Halcyon Threat Insights 020: September 2025 Ransomware Report

Research
Written by
Halcyon RISE Team
Published on
Sep 4, 2025

NOTE: Every month, get the latest ransomware news and analysis from the Halcyon RISE Team. Join us for the next Threat Insights webinar (or watch on-demand here): bit.ly/4oxykSN

Here are the key insights from the Halcyon Ransomware Research Center based on intelligence collected from our customer base throughout August 2025. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Threats Prevented by Industry Vertical

Manufacturing, Retail, and Hospitals & Physicians Clinics were the most targeted industry verticals in August 2025:

(Charts: Industry Distribution; Industries Impacted, Month-over-Month Change)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats in client environments that were missed by other security solutions:

(Charts: Threat Types by Category, bar chart; Threat Types by Category, August 2025 Detections)

The Halcyon Ransomware Attack Chain

Halcyon detects a range of behaviors and tooling at every stage of the ransomware attack chain, from initial access through privilege escalation and lateralization to the final encryption payload. The following are just a few examples of detections from August 2025:

Initial Access

  • TrojanSpy.Trickbot (trojan.trickster/trickbot) (VT Score 62): While often delivered as a second-stage payload via Emotet, BazarLoader, or malspam, Trickbot can also function as an initial access tool in ransomware operations when delivered directly to victims through phishing campaigns or malicious downloads. In this role, it establishes the first persistent foothold, opening command-and-control channels and validating operator access. Trickbot’s modular architecture then extends its utility far beyond the entry point: credential harvesting modules steal domain and administrator logins, reconnaissance plugins map the environment, and lateral movement capabilities allow it to propagate across networks. These functions make Trickbot not just an entry vector but a bridge to later stages in the attack chain, including privilege escalation, defense evasion, and eventually enterprise-wide ransomware deployment. Historically, Trickbot infections have been the launchpad for Ryuk and Conti ransomware, underscoring its role as both an enabler of initial access and a cornerstone for the broader attack lifecycle.

Remote Access

  • Custom.Go/Resocks (VT Score 4): A remote access backdoor written in Go that leverages SSH dynamic port forwarding to provide adversaries with flexible tunneling and proxy capabilities during ransomware operations. Once deployed, it establishes encrypted SOCKS proxies through compromised hosts, allowing attackers to pivot into restricted network segments and bypass perimeter defenses. Campaign-specific builds complicate static detection, ensuring persistence and operator control across diverse environments. While primarily serving the Remote Access stage, Resocks supports multiple parts of the ransomware chain by enabling stealthy lateral movement, covert data exfiltration, and sustained command-and-control connectivity. By converting compromised endpoints into encrypted relay nodes, it ensures attackers can manage intrusion paths and prepare infrastructure for large-scale ransomware deployment without triggering standard IDS signatures.

Privilege Escalation

  • Hacktool.EFSPotato (hacktool.msil/efspotato) (VT Score 59): A Windows privilege escalation exploit that abuses the Encrypting File System Remote Procedure Call (EFSRPC) interface to coerce authentication and impersonate higher-privileged tokens such as SYSTEM. Similar in concept to JuicyPotato and PrintSpoofer, EFSPotato provides ransomware operators with a lightweight, in-memory escalation path that requires no driver installation, making it cleaner and faster to deploy during active intrusions. This token impersonation approach contrasts with Bring Your Own Vulnerable Driver (BYOVD) techniques such as leveraging HackSys Extreme Vulnerable Driver, which rely on dropping and exploiting a signed but flawed kernel driver to achieve escalation. While BYOVD offers kernel-level dominance for disabling defenses and tampering with the OS, EFSPotato is valued for its portability, reduced noise, and quick execution in campaigns. Within ransomware attack chains, EFSPotato bridges the gap between initial access and domain dominance, ensuring operators can disable protections, compromise backup systems, and stage encryption payloads without requiring heavier tooling, while still complementing deeper privilege escalation methods when full kernel control is needed.

Environment Enumeration

  • Hacktool.Assasin (hacktool.msil/assasin) (VT Score 49): A reconnaissance utility designed to enumerate IP addresses within targeted environments, giving attackers an early map of the victim network. Written in .NET (MSIL), Assasin automates host discovery by scanning ranges of IP addresses and cataloging responsive systems, enabling ransomware operators to quickly identify viable targets for lateral movement. This stage is critical in the ransomware chain, as accurate network awareness directly informs privilege escalation and remote access operations. While Assasin provides automation and stealth advantages, attackers often blend its use with living-off-the-land binaries (LOLBins) such as arp -a, net view, or ping -t to avoid detection. In combination, these methods allow adversaries to balance flexibility with low visibility, ensuring they maintain situational awareness inside the environment. Enumeration tools like Assasin therefore serve as a foundation for later stages—guiding privilege escalation through exploits like EFSPotato, supporting BYOVD methods such as HEVD, and ultimately ensuring ransomware payloads can be deployed with maximum reach across high-value systems.

Credential Harvesting

  • Trojan.Vidar/Stealer (trojan.vidar/stealer) (VT Score 23): A widely deployed infostealer frequently integrated into ransomware ecosystems, used to harvest credentials and sensitive data from infected hosts. Vidar targets browsers, password managers, cryptocurrency wallets, VPN clients, and remote access applications, extracting stored logins, autofill data, cookies, and authentication tokens. Its modular design allows operators to customize builds per campaign, and its reliance on encrypted command-and-control channels ensures exfiltrated data is transmitted covertly. While its primary role is credential theft, Vidar often serves multiple functions in the ransomware chain: validating access obtained through phishing or loaders, supplying stolen administrator and domain credentials for lateral movement, and identifying valuable accounts to disable defenses or compromise backups. The data harvested by Vidar is also leveraged for double-extortion, as exfiltrated credentials can provide leverage over third-party services and cloud environments. By pairing stealthy credential theft with operational flexibility, Vidar remains one of the most effective tools for ensuring ransomware affiliates can expand privileges and maintain persistent access across victim organizations.

Lateral Movement

  • PUA.Winexe/Winexesvc (pua.winexe/winexesvc) (VT Score 43): A remote execution utility for Windows environments modeled after Microsoft’s PsExec, commonly abused by ransomware operators to propagate laterally once privileged credentials have been obtained. Winexe allows attackers to launch commands and services remotely across the network, effectively turning compromised administrator credentials into the ability to control multiple hosts simultaneously. Classified as a Potentially Unwanted Application (PUA), it often blends into administrative activity, making detection more difficult in environments where remote management tools are normally permitted. Within the ransomware attack chain, Winexe is deployed after credential harvesting and privilege escalation stages, serving as a reliable mechanism to distribute payloads, disable defenses, or stage ransomware executables across the environment. Its use highlights the attacker’s reliance on dual-use tools—mirroring legitimate IT workflows to avoid suspicion—while maintaining the speed and reach needed for enterprise-wide ransomware deployment. By pairing tools like Winexe with reconnaissance outputs from enumeration utilities, adversaries ensure their lateral movement is both targeted and efficient.

Security Bypass

  • Trojan.KillAV/GenericML (trojan.killav/genericml) (VT Score 42): A malicious utility engineered to disable or tamper with endpoint protection, providing ransomware operators a clear path to execute payloads and encrypt files. KillAV variants typically enumerate active security services, then attempt to terminate processes, delete or alter configuration files, and disable drivers belonging to antivirus (AV) and endpoint detection and response (EDR) solutions. Some builds employ privilege escalation to inject code directly into security processes, while others rely on aggressive process-killing loops to keep defenses offline. Within ransomware attack chains, KillAV tools are commonly deployed after credential harvesting and privilege escalation, ensuring that once administrative control is gained, protective layers are dismantled before encryption begins.
    Machine learning–based detections like GenericML highlight a family of behaviors—service enumeration, registry manipulation, and forced process termination—rather than a single strain of malware. Importantly, attackers often blend KillAV usage with living-off-the-land binaries (LOLBins) such as sc stop, taskkill, or wmic process where name=… delete, which mimic legitimate IT administration. This combination of custom malware and native system utilities complicates detection and helps adversaries appear as normal operator activity. By neutralizing defenses through both malicious binaries and LOLBins, KillAV ensures ransomware payloads can execute reliably, disrupt recovery solutions, and expand control across high-value systems.

Data Exfiltration

  • Risktool.Ngrok (trojan.ngrok) (VT Score 19): A legitimate tunneling utility frequently repurposed by attackers to establish covert outbound channels for data theft and command-and-control. Ngrok enables adversaries to expose internal services to the internet by creating secure tunnels through firewalls and NAT, bypassing perimeter monitoring and inspection. Within ransomware operations, ngrok is often staged after persistence and privilege escalation, providing a stealthy exfiltration path for stolen credentials, documents, and system reconnaissance data before encryption begins. Its classification as a risk tool reflects its dual-use nature—while benign for developers, its ability to create encrypted tunnels directly into corporate networks makes it attractive for adversaries seeking to avoid traditional IDS or DLP controls. Attackers frequently blend ngrok usage with other exfiltration techniques, using it as an encrypted proxy for tools like Vidar Stealer or custom scripts, ensuring sensitive data leaves the environment unnoticed. By embedding ngrok into the attack chain, ransomware operators reinforce the “double extortion” model, exfiltrating data for leverage while preparing to encrypt victim systems.

Data Destruction

  • Medusa Risktool, Shadow Copies Deletion (trojan.delshad) (VT Score 4): A destructive utility leveraged in ransomware operations to eliminate Windows Volume Shadow Copies, crippling built-in recovery mechanisms and maximizing the impact of encryption. By executing commands such as vssadmin delete shadows /all /quiet or invoking WMI methods, Delshad ensures that local backups and restore points are erased, leaving victims unable to recover without offline or external backup solutions. Although its VirusTotal score is relatively low, reflecting its overlap with administrative functionality, in adversary hands it becomes a decisive post-compromise step. Typically deployed after privilege escalation and lateral movement, Delshad is used once attackers have administrative rights across targeted hosts. Its role is straightforward but highly effective: inhibiting system recovery (MITRE ATT&CK T1490) and amplifying the leverage of double-extortion ransomware campaigns. By pairing shadow copy deletion with prior credential theft, exfiltration, and lateral spread, trojan.delshad ensures that victims face maximum disruption and limited recovery paths, locking them deeper into the extortion cycle.
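The Environment Enumeration, Security Bypass and Data Destruction entries above all note that attackers pair custom tooling with native binaries (arp -a, net view, ping -t, sc stop, taskkill, wmic process ... delete, vssadmin delete shadows) that also appear in ordinary administration. The following added example (not Halcyon's code) shows one way a detection engineer can use that observation: match those command lines against constructed Sysmon Event ID 1 process-creation records, then only escalate when several attack-chain stages appear under the same parent process on the same host, which is the sequence the report describes. Field names follow Sysmon's process-creation event; the stage labels are the report's, the ATT&CK technique mapping, the regular expressions and the sample records (including the placeholder service and process names) are assumptions made for the example.

```python
"""Command-line triage for the LOLBin patterns named in this report.

Added example, not Halcyon's code. Records are constructed and use the
Sysmon Event ID 1 (process creation) field names: UtcTime, Computer,
ParentImage, Image, CommandLine. Stage labels are the report's; the
ATT&CK technique mapping and the regexes are ours.
"""
import re
from collections import defaultdict

# (attack-chain stage, ATT&CK technique, regex over the normalized command line)
RULES = [
    ("Environment Enumeration", "T1016", re.compile(r"\barp(\.exe)?\s+-a\b")),
    ("Environment Enumeration", "T1018", re.compile(r"\bnet1?(\.exe)?\s+view\b")),
    ("Environment Enumeration", "T1018", re.compile(r"\bping(\.exe)?\b.*\s-t\b")),
    ("Security Bypass", "T1562.001", re.compile(r"\bsc(\.exe)?\s+stop\b")),
    ("Security Bypass", "T1489", re.compile(r"\btaskkill(\.exe)?\b.*\s/im\b")),
    ("Security Bypass", "T1562.001",
     re.compile(r"\bwmic(\.exe)?\s+process\s+where\b.*\bdelete\b")),
    ("Data Destruction", "T1490", re.compile(r"\bvssadmin(\.exe)?\s+delete\s+shadows\b")),
    ("Data Destruction", "T1490", re.compile(r"\bwmic(\.exe)?\s+shadowcopy\s+delete\b")),
]


def normalize(cmd):
    """Lower-case and collapse whitespace so rules are not evaded by casing or padding."""
    return re.sub(r"\s+", " ", cmd.strip().lower())


def classify(record):
    """Return the (stage, technique) tags whose rule matches one record's command line."""
    cmd = normalize(record.get("CommandLine", ""))
    return [(stage, tech) for stage, tech, rx in RULES if rx.search(cmd)]


def triage(records, min_stages=2):
    """Group hits by (host, parent process) and keep groups spanning at least
    `min_stages` distinct stages. A lone `sc stop` or a backup job rotating
    shadow copies is routine; recon plus defense tampering plus shadow-copy
    deletion under one parent is the chain the report describes."""
    groups = defaultdict(lambda: {"stages": set(), "hits": []})
    for r in records:
        tags = classify(r)
        if not tags:
            continue
        key = (r["Computer"], r["ParentImage"].lower())
        for stage, tech in tags:
            groups[key]["stages"].add(stage)
            groups[key]["hits"].append((r["UtcTime"], tech, normalize(r["CommandLine"])))
    return {k: v for k, v in groups.items() if len(v["stages"]) >= min_stages}


# Constructed sample records. Service and process names are placeholders.
CMD = r"C:\Windows\System32\cmd.exe"
SAMPLE_EVENTS = [
    {"UtcTime": "2025-08-12 03:14:02", "Computer": "FS01", "ParentImage": CMD,
     "Image": r"C:\Windows\System32\ARP.EXE", "CommandLine": "arp -a"},
    {"UtcTime": "2025-08-12 03:14:05", "Computer": "FS01", "ParentImage": CMD,
     "Image": r"C:\Windows\System32\net.exe", "CommandLine": "net view /all"},
    {"UtcTime": "2025-08-12 03:20:41", "Computer": "FS01", "ParentImage": CMD,
     "Image": r"C:\Windows\System32\sc.exe", "CommandLine": "sc stop ExampleEDRSvc"},
    {"UtcTime": "2025-08-12 03:20:44", "Computer": "FS01", "ParentImage": CMD,
     "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": 'wmic process where name="exampleav.exe" delete'},
    {"UtcTime": "2025-08-12 03:21:10", "Computer": "FS01", "ParentImage": CMD,
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /all /quiet"},
    # Benign on its own: a backup agent rotating the oldest shadow copy.
    {"UtcTime": "2025-08-12 02:00:00", "Computer": "BKP01",
     "ParentImage": r"C:\Program Files\BackupAgent\agent.exe",
     "Image": r"C:\Windows\System32\vssadmin.exe",
     "CommandLine": "vssadmin delete shadows /for=D: /oldest"},
]

if __name__ == "__main__":
    for (host, parent), group in triage(SAMPLE_EVENTS).items():
        print(f"{host} via {parent}: stages={sorted(group['stages'])}")
        for when, tech, cmd in group["hits"]:
            print(f"  {when} {tech} {cmd}")
```

Run as-is, only the FS01/cmd.exe group is reported; the BKP01 vssadmin call matches a rule but stays below the two-stage threshold. Lowering `min_stages` to 1 turns the same rules into a plain alert list, which is useful for hunting but noisy in environments where remote management and backup tooling is normal.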

Data Encryption

  • Ransomware.Akira (VT Score: N/A – sample not submitted to VirusTotal): A double-extortion ransomware family that encrypts victim files while simultaneously exfiltrating sensitive data to pressure organizations into paying. Akira uses strong symmetric encryption (typically AES) for file contents paired with asymmetric key wrapping (RSA) to ensure victims cannot decrypt without attacker-provided keys. Once deployed, it systematically traverses the filesystem, targeting documents, databases, and backups, while often skipping critical system files to maintain OS stability. Operators deploy Akira after achieving domain-level privileges and lateral access, frequently disabling defenses and deleting shadow copies to maximize encryption reach. Beyond the cryptographic impact, Akira campaigns emphasize psychological pressure, publishing stolen data on leak sites to reinforce ransom demands. Its role in the ransomware attack chain is the final stage of impact, ensuring victims face operational downtime, data loss, and reputational damage. Akira’s efficiency in pairing encryption with extortion solidifies its place as a high-threat ransomware strain, exemplifying the modern trend of ransomware operations as both technical disruption and coercive business model.

Threat Actor Spotlight: NightSpire Ransomware

NightSpire is an emerging ransomware group first observed in early 2025. Although some early speculation suggested ties to older RaaS crews, NightSpire operates as a closed collective rather than a public Ransomware-as-a-Service platform. The group conducts all attacks internally, retaining control of operations and negotiations without outside affiliates.

NightSpire ransomware primarily targets Windows systems, with indications that development toward Linux and ESXi compatibility is underway, though broad cross-platform use has not yet been confirmed. The malware employs a double extortion model, combining AES-256 file encryption with RSA-2048 key encryption while exfiltrating sensitive data to pressure victims. A Tor-based leak site supports these efforts, listing victims who refuse to pay.

The group demonstrates a moderate but steadily advancing level of technical sophistication. Initial access typically comes through phishing emails with malicious attachments, compromised RDP credentials, or exploitation of vulnerable web applications. Once inside a network, operators rely on PowerShell, Windows Command Shell, and batch files to deliver payloads and disable defenses. Volume Shadow Copies are deleted to block recovery, and credential harvesting is carried out using Mimikatz. Lateral movement is achieved with PsExec, RDP, and WMI, while reconnaissance relies on tools such as Advanced IP Scanner. Obfuscation routines are used to evade detection and hinder sandbox analysis. Persistence is maintained through registry keys and scheduled tasks, and in some incidents, payloads were run from temporary directories using renamed processes to avoid endpoint monitoring.
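The last sentence above, payloads run from temporary directories under renamed process names, points at a hunt that does not depend on knowing the payload in advance. The following added example (not Halcyon's code, and not derived from NightSpire samples) checks constructed Sysmon Event ID 1 records for two things: execution from a user-writable or temporary path, and a mismatch between the on-disk file name and the PE's OriginalFileName, which Sysmon reads from the version resource and which renaming the file does not change. The directory list, the severity scale and the sample records are assumptions made for the example.

```python
"""Hunt for renamed payloads launched from temporary or user-writable paths.

Added example, not Halcyon's code. Records are constructed Sysmon Event ID 1
entries with the fields Computer, Image and OriginalFileName. The writable
path list and severity scale are ours.
"""
import ntpath

# Directory fragments a standard user or a dropper can write to without elevation
WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\windows\\temp\\",
    "\\users\\public\\",
    "\\programdata\\",
)
# Values Sysmon emits when the PE carries no version resource
NO_METADATA = ("-", "", "?")


def assess(ev):
    """Return finding tags for one process-creation record (empty list if clean)."""
    image = ev.get("Image", "").lower()
    base = ntpath.basename(image)          # handles backslash paths on any host OS
    orig = ev.get("OriginalFileName", "-").lower()
    findings = []
    if any(m in image for m in WRITABLE_MARKERS):
        findings.append("exec-from-writable-path")
    if orig in NO_METADATA:
        # Nothing to compare against; from a writable path that is itself notable,
        # since most vendor binaries and Windows components carry version info.
        if findings:
            findings.append("no-version-info")
    elif orig != base:
        # Case-only differences (cmd.exe vs Cmd.Exe) were removed by lower-casing.
        findings.append("renamed:" + orig)
    return findings


def severity(findings):
    """Renamed binary from a writable path is the combination the report describes."""
    renamed = any(f.startswith("renamed:") for f in findings)
    if renamed and "exec-from-writable-path" in findings:
        return "high"
    if findings:
        return "medium"
    return None


def hunt(events):
    """Return (Computer, Image, severity, findings) for every record worth a look."""
    results = []
    for ev in events:
        f = assess(ev)
        if f:
            results.append((ev["Computer"], ev["Image"], severity(f), f))
    return results


# Constructed sample records.
SAMPLE_EVENTS = [
    {"Computer": "WS07", "Image": r"C:\Users\jdoe\AppData\Local\Temp\svch0st.exe",
     "OriginalFileName": "mimikatz.exe"},
    {"Computer": "WS07", "Image": r"C:\Windows\System32\cmd.exe",
     "OriginalFileName": "Cmd.Exe"},
    {"Computer": "WS07", "Image": r"C:\Users\Public\update.exe",
     "OriginalFileName": "-"},
    {"Computer": "WS08", "Image": r"C:\Program Files\Vendor\agent.exe",
     "OriginalFileName": "agent.exe"},
]

if __name__ == "__main__":
    for host, image, sev, findings in hunt(SAMPLE_EVENTS):
        print(f"[{sev}] {host} {image}: {', '.join(findings)}")
```

Expect false positives from installers and updaters that legitimately stage executables under Temp, and from a few signed binaries whose version resource names a different internal file; treat the output as a hunting queue ranked by severity rather than a blocking rule, and pair it with the scheduled-task and Run-key persistence the report mentions when triaging a hit.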

Victimology shows a focus on professional services, real estate, healthcare, and regional manufacturing firms, particularly mid-market organizations in North America and Western Europe. Target selection suggests preference for companies with limited security resources but valuable datasets. Since its emergence, NightSpire has maintained a low-volume but consistent tempo, with roughly 25–30 victims publicly listed. Ransom demands typically range between $150,000 and $2 million, depending on organization size and the sensitivity of stolen data.

 

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.
