjt (VT Score 58): A variant of the Akira ransomware family, a sophisticated and fast-evolving ransomware strain known for targeting enterprise environments through double extortion tactics. Once executed on a compromised Windows system, it encrypts valuable files across local drives, network shares, and mapped storage using robust encryption algorithms—typically combining AES for file locking with RSA for secure key exchange. Infected files are renamed with the .smyxdjjt extension, rendering them inaccessible without the attacker’s decryption key. This variant is often delivered via compromised credentials, unpatched vulnerabilities, or dropped as a payload during hands-on-keyboard intrusions. It may also disable security software, delete Volume Shadow Copies, and remove backups to maximize disruption. It represents a high-impact threat to data availability, operational continuity, and data privacy. Its detection should trigger immediate containment, incident response, and legal consultation due to the likelihood of both encryption and data exfiltration.

May Ransomware News

  • Hitting the Hardware: Ransomware Moves to the CPU: Experts warn that while this threat is currently theoretical, it highlights the need for heightened vigilance in hardware security, as malicious actors could eventually exploit similar methods.
  • FBI Alerts on Silent Ransom Group Targeting Law Firms: SRG’s recent focus on legal firms began in Spring 2023, likely due to the sensitive nature of legal data. While law firms are the primary target, the group also targets other sectors like the medical and insurance industries.
  • Australian Victims Now Required to Report Ransomware Payments to the Government: The new law applies to organizations with annual revenues of over AUD $3 million, as well as entities in critical infrastructure sectors—capturing around 6.5% of all businesses but representing roughly half of the nation’s economy. Affected organizations must report payments to the Australian Signals Directorate (ASD) within 72 hours or face civil penalties.

Threat Actor Spotlight: Fog

According to the Power Rankings: Ransomware Malicious Quartile report, Fog ransomware first emerged in May 2024 and quickly established itself as a formidable threat, primarily targeting Windows systems. It is considered a variant of the STOP/DJVU ransomware family but stands out for its advanced tactics, aggressive propagation, and increasing strategic sophistication.

Originally focused on U.S. higher education institutions, Fog expanded its reach by late 2024 to include victims across sectors such as business services, manufacturing, finance, government, and technology. By early 2025, it accounted for a significant share of global ransomware activity.

Fog typically gains initial access through compromised VPN credentials, and in some cases, by exploiting vulnerabilities in VPN gateways, including SonicWall appliances. Once inside, operators move swiftly, using tools like Cobalt Strike and Mimikatz to escalate privileges—leveraging techniques such as pass-the-hash attacks and credential extraction from browsers and NTDS.dit files. For lateral movement, they rely on PsExec and RDP, enabling rapid spread across environments.

The ransomware disables Windows Defender, deletes Volume Shadow Copies, and removes Veeam backups to cripple traditional recovery efforts. Files are encrypted using AES-256, with the AES key secured via RSA-2048, and renamed with extensions like “.FOG” or “.FLOCKED.” Victims are left with ransom notes such as “readme.txt” or “HELP_YOUR_FILES.HTML,” detailing payment and decryption instructions.
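As an added illustration (example code written for this report page, not Halcyon's tooling), the following triage script walks a directory tree for the Fog artefacts named above: the ".FOG"/".FLOCKED" extensions, the "readme.txt"/"HELP_YOUR_FILES.HTML" note names, and files whose leading bytes look like ciphertext. The sample files it scans are constructed, and the entropy threshold is an assumption a responder would tune.

```python
import math
import random
import tempfile
from collections import Counter
from pathlib import Path

# Indicators quoted in the Fog spotlight above.
FOG_EXTENSIONS = {".fog", ".flocked"}
FOG_NOTE_NAMES = {"readme.txt", "help_your_files.html"}
# Bits per byte; ciphertext and compressed data sit near 8.0, plain text
# near 4-5.  7.5 is an assumed starting point, not a published Fog value.
ENTROPY_THRESHOLD = 7.5
SAMPLE_BYTES = 65536


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte of the given buffer."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def triage_tree(root: Path) -> dict:
    """Walk `root` and group files into Fog-style indicator buckets.

    renamed      - extension matches one the report attributes to Fog
    notes        - file name matches a Fog ransom-note name
    high_entropy - leading bytes look like ciphertext
    likely_fog   - renamed files plus at least one corroborating indicator,
                   since a lone readme.txt or a lone high-entropy file
                   (a zip, a JPEG) is noise on its own
    """
    root = Path(root)
    findings = {"renamed": [], "notes": [], "high_entropy": []}
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        if path.suffix.lower() in FOG_EXTENSIONS:
            findings["renamed"].append(rel)
        if path.name.lower() in FOG_NOTE_NAMES:
            findings["notes"].append(rel)
        head = path.read_bytes()[:SAMPLE_BYTES]
        # Tiny files give unreliable entropy estimates; skip them.
        if len(head) >= 1024 and shannon_entropy(head) >= ENTROPY_THRESHOLD:
            findings["high_entropy"].append(rel)
    findings["likely_fog"] = bool(findings["renamed"]) and bool(
        findings["notes"] or findings["high_entropy"]
    )
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample data (not from a real incident): one plaintext
    CSV, one 'encrypted' file renamed with .FOG, and a note beside it."""
    docs = Path(root) / "docs"
    docs.mkdir(parents=True)
    (docs / "budget.csv").write_bytes(b"quarter,revenue,cost\nQ1,100,80\n" * 60)
    # Seeded PRNG output stands in for ciphertext so the demo is deterministic.
    (docs / "plan.docx.FOG").write_bytes(random.Random(2025).randbytes(4096))
    (docs / "readme.txt").write_bytes(b"Your files are encrypted. (constructed note)\n")


def demo() -> dict:
    """Build the sample tree in a temporary directory and triage it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(Path(tmp))
        return triage_tree(Path(tmp))


if __name__ == "__main__":
    for bucket, value in demo().items():
        print(f"{bucket}: {value}")
```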

Initially, Fog focused solely on encryption, but by July 2024, it adopted double extortion tactics, threatening to leak stolen data. Though not confirmed in all cases, there are indications Fog may also target virtualized environments, including VMDK files. Unlike many modern ransomware groups, Fog is not run as a Ransomware-as-a-Service (RaaS); instead, it operates under a closed model, with a centralized group conducting all aspects of the attack lifecycle. Ransom demands have ranged from $50,000 to several million dollars, reflecting the size and profile of the targeted organization.


Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.
