Halcyon Threat Insights 018: July 2025 Ransomware Report

Research
Written by Halcyon RISE Team
Published on Jul 3, 2025

NOTE: Every month, get the latest ransomware news and analysis from the Halcyon RISE Team. Join us for the next Threat Insights webinar (or watch on demand here): bit.ly/3HNfaaC

Here are the key insights from the Halcyon RISE Team (Research, Intelligence, Services, Engineering), based on intelligence collected from our customer base throughout June 2025. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Threats Prevented by Industry Vertical

Manufacturing, Insurance, and the Business Services sectors were the most targeted industry verticals in June 2025:

Charts: Industry Distribution; Industries Impacted, Month-over-Month Change

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our clients’ environments and that are often precursors to the delivery of the ransomware payload:

Ransomware Precursors: Hack Tools

Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:

  • Hacktool.rdpwrap/component (Remote Access): A utility classified as a potentially dangerous tool often abused by threat actors to enable unauthorized Remote Desktop Protocol (RDP) access on Windows systems. It works by patching the Microsoft Terminal Services components to allow concurrent RDP sessions and bypass restrictions on multiple simultaneous logins—capabilities not natively allowed on non-server editions of Windows. While RDPWrap itself is not inherently malicious, it becomes a significant risk when deployed without the user’s knowledge or consent. In threat actor campaigns, it's often dropped post-compromise to silently activate RDP and establish persistent, covert remote access. Because RDPWrap operates by modifying system DLLs (like termsrv.dll) and injecting itself into the Windows service structure, it can evade traditional administrative alerts and circumvent group policy settings that normally restrict RDP usage. Attackers frequently pair it with credential theft or brute-force tools to maintain stealthy access across multiple machines in an environment. The tool is especially dangerous in lateral movement scenarios where visibility into RDP activity is limited, and EDR systems may not flag the patched components. In enterprise environments, the unauthorized presence of RDPWrap is a red flag for deeper compromise and should be treated as an indicator of advanced unauthorized access or persistence techniques.
  • Hacktool.connectwise/vsntfa25 (Remote Access): A post-compromise utility abused by threat actors to silently install and configure the ConnectWise ScreenConnect remote access software on targeted systems. It enables covert remote desktop control without user consent and is typically used to maintain persistent access following an initial intrusion. It often includes preconfigured parameters that suppress alerts, hide the installation window, and set up unattended access with attacker-controlled credentials. Because it leverages a legitimate IT support tool, it easily bypasses many security controls and often evades detection by endpoint protection solutions. It can be deployed via script or as part of a larger toolset, sometimes bundled with other utilities like PowerShell droppers or living-off-the-land binaries to reduce the forensic footprint. Once installed, it grants full interactive control, enabling lateral movement, data exfiltration, or deployment of additional payloads such as ransomware. Its presence in an environment—especially when installed in stealth mode—is a high-confidence indicator of unauthorized remote access and should trigger immediate containment and investigation.
  • Hacktool.msil/rubeus (Privilege Escalation): A credential theft and Kerberos abuse tool frequently used by threat actors to perform advanced post-exploitation actions in Windows environments, often with the goal of privilege escalation. Written in C# and typically compiled to a .NET executable, it enables attackers to extract Kerberos tickets from memory, perform pass-the-ticket and pass-the-hash attacks, request ticket-granting tickets (TGTs) via overpass-the-hash, and execute Kerberoasting attacks to retrieve service account credentials. These techniques allow attackers to move laterally and elevate privileges by impersonating higher-level accounts or gaining access to domain administrator credentials. It can also request new tickets using valid credentials or existing TGTs, making it effective for maintaining stealthy and prolonged access. It is usually deployed after initial compromise and is often obfuscated or reflectively loaded into memory to avoid detection by endpoint security tools. Because it interfaces directly with Windows authentication subsystems and mimics legitimate Kerberos activity, it can blend into normal operations in environments lacking behavioral monitoring. Its use is strongly associated with sophisticated threat actors and red team toolkits, and its presence in a network should be treated as a high-confidence indicator of an ongoing or advanced compromise.
  • Hacktool.defendnot/nodefender (Security Bypass): A malicious utility designed to disable Microsoft Defender Antivirus and related Windows security features, clearing the path for follow-on exploitation without interference from built-in protections. It modifies registry keys, disables real-time protection, tamper protection, and cloud-delivered protection, and can also turn off Windows Security notifications to avoid alerting users or administrators. It is often deployed early in an attack chain, typically delivered via script or bundled into loader frameworks, and may operate silently in the background with no visible prompts. It is commonly used by ransomware actors and commodity malware operators to harden the environment against detection and response tools before dropping the main payload. Because it directly interferes with native Windows defenses, its presence is a strong indicator of malicious intent and should trigger immediate incident response actions to verify the integrity of affected systems and determine if additional tooling or malware has already been deployed.
  • Hacktool.gamehack/msil (Security Bypass): A .NET-based tool originally created to cheat in video games but frequently repurposed by threat actors as a versatile memory manipulation and code injection utility. It allows direct interaction with running processes, enabling attackers to modify in-memory values, patch functions, and inject malicious code into legitimate applications. It is commonly used to tamper with or disable security software, bypass integrity checks, and alter system behavior in ways that enable persistence, privilege escalation, or stealthy payload execution. It can also function as a lightweight loader, injecting malicious binaries into trusted processes to evade detection. Critically, it is often used to bypass security mechanisms such as User Account Control (UAC), code signing validation, and behavioral monitoring tools—allowing malicious activity to proceed without triggering alarms. Because it operates at a low level and is typically unsigned, obfuscated, or disguised as legitimate software, it can slip past traditional defenses unless advanced monitoring is in place. Its presence in enterprise environments—particularly outside of known gaming contexts—should be treated as a serious red flag, as it often signals unauthorized manipulation of system memory or an active attempt to bypass security controls and deliver further malicious payloads.

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified include:

  • Trojan.comet/darkkomet (Initial Access): A legacy remote access trojan (RAT) that, despite being publicly discontinued, remains active in the wild due to its ease of use and widespread availability on underground forums. It is often used as an initial access tool, typically delivered through cracked software, malicious email attachments, or trojanized installers that trick users into execution. Once launched, it establishes a connection to a command-and-control server using configurable ports and grants full remote control over the compromised system. Capabilities include keylogging, webcam and microphone activation, file upload/download, registry editing, and system surveillance. It can be customized using a builder to evade basic antivirus detection and is often configured to run silently in the background, disabling security tools, hiding its presence, and establishing persistence across reboots. While commonly used by low-level threat actors, stalkers, and script kiddies, it has also been deployed in targeted espionage campaigns, especially in politically motivated surveillance operations. Its presence in an environment indicates successful social engineering and compromise at the initial access stage, followed by high-risk remote control activity. Detection should be treated as a critical security incident, as it gives the attacker broad, invasive, and often covert access to the victim’s system.
  • Trojan.killav/r002c0dda24 (Security Bypass): An aggressive malware component designed specifically to terminate security processes and neutralize endpoint protection mechanisms during an active intrusion. It systematically scans for and kills processes associated with antivirus software, EDR agents, firewalls, and forensic tools to create a blind spot for follow-on payloads such as ransomware or credential stealers. It may use predefined process name lists, invoke task-killing APIs, or exploit vulnerabilities in security products to shut them down silently. It typically runs with elevated privileges and may disable Windows services, delete scheduled tasks, or tamper with registry entries to prevent the restart of defensive tools. It is often deployed as part of a broader malware package and may be dropped by loaders, droppers, or as a post-exploitation payload after attackers gain access. Its presence is a strong signal of active malicious operations in progress and indicates a clear attempt to disable defenses, delay detection, and increase dwell time within the environment. Systems showing evidence of this component should be isolated immediately and investigated for additional compromise.
  • Trojan.lumma/midie (Credential Harvesting): A variant of the Lumma Stealer malware family, a sophisticated information stealer sold in cybercrime forums as a Malware-as-a-Service (MaaS) offering. It is designed to harvest a wide range of sensitive data from infected systems, including browser-stored credentials, cryptocurrency wallet information, session cookies, autofill data, and system metadata. It supports exfiltration over secure channels to attacker-controlled servers and often employs multiple layers of obfuscation and anti-analysis techniques to evade detection. It can run as a standalone executable or be delivered as part of a multi-stage loader framework, sometimes packed to delay analysis. It aggressively targets Chromium-based browsers and can extract tokens from messaging platforms, VPN clients, and gaming accounts, making it a popular tool for credential harvesting and initial access brokering. Its use is often linked to financially motivated actors and criminal groups seeking to monetize stolen data or resell access to compromised accounts. Detection of this variant should prompt a full credential hygiene reset, review of exfiltrated data paths, and immediate containment actions, as it typically signals widespread credential exposure and the potential for follow-on attacks.
  • Trojan.component/fakegoop (Credential Harvesting): A deceptive malware loader that mimics legitimate Google Updater processes to blend in with trusted system activity. It typically uses names like “GoogleUpdate.exe” or similar variants to masquerade as part of Chrome or Google service updates, often installed in system directories to avoid suspicion. It functions as a payload delivery mechanism, silently downloading and executing secondary malware—commonly credential stealers such as RedLine, Lumma, or Vidar, which are designed to extract browser-stored passwords, cookies, session tokens, and credentials from crypto wallets, messaging apps, and VPN clients. It may also deliver ransomware or remote access trojans as part of a multi-stage attack chain. Persistence is often established via scheduled tasks, registry autoruns, or services to ensure continued operation after reboot. It is typically distributed through cracked software, malicious installers, or phishing-laced executables. Because it does not exhibit overtly malicious behavior on its own, it often evades detection by posing as a legitimate update process while its follow-on payloads carry out credential harvesting and other malicious actions. Its presence is a red flag for a broader compromise, and detection should trigger immediate review of process hierarchies, dropped binaries, and outbound network activity to assess the scope of credential theft and follow-on access risk.
  • Trojan.msil/notfoundkeylogger (Credential Harvesting): A lightweight keylogging trojan written in .NET that is designed to covertly capture and exfiltrate user input from infected systems. It records keystrokes in real time, allowing attackers to harvest credentials entered into login forms, messaging apps, browsers, and other sensitive applications. Captured data is typically written to local log files or transmitted to a remote command-and-control server controlled by the attacker. It may also collect clipboard contents and basic system information to aid in victim profiling. Because it is often small, obfuscated, and bundled with cracked software or malicious installers, it can bypass basic antivirus tools—especially if delivered as part of a multi-stage attack. In many cases, it operates silently in the background without triggering visible alerts and may be configured to persist across system reboots. Its primary use is credential harvesting for account takeover, identity theft, or resale of access to underground markets. Detection of this keylogger should be treated as a serious security incident, as it indicates that usernames, passwords, and other sensitive input may have already been compromised.

Ransomware Payloads Blocked

Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:

  • Ransomware.akira/filecryptor (Encryption): The file-encrypting component of the Akira ransomware family, a human-operated threat known for targeting corporate networks across multiple sectors. It is deployed post-compromise after attackers have established access, disabled security controls, and exfiltrated sensitive data for double extortion. Once executed, it systematically encrypts files using a hybrid scheme—typically combining symmetric AES encryption with RSA to secure the keys—leaving behind a ransom note and appending a unique extension (such as .akira) to affected files. It targets both local and networked drives and is capable of encrypting shadow copies to prevent recovery. The cryptor is optimized for speed and is often configured to skip critical system files to avoid crashing the system before ransom demands can be issued. Prior to encryption, operators may use tools like Mimikatz, Rubeus, and Cobalt Strike to escalate privileges, move laterally, and identify high-value assets. The presence of this component indicates the final stage of an attack, following reconnaissance, credential theft, and data exfiltration. Recovery without the decryption key is typically not possible, and its execution should trigger immediate incident response and ransomware containment procedures.
  • Ransomware.nitro/msil (Encryption): A .NET-based ransomware variant designed to encrypt files on compromised Windows systems using fast, lightweight encryption routines. Typically written in C# and compiled to a Microsoft Intermediate Language (MSIL) executable, it is often deployed as part of opportunistic attacks via phishing campaigns, malicious downloads, or cracked software. Once executed, it scans local and mapped network drives, encrypting user documents, images, databases, and other valuable files using symmetric encryption—usually AES—with the encryption key sometimes hardcoded or transmitted to an attacker-controlled server. Encrypted files are renamed with a unique extension, and a ransom note is dropped in affected directories, demanding payment in cryptocurrency in exchange for a decryption tool. The cryptor may attempt to delete shadow copies and disable Windows recovery features to prevent easy restoration. Though not known for highly advanced evasion tactics, it can still bypass basic security tools if obfuscated or packed. It does not typically perform data exfiltration, focusing instead on rapid file encryption and disruption. Its detection should be treated as a confirmed ransomware event, and systems should be isolated immediately to prevent further spread or damage.
  • Ransomware.conti/diavolo (Encryption): A file-encrypting payload originally associated with the Conti ransomware operation, believed to be a customized or rebranded variant used in targeted enterprise attacks. It is deployed manually by attackers after gaining privileged access within a network, typically following extensive reconnaissance, lateral movement, and data exfiltration. The Diavolo cryptor uses strong AES encryption to lock files, with RSA encryption applied to secure the symmetric keys, making recovery without a decryptor virtually impossible. It encrypts files across local systems and network shares, often appending a distinct extension and dropping ransom notes that include instructions for negotiation and payment, usually via a Tor-based site. The cryptor is built for speed and efficiency, skipping critical system files to maintain operational stability while maximizing disruption. It often attempts to disable security tools and delete shadow copies to block recovery. Diavolo is typically seen in double extortion campaigns, where stolen data is used as additional leverage to pressure victims into paying. Its deployment marks the final phase of a broader, highly coordinated intrusion and should prompt immediate isolation, forensic investigation, and incident response to contain the impact and assess the scope of data compromise.
  • Ransomware.ransomexx/imps (Encryption): A variant of the RansomEXX (also known as Defray777) ransomware family, known for targeting large organizations and government entities in highly targeted, human-operated attacks. The IMPS cryptor is a compiled payload used in the final stage of the intrusion, designed to encrypt files across local drives and network shares using a combination of AES and RSA encryption. It typically appends a unique extension to encrypted files and drops a ransom note instructing victims to contact the attackers via email or a Tor-based portal for payment negotiations. Prior to deployment, operators perform extensive reconnaissance, disable endpoint protections, and exfiltrate sensitive data for use in double extortion. The cryptor may also attempt to terminate services or processes that could interfere with encryption, including backup and security software. IMPS is designed to avoid encrypting system-critical files, ensuring the victim system remains operational enough to display ransom instructions. It is often delivered manually via compromised remote desktop sessions or through elevated privileges obtained with credential theft tools like Mimikatz. Detection of this payload indicates the final phase of a sophisticated, targeted breach and should trigger immediate response efforts focused on containment, forensic analysis, and mitigation of both operational and data loss.
  • Trojan.upatre/cryptolocker (Encryption): A first-stage downloader historically used to deliver the infamous CryptoLocker ransomware, one of the earliest widespread ransomware strains to use strong encryption and demand payment in cryptocurrency. The Upatre component is a compact, Windows-based trojan designed to silently download and execute secondary payloads—most notably CryptoLocker—after gaining initial access through malicious email attachments, typically disguised as shipping notifications or invoices. Once activated, it establishes an outbound connection to attacker-controlled servers and pulls down the ransomware payload. CryptoLocker then encrypts user files using RSA and AES encryption, appending a unique extension and displaying a ransom demand with a countdown timer to pressure payment. Upatre is engineered to avoid detection by using encrypted communications and minimal system footprint, often leveraging legitimate processes to mask its activity. While both Upatre and the original CryptoLocker campaigns have largely been dismantled, variants of this delivery chain still serve as the blueprint for modern ransomware distribution tactics. Detection of either component should be treated as evidence of a legacy-style ransomware infection chain that, if active, still poses a serious threat to data integrity and business continuity.

June Ransomware News

  • Scattered Spider Tactics Observed Amid Shift to US Targets: Halcyon RISE Team shines a light on Scattered Spider’s evolving playbook—shifting focus to U.S. targets using stealthy tactics like multi-factor bypass, living-off-the-land tools, and human-verified account takeovers to launch high-stakes intrusions.
  • AsyncRAT Campaign Continues to Evade Endpoint Detection: Halcyon RISE Team exposed AsyncRAT as a stealth architect-approved toolkit—slithering in via cloud-hosted trojans, evading every endpoint scanner, and laying the groundwork for credential theft, ransomware, and waves of follow-on attacks.
  • Uniquely Destructive PathWiper Payload Emerges in Ukraine Attacks: PathWiper’s debut in Ukraine was a live-fire test—its surgically destructive payload hunting and obliterating shared drives under the guise of admin tools signals that future ransomware gangs are already preparing to recycle this wiper in global attacks.

Threat Actor Spotlight: DevMan Ransomware

DevMan is a ransomware group first identified in early 2025, operating as a closed and technically capable threat actor rather than a public Ransomware-as-a-Service (RaaS) platform. The group does not appear to work with affiliates and instead conducts attacks directly using its own proprietary toolset. Although primarily focused on Windows environments, early samples suggest DevMan is developing cross-platform capabilities, with limited functionality targeting Linux and VMware ESXi systems.

DevMan follows a data-extortion-first approach, though encryption remains a common element in most confirmed cases. This hybrid model sets it apart from pure data extortion crews and indicates an evolving strategy that blends encryption with theft of sensitive information. The group retains full control of the attack lifecycle—from initial access to negotiation—and has not been observed offering affiliate access or revenue sharing, reinforcing its status as a self-contained operation.

Initial access is typically achieved through phishing emails, brute-force attacks on Remote Desktop Protocol (RDP), or the exploitation of vulnerabilities in edge-facing services. Once inside, DevMan operators rely on PowerShell and cmd-based scripts to deploy payloads and disable security tools. Volume Shadow Copies (VSS) are deleted to prevent system recovery. For encryption, the group uses DragonForce encryptors with AES-256 to encrypt data and RSA-2048 to secure encryption keys.

DevMan’s toolset also includes Mimikatz for credential theft and the SoftPerfect Network Scanner for internal reconnaissance. Lateral movement is typically executed via PsExec or RDP, with a preference for lightweight, in-memory execution to minimize detection. The group also embeds custom info-stealer components into payloads, pointing to dual-use campaigns that combine ransomware deployment with credential harvesting.
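The DevMan tradecraft described above (PowerShell and cmd scripts, Volume Shadow Copy deletion, PsExec lateral movement) and the hack tools listed earlier in this report (Defender tampering by defendnot, Kerberos abuse by Rubeus) all leave traces in ordinary endpoint and domain controller telemetry before any file is encrypted. The following is an added example, not Halcyon code or Halcyon output, that runs a small set of detection rules over constructed sample events. The key=value event format is made up for the example; the indicators it looks for (vssadmin/wmic shadow copy deletion command lines, the Windows Defender policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender, PsExec image names, and RC4-encrypted (etype 0x17) service ticket requests as a Kerberoasting signal) are publicly documented and are not named in the report itself.

```python
"""Flag ransomware-precursor behaviour in simplified endpoint telemetry.

Added example, not Halcyon code. The event lines below use a constructed
key=value format; the heuristics encode publicly known indicators for the
techniques this report describes: shadow copy deletion, Defender policy
tampering, PsExec-style lateral movement and RC4 service ticket requests.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample events (not real customer telemetry).
SAMPLE_EVENTS = [
    r'type=process host=WS01 user="CORP\jdoe" image="C:\Windows\System32\vssadmin.exe" cmdline="vssadmin delete shadows /all /quiet"',
    r'type=process host=WS01 user="CORP\jdoe" image="C:\Windows\System32\wbem\WMIC.exe" cmdline="wmic shadowcopy delete"',
    r'type=registry host=WS02 user="NT AUTHORITY\SYSTEM" key="HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\Real-Time Protection\DisableRealtimeMonitoring" value=1',
    r'type=registry host=WS02 user="CORP\jdoe" key="HKCU\Software\Contoso\App\LastRun" value=1',
    r'type=process host=SRV01 user="CORP\svc_backup" image="C:\Temp\PsExec.exe" cmdline="psexec \\WS03 -s cmd.exe"',
    r'type=kerberos host=DC01 user="CORP\jdoe" service="MSSQLSvc/sql01.corp.local:1433" etype=0x17',
    r'type=kerberos host=DC01 user="CORP\jdoe" service="krbtgt/CORP.LOCAL" etype=0x12',
    r'type=process host=WS04 user="CORP\asmith" image="C:\Windows\explorer.exe" cmdline="explorer.exe"',
]

# key=value or key="value with spaces"
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')

# Command lines that remove Volume Shadow Copies (documented, widely abused).
_SHADOW_COPY = [
    re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\s+shadows\b", re.I),
    re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\s+delete\b", re.I),
    re.compile(r"win32_shadowcopy.*remove-wmiobject", re.I),
]
# Real Defender policy path and value names; setting them to 1 switches protection off.
_DEFENDER_POLICY = r"hklm\software\policies\microsoft\windows defender"
_DEFENDER_TAMPER_VALUES = {
    "disableantispyware", "disablerealtimemonitoring",
    "disablebehaviormonitoring", "disableioavprotection",
}
_PSEXEC_IMAGES = {"psexec.exe", "psexec64.exe", "psexesvc.exe"}
# RC4-HMAC ticket encryption types; RC4 TGS requests for SPNs are the classic Kerberoasting signal.
_WEAK_KERB_ETYPES = {"0x17", "0x18"}


@dataclass(frozen=True)
class Finding:
    host: str
    technique: str
    evidence: str


def parse_event(line: str) -> dict[str, str]:
    """Turn one key=value line into a dict; quoted values may contain spaces."""
    return {k: (quoted if quoted else bare) for k, quoted, bare in _FIELD.findall(line)}


def analyze(lines) -> list[Finding]:
    """Apply the precursor rules to each event and return every match in input order."""
    findings: list[Finding] = []
    for line in lines:
        ev = parse_event(line)
        host = ev.get("host", "?")
        kind = ev.get("type")
        if kind == "process":
            cmd = ev.get("cmdline", "")
            image = ev.get("image", "").rsplit("\\", 1)[-1].lower()
            if any(p.search(cmd) for p in _SHADOW_COPY):
                findings.append(Finding(host, "shadow-copy-deletion", cmd))
            if image in _PSEXEC_IMAGES or "psexesvc" in cmd.lower():
                findings.append(Finding(host, "psexec-lateral-movement", cmd))
        elif kind == "registry":
            key = ev.get("key", "")
            name = key.rsplit("\\", 1)[-1].lower()
            if key.lower().startswith(_DEFENDER_POLICY) and name in _DEFENDER_TAMPER_VALUES:
                findings.append(Finding(host, "defender-policy-tamper", f"{key}={ev.get('value')}"))
        elif kind == "kerberos":
            service = ev.get("service", "")
            # TGT requests (krbtgt/...) are excluded; only service ticket requests count.
            if ev.get("etype", "").lower() in _WEAK_KERB_ETYPES and not service.lower().startswith("krbtgt/"):
                findings.append(Finding(host, "rc4-service-ticket-request", f"{service} etype={ev['etype']}"))
    return findings


def summarize(findings) -> dict[str, list[str]]:
    """Group technique names per host so machines chaining several precursors stand out."""
    by_host: dict[str, list[str]] = {}
    for f in findings:
        by_host.setdefault(f.host, []).append(f.technique)
    return by_host


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"[{f.host}] {f.technique}: {f.evidence}")
```

Run as-is to print the findings for the constructed events; in a real deployment the parse_event step would be replaced by the SIEM's own field extraction and the rules would run over process-creation, registry and Kerberos (Event ID 4769) telemetry. The RC4 rule is deliberately a heuristic, since legacy applications still request RC4 tickets, which is why summarize() groups techniques per host: a single host showing shadow copy deletion, Defender tampering and PsExec activity together matches the pre-encryption sequence described for DevMan far more closely than any one rule firing alone.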

DevMan primarily targets small to mid-sized enterprises across a range of sectors, including manufacturing, professional services, construction, and healthcare. Victim telemetry shows a geographic focus on North America and Western Europe, with an expanding footprint in Latin America. The group appears opportunistic, favoring targets based on ease of access rather than specific industry verticals.

Since its emergence in Q1 2025, DevMan has maintained a low-to-moderate but steadily increasing operational tempo, with approximately 40–50 confirmed victims listed on its leak site as of Q2 2025. Ransom demands have varied widely depending on the victim’s size and the sensitivity of exfiltrated data, ranging from $100,000 to $1.5 million. While not as aggressive as top-tier actors, DevMan has demonstrated the ability to scale its demands to match the profile of each victim.

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.
