Halcyon Threat Insights 012: January 2025 Ransomware Report
Here are the key insights from the Halcyon Threat Research and Intelligence Team findings based on intelligence collected from our customer base in December 2024. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:
Threats Prevented by Industry Vertical
The IT, Education, and Finance sectors were the most targeted industry verticals in December 2024:
- Information & Technology: 34% (+6% mo/mo)
- Education: 13% (Flat % mo/mo)
- Finance & Insurance: 9% (-4% mo/mo)
- State & Local Government: 9% (+1% mo/mo)
- Other: 7% (+6% mo/mo)
- Manufacturing: 6% (-7% mo/mo)
- Retail Trade: 6% (+3% mo/mo)
- Healthcare & Pharmaceutical: 5% (Flat % mo/mo)
- Professional, Scientific & Technical Services: 5% (+2% mo/mo)
- Arts, Entertainment & Recreation: 4% (-4% mo/mo)
- Transportation & Warehousing: 1% (-1% mo/mo)
- Utilities: 1% (-1% mo/mo)
Threat Types by Category
Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our clients' environments. These threats are often precursors to delivery of the ransomware payload:
Ransomware Precursors: Hack Tools
Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:
Hacktool.EdRSilencer/EDRStealer: A malicious tool designed to disable Endpoint Detection and Response (EDR) solutions, neutralizing the security mechanisms that monitor and analyze endpoint behavior and making it easier to deploy additional malware or conduct unauthorized activity undetected. It operates by terminating EDR processes or modifying their configurations to render them ineffective. The tool may also steal authentication tokens or credentials from compromised systems, enabling lateral movement across networks.
Hacktool.Lazagne/Clyp: A credential-stealing tool designed to extract sensitive information, such as usernames, passwords, and authentication tokens, from compromised systems. It is often leveraged to gain unauthorized access to user accounts, escalate privileges, and facilitate further malicious activity within targeted environments. It targets locally stored credentials in applications, web browsers, email clients, databases, and password management tools, exploiting insecure credential storage mechanisms and decrypting or exposing stored secrets using known algorithms or vulnerabilities. It is a favorite among attackers because of its modular architecture and ease of use. In many cases it is used alongside other tools to expand an attacker's foothold, enabling lateral movement within a network or the deployment of additional payloads such as ransomware or keyloggers.
Hacktool.MailBruter/MailHack: A malicious tool designed to compromise email accounts by brute-forcing credentials or exploiting vulnerabilities in email servers and services. It is used to gain unauthorized access to email accounts, which can then be leveraged for spam campaigns, phishing attacks, or further infiltration of targeted organizations. It systematically attempts a vast number of username-password combinations, exploiting weak or reused credentials. Some variants are equipped with advanced features, such as throttling attempts to evade detection, using proxy servers to mask activity, or integrating exploits for known vulnerabilities in email protocols like SMTP, IMAP, or POP3. Attackers can use the compromised accounts to distribute malware, steal sensitive information, or impersonate the account owner in targeted spear-phishing campaigns.
Hacktool.Netscan/NetTool: A utility commonly used by attackers to scan networks and identify connected devices, open ports, and services running on a target system. While network scanning tools are often legitimate utilities employed by IT professionals for troubleshooting and security assessments, malicious actors frequently misuse them to gather reconnaissance data for cyberattacks. This tool generates detailed reports of network topology, device configurations, and accessible resources. Many variants include additional features, such as banner grabbing to identify software versions or plugins for exploiting known vulnerabilities in real time. It is often deployed during the initial phases of an attack, serving as a precursor to exploitation, lateral movement, or data exfiltration.
Hacktool.sharphound/msil: A powerful reconnaissance tool commonly used by attackers to map Active Directory (AD) environments. It is the data collector of the BloodHound toolkit, which is widely employed both by security professionals during penetration testing and by malicious actors in advanced cyberattacks. Written in .NET and compiled to Microsoft Intermediate Language (MSIL), it is efficient and versatile for gathering data from Windows-based systems. The tool extracts detailed information about AD structures, including user permissions, group memberships, trust relationships, and other configurations, enabling attackers to identify potential pathways for privilege escalation, lateral movement, or domain dominance within a network. It collects this data through various methods, such as querying AD services over LDAP (Lightweight Directory Access Protocol) or using compromised user credentials. Once collected, the data is uploaded to BloodHound for visualization and analyzed to find attack paths.
Ransomware Precursors: Trojans
Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking Trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data, and more. Some of the Trojans identified include:
Trojan/Backstab.killav: A type of malware specifically designed to disable antivirus (AV) and security solutions on a targeted system, which allows attackers to deploy additional malware, such as ransomware, spyware, or keyloggers, without triggering detection or prevention protocols. It typically works by terminating processes associated with antivirus software, modifying system registry entries to disable startup protections, or exploiting vulnerabilities within the AV software itself. In some cases it uses privilege escalation techniques to bypass administrative controls and ensure persistence. Advanced variants may also block updates to security software, leaving systems defenseless against emerging threats. Once active, it prepares the system for deeper compromise by erasing logs, masking malicious activity, and opening pathways for lateral movement within a network.
Trojan.Emotetu/Buecsvii: A sophisticated and highly modular Trojan that has evolved into one of the most dangerous malware strains in the cyber threat landscape. Originally designed to steal financial credentials, this Trojan now serves as a multi-functional malware loader, enabling distribution of additional payloads such as ransomware, spyware, and other Trojans. Once executed, it establishes persistence on the infected system, connects to a command-and-control (C2) server, and downloads additional modules tailored to the attacker’s objectives. These modules may include data exfiltration, credential theft, or lateral movement tools to expand the infection within a network. What sets it apart is its ability to adapt and evade detection through advanced obfuscation techniques, such as polymorphic code and encrypted communication with its C2 servers.
Trojan.Sirefef/Zeroaccess: A highly stealthy Trojan that is primarily known for its ability to establish a botnet, distribute other malware, and conduct click fraud or cryptocurrency mining. It operates by exploiting vulnerabilities in systems to gain unauthorized access and establish persistence. Once installed, it often modifies the Master Boot Record (MBR) or system drivers, making it difficult to detect and remove. The Trojan uses a peer-to-peer (P2P) communication protocol, allowing infected systems to function as part of a decentralized botnet that can evade traditional command-and-control (C2) server takedowns. Once active, it performs a variety of malicious tasks, such as downloading additional payloads, redirecting web traffic for click fraud, or utilizing system resources for cryptocurrency mining, which can severely degrade system performance.
Trojan.Hesperbot/Foreign: An advanced Trojan designed to steal sensitive financial information and facilitate unauthorized access to online banking accounts. Known for its sophisticated features and stealthy behavior, it establishes persistence on the infected system, often using rootkit components to avoid detection. It is equipped with a wide array of malicious capabilities, including keylogging, screen capturing, video recording, and form grabbing, allowing attackers to collect login credentials and other sensitive data. One of its standout features is the ability to inject malicious code into legitimate banking sessions, redirecting victims to fake login pages or prompting them to download additional malware; this enables attackers to bypass multi-factor authentication (MFA) and compromise accounts even on secure platforms. Its modular design and encrypted communication with its command-and-control (C2) servers make it highly adaptable and difficult to detect.
Trojan.Mediyes/Rootkit: A stealthy and highly dangerous piece of malware designed to infiltrate systems, establish deep persistence, and enable attackers to carry out a variety of malicious activities while evading detection. Combining the capabilities of a Trojan and a rootkit, Mediyes can remain hidden within an infected system while providing attackers with backdoor access and control. Once executed, it installs itself at the kernel level, modifying system processes and critical files to mask its presence. This lets it intercept and manipulate system calls, effectively hiding files, processes, and network activity from both users and security tools. The Trojan component of Mediyes facilitates data theft, including the capture of sensitive information such as credentials and payment details. It can also inject malicious code into web traffic, redirecting victims to phishing sites or facilitating click fraud, and may serve as a downloader for additional malware payloads, amplifying its impact.
Ransomware Payloads Blocked
Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:
Trojan.lockbit/fragtor: A highly sophisticated and destructive ransomware variant associated with the LockBit ransomware group known for its rapid encryption speed and evolving techniques. Once executed, the payload disables security tools, terminates processes, and encrypts files on infected systems, appending a unique extension to the encrypted files. What sets LockBit/Fragtor apart is its advanced capabilities, including anti-analysis mechanisms such as code obfuscation, sandbox evasion, and self-destruction features. It often spreads laterally within networks by exploiting weak credentials, unprotected RDP (Remote Desktop Protocol) connections, or privilege escalation techniques. The Trojan’s modular design allows attackers to customize payloads, making it adaptable to various attack scenarios.
Trojan.phobos/zusy: A dangerous and highly adaptable ransomware associated with financial theft and observed in attack campaigns targeting a wide range of industries. Once executed, it establishes persistence on the infected system, encrypts critical files, and appends a unique extension. In addition to ransomware capabilities, some variants include information-stealing functions, such as capturing credentials, browser data, and payment details. It uses evasion techniques such as code obfuscation and sandbox detection to avoid antivirus software, and it disables system restore points, making recovery more challenging.
Ransomware.lockbit/blackmatter: A sophisticated and highly destructive ransomware strain known for its efficiency, stealth, and adaptability. It combines features from both the LockBit and BlackMatter ransomware families, making it a formidable threat. Once inside, the ransomware spreads laterally, exploiting privilege escalation and weak network segmentation to gain control of critical infrastructure, and encrypts files rapidly. A defining feature is its ability to disable security solutions, delete backups, and evade detection using advanced obfuscation techniques. It often exfiltrates data before encryption, enabling attackers to threaten victims with data leaks if ransom demands are not met, a tactic known as double extortion.
Ransomware.akira/dacic: A potent ransomware strain associated with the Akira ransomware group, which is known for its aggressive tactics and evolving techniques. The payload scans the network for critical assets, disables security tools, and encrypts files with strong encryption algorithms, appending a distinct extension to the affected files. Its advanced capabilities include data exfiltration before encryption, leaving victims exposed to data leaks even if backups are available, and its stealth features, such as process obfuscation and evasion of antivirus tools, allow it to bypass traditional security measures.
Ransomware.incransom/imps: A ransomware variant known for its stealthy infection methods and aggressive extortion tactics associated with the INC ransomware group. Once it infiltrates a system, it encrypts files using strong encryption algorithms, rendering them inaccessible. A unique feature is its ability to disable security defenses and delete shadow copies, making file recovery difficult without backups. Some versions also include double extortion tactics, where attackers exfiltrate sensitive data before encryption and threaten to publish or sell it if the ransom is not paid.
December Ransomware News
- Number of Ransomware Operations Disrupted in 2024: Nearly Zero: From coordinated takedowns to high-profile arrests, authorities managed to dismantle infrastructure, disrupt operations, and hold critical players accountable. However, the overall ransomware landscape continues to grow in both scale and impact.
- New LockBit4 Ransomware Payload May Emerge in 2025: LockBit ransomware, despite significant law enforcement actions earlier this year, is poised to return with its fourth iteration, LockBit 4.0, set to launch on February 3, 2025, according to the gang’s alleged leader, “LockBitSupp,” who announced the comeback via a dark web post.
- Cl0p Ransomware Group Embarks on Extensive Cleo Exploit Campaign: Cl0p, which claimed responsibility for the Cleo attacks in mid-December, announced on its Tor-based website that victims are being contacted with proof of data theft and offered a final chance to pay a ransom before their names are revealed.
- Ransomware and Data Exfiltration Attacks Put Energy Sector at Risk: The attack on ENGlobal Corporation, and the recent confirmation by Schneider Electric of a ransomware attack that resulted in the breach of 40 GB of sensitive data, highlight a growing national security concern about the cascading risks posed by cyberattacks on critical suppliers to the energy sector.
- US Sanctions Chinese Firm for Exploiting Firewall Vulnerability in Ragnarok Ransomware Attacks: The U.S. Treasury Department has imposed sanctions on Chinese cybersecurity firm Sichuan Silence and one of its employees, Guan Tianfeng, for their role in the April 2020 Ragnarok ransomware attacks targeting U.S. critical infrastructure and thousands of global victims.
Threat Actor Spotlight: Lynx Ransomware
According to the Power Rankings: Ransomware Malicious Quartile report, Lynx is a Ransomware-as-a-Service (RaaS) platform that surfaced in July 2024 and has rapidly gained prominence as a significant cybersecurity threat. Within a few months, it executed over 22 attacks, predominantly targeting the manufacturing and construction sectors.
Specializing in Windows environments, Lynx encrypts files and appends the .lynx extension, simultaneously deleting shadow copies to thwart recovery attempts and amplify its impact.
The group publicly claims to avoid targeting government, healthcare, and non-profit organizations; however, its operational strategy is clearly designed to cause maximum disruption. Using phishing campaigns and malicious downloads as its primary infection vectors, Lynx skillfully infiltrates and compromises networks through various entry points.
Technical Overview
Lynx ransomware is written in C++ and tailored specifically for Windows systems. It features a highly customizable payload with command-line options that enable attackers to:
- Specify files or directories for encryption,
- Terminate processes,
- Encrypt network shares, and
- Alter system settings.
Its encryption is sophisticated, employing AES-128 in CTR mode combined with the Curve25519 (curve25519-donna) elliptic-curve algorithm to secure files. To maximize disruption, Lynx terminates processes and services that might interfere with encryption.
Lynx leverages the Windows Service Control Manager and the Restart Manager API to handle files that are in use, ensuring smooth execution of its payload. The deletion of volume shadow copies further prevents data restoration, heightening the severity of the attack.
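Two of the behaviours described above, the process and service termination that Lynx (and the Backstab.killav Trojan listed earlier) performs before encryption and the deletion of volume shadow copies, are visible in ordinary process-creation telemetry well before any file is encrypted. The following Python triage script is an added example, not Halcyon's or Lynx's code; it runs over constructed sample events in a hypothetical pipe-delimited format and flags both signals, rating a parent process that does both as the strongest indicator.

```python
import re
from datetime import datetime, timedelta

# Well-known shadow-copy deletion command shapes (ATT&CK T1490, Inhibit System Recovery).
SHADOW_DELETE = [
    re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I),
    re.compile(r"wmic(\.exe)?\s+shadowcopy\s+delete", re.I),
    re.compile(r"wbadmin(\.exe)?\s+delete\s+catalog", re.I),
    re.compile(r"win32_shadowcopy.*\b(remove|delete)", re.I),
]
# Command lines that kill processes or stop services, as Lynx and Backstab.killav do.
KILL_CMD = re.compile(r"^(taskkill(\.exe)?|net(\.exe)?\s+stop|sc(\.exe)?\s+stop)\b", re.I)

# Constructed process-creation records (timestamp|pid|ppid|image|command line); not real telemetry.
SAMPLE_LOG = """\
2024-12-14T02:11:03Z|4413|3012|vssadmin.exe|vssadmin.exe delete shadows /all /quiet
2024-12-14T02:11:04Z|4414|3012|taskkill.exe|taskkill /F /IM sqlservr.exe
2024-12-14T02:11:04Z|4415|3012|taskkill.exe|taskkill /F /IM outlook.exe
2024-12-14T02:11:05Z|4416|3012|net.exe|net stop MSSQLSERVER /y
2024-12-14T02:11:05Z|4417|3012|taskkill.exe|taskkill /F /IM excel.exe
2024-12-14T02:11:06Z|4418|3012|taskkill.exe|taskkill /F /IM winword.exe
2024-12-14T02:11:09Z|4419|3012|wmic.exe|wmic shadowcopy delete
2024-12-14T02:30:00Z|5100|900|taskkill.exe|taskkill /F /IM notepad.exe
2024-12-14T02:31:00Z|5101|901|vssadmin.exe|vssadmin list shadows
"""

def parse_events(text):
    events = []
    for line in text.splitlines():
        ts, pid, ppid, image, cmd = line.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "pid": int(pid),
                       "ppid": int(ppid), "image": image, "cmd": cmd})
    return events

def find_shadow_deletion(events):
    """Return (ppid, command line) for every shadow-copy deletion attempt; listing is ignored."""
    return [(e["ppid"], e["cmd"]) for e in events if any(p.search(e["cmd"]) for p in SHADOW_DELETE)]

def find_kill_bursts(events, threshold=4, window=timedelta(seconds=10)):
    """Return {ppid: count} for parents spawning >= threshold kill/stop commands inside one window."""
    by_parent = {}
    for e in events:
        if KILL_CMD.match(e["cmd"]):
            by_parent.setdefault(e["ppid"], []).append(e["ts"])
    bursts = {}
    for ppid, times in by_parent.items():
        times.sort()
        for i, start in enumerate(times):
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= threshold:
                bursts[ppid] = max(bursts.get(ppid, 0), n)
    return bursts

def triage(text):
    """Correlate both signals; a parent doing both is the strongest pre-encryption indicator."""
    events = parse_events(text)
    shadow = find_shadow_deletion(events)
    bursts = find_kill_bursts(events)
    combined = sorted({ppid for ppid, _ in shadow} & set(bursts))
    return {"shadow_deletion": shadow, "kill_bursts": bursts, "combined_parents": combined}
```

The single taskkill from parent 900 and the read-only `vssadmin list shadows` are deliberately left unflagged, since routine administration produces both; the threshold and window should be tuned to each environment's baseline.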
Extortion Techniques
Lynx employs both single and double extortion strategies:
- Single Extortion: Encrypting files to demand a ransom for decryption keys.
- Double Extortion: Exfiltrating sensitive data and threatening to release it publicly if the ransom is not paid.
Victims unwilling to comply face exposure on Lynx’s TOR-hosted leak site, where stolen data is published, increasing pressure on organizations to pay.
Industry Targets
Although initially focusing on manufacturing and construction, Lynx ransomware has expanded its operations to a wide range of industries, including:
- Finance
- Energy
- Architecture
- Logistics
- Technology
- Professional services
The group prioritizes businesses with high-value data and critical operations, aiming to maximize financial and operational leverage.
Growth and Ransom Demands
Since its mid-2024 debut, Lynx ransomware attacks have grown steadily, with activity surging in late 2024. This growth is fueled by its RaaS model, which allows affiliates to carry out attacks using Lynx’s sophisticated tools and infrastructure.
Ransom demands have reportedly ranged from mid-five to seven figures, escalating as the group targets larger organizations and hones its double extortion tactics.
Lynx ransomware is a rapidly evolving threat that combines advanced technical capabilities with aggressive extortion strategies, making it a formidable adversary across diverse industry sectors.
Notable victims include Ascend Analytics, KidKraft Inc., Mark Thomas & Company, Arbitech LLC, Pyle Group, True Blue Environmental, TOC Logistics International, Gortemoller Engineering, Nebraskaland, Siltech Corporation, WIMCO Corp., DZS Inc and more.
Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.