Halcyon Threat Insights 013: February 2025 Ransomware Report

Research
Written by
Halcyon RISE Team
Published on
Feb 6, 2025

NOTE: Every month get the latest ransomware news and analysis from the Halcyon team - join us for the next Threat Insights webinar live Feb 11, 2025, 10:00AM PST / 1:00PM ET (or watch on-demand here): https://bit.ly/4guzyZw

Here are the key insights from the Halcyon Threat Research and Intelligence Team findings based on intelligence collected from our customer base in January 2025. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Threats Prevented by Industry Vertical

The IT, Education, and State & Local Government sectors were the most targeted industry verticals in January 2025:

  • Information & Technology: 23% (-11% mo/mo)
  • Education: 12% (-1% mo/mo)
  • State & Local Government: 10% (+1% mo/mo)
  • Professional, Scientific & Technical Services: 9% (+4% mo/mo)
  • Manufacturing: 9% (+3% mo/mo)
  • Finance & Insurance: 9% (flat mo/mo)
  • Healthcare & Pharmaceutical: 7% (+2% mo/mo)
  • Arts, Entertainment & Recreation: 7% (+3% mo/mo)
  • Retail Trade: 7% (+1% mo/mo)
  • Transportation & Warehousing: 3% (-2% mo/mo)
  • Other: 3% (-5% mo/mo)
  • Utilities: 1% (flat mo/mo)

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our clients' environments and that are often precursors to the delivery of the ransomware payload:

Ransomware Precursors: Hack Tools

Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:

HackTool.TStomp: A specialized malicious tool designed to manipulate and disrupt message queuing systems, particularly targeting ActiveMQ, RabbitMQ, and other message brokers that rely on the STOMP (Simple Text Oriented Messaging Protocol) protocol. Its primary function is to exploit vulnerabilities in these systems to perform unauthorized actions, including message interception, tampering, deletion, and denial-of-service (DoS) attacks. TStomp operates by sending crafted STOMP frames to message brokers, allowing attackers to bypass authentication mechanisms, disrupt message flows, and compromise data integrity. This tool is often used in advanced persistent threat (APT) campaigns to undermine secure communications within enterprise environments, exfiltrate sensitive data, or create persistent backdoors for further exploitation. While originally designed for security testing, it has been repurposed by malicious actors to target critical infrastructure, financial institutions, and cloud-based services that rely heavily on message queuing for real-time data processing.

HackTool.Mimikatz/HackToolX: A powerful post-exploitation tool commonly used by security professionals for legitimate testing, but it is also frequently exploited by cybercriminals for malicious purposes. Originally developed as an open-source project, Mimikatz is designed to extract plaintext passwords, hash credentials, PINs, and Kerberos tickets from system memory, enabling attackers to escalate privileges and move laterally within a network. It operates by exploiting vulnerabilities in Windows authentication protocols, such as Windows Security Account Manager (SAM) and Local Security Authority Subsystem Service (LSASS). Once executed, it can retrieve sensitive credential data, facilitating unauthorized access to critical systems, even in highly secured environments. Cybercriminals often deploy this tool during advanced persistent threat (APT) campaigns, ransomware attacks, and network breaches to harvest credentials, bypass security controls, and maintain long-term access.

Hacktool.AngryIPScan: A detection name used by cybersecurity software to flag the unauthorized or potentially malicious use of Angry IP Scanner, an open-source network scanning tool. When used with malicious intent, it becomes a powerful reconnaissance tool for cybercriminals. Attackers often deploy it to scan networks for vulnerable devices, open ports, and unprotected services. This information can be used for further attacks, including brute-force authentication attempts, vulnerability exploitation, and lateral movement within a network. Since the tool operates stealthily and does not require installation, it can evade some security defenses, making it a popular choice among threat actors.

HackTool.Kerbrute/Kerbrut: A powerful network reconnaissance and brute-force tool designed to interact with Kerberos authentication protocols commonly used in Windows Active Directory (AD) environments. Kerbrute is frequently exploited by threat actors to identify valid usernames, perform password brute-force attacks, and enumerate Active Directory accounts without triggering standard account lockout policies. Kerbrute operates by sending crafted authentication requests to the Key Distribution Center (KDC) of a domain controller. Its primary functions include user enumeration, password brute-forcing, and Kerberos pre-authentication attacks. Kerbrute’s speed, efficiency, and stealth make it a favored tool in advanced persistent threat (APT) campaigns and red team operations. Malicious actors use it to gain initial footholds, escalate privileges, and move laterally within targeted networks.
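From the defender's side, the user-enumeration behaviour described above leaves a recognisable trace on the domain controller: every AS-REQ for a non-existent principal is logged as a Windows Security event 4768 (Kerberos TGT request) with result code 0x6 (KDC_ERR_C_PRINCIPAL_UNKNOWN), and a sweep produces many of them from one source in a short window, while an ordinary mistyped username produces one. The following detector is an added example, not Halcyon's code or Kerbrute's; it assumes the 4768 records have already been exported as dicts with `time`, `event_id`, `source_ip`, `target_user` and `status` fields (a pipeline-specific assumption), and the events it runs over are constructed.

```python
"""Flag Kerberos user-enumeration bursts in Security event 4768 records.

Added example (not Halcyon's or Kerbrute's code). Assumes the log pipeline
has mapped each 4768 event to a dict with the fields used below; the field
names are an assumption, the event ID and result code are standard.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

KDC_ERR_C_PRINCIPAL_UNKNOWN = "0x6"  # "client not found in Kerberos database"


def _sample_events():
    """Constructed 4768 records (not real telemetry): one sweep of 25 bogus
    names from 10.0.5.23 in about 30 seconds, three isolated typos from
    10.0.7.9 spread over minutes, and a few normal successes."""
    base = datetime(2025, 1, 14, 9, 0, 0)
    events = []
    for i in range(25):
        events.append({"time": base + timedelta(seconds=i * 1.2), "event_id": 4768,
                       "source_ip": "10.0.5.23", "target_user": f"user{i:03d}",
                       "status": KDC_ERR_C_PRINCIPAL_UNKNOWN})
    for i, name in enumerate(["jsmiht", "mlee2", "admn"]):
        events.append({"time": base + timedelta(minutes=3 * i), "event_id": 4768,
                       "source_ip": "10.0.7.9", "target_user": name,
                       "status": KDC_ERR_C_PRINCIPAL_UNKNOWN})
    for i in range(5):
        events.append({"time": base + timedelta(seconds=i * 7), "event_id": 4768,
                       "source_ip": "10.0.5.23", "target_user": "alice",
                       "status": "0x0"})
    return events


SAMPLE_EVENTS = _sample_events()


def detect_enumeration(events, window_seconds=60, threshold=20):
    """Return {source_ip: summary} for every source that produced at least
    `threshold` unknown-principal failures inside a sliding window of
    `window_seconds`. Only 4768 events with result code 0x6 are counted, so
    ordinary wrong-password failures (0x18) and successes never contribute."""
    window = timedelta(seconds=window_seconds)
    recent = defaultdict(deque)   # source_ip -> deque of (time, target_user)
    alerts = {}
    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["event_id"] != 4768 or ev["status"] != KDC_ERR_C_PRINCIPAL_UNKNOWN:
            continue
        q = recent[ev["source_ip"]]
        q.append((ev["time"], ev["target_user"]))
        # Drop failures that have aged out of the window.
        while q and ev["time"] - q[0][0] > window:
            q.popleft()
        if len(q) >= threshold and ev["source_ip"] not in alerts:
            alerts[ev["source_ip"]] = {
                "first_seen": q[0][0],
                "failures": len(q),
                "distinct_users": len({user for _, user in q}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_enumeration(SAMPLE_EVENTS).items():
        print(f"{ip}: {info['failures']} unknown-principal failures "
              f"({info['distinct_users']} distinct names) from {info['first_seen']}")
```

Counting distinct target names alongside the raw failure count is what separates a wordlist sweep from a single misconfigured service retrying one bad account; tune `threshold` to the noise floor of the domain before wiring this into an alert.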

HackTool.AutoKMS/KMSAuto: An unauthorized activation tool designed to bypass Microsoft’s software licensing mechanisms, primarily targeting Windows operating systems and Microsoft Office products. It leverages the Key Management Service (KMS), a legitimate Microsoft technology used by enterprises to activate software in bulk. It emulates a local KMS server, tricking the system into thinking it’s connected to an official Microsoft server, thereby activating the software without a valid product key. While often used for software piracy, it poses significant security risks because it requires administrative privileges and can modify critical system files, disable security features, and create backdoors that expose systems to malware infections, including trojans, spyware, and ransomware.

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified include:

Trojan.DISKWRITER/LFBZH: A highly destructive Trojan designed to manipulate, corrupt, or overwrite critical data on infected systems. Its primary function revolves around unauthorized disk-writing operations, allowing attackers to alter system files, deploy malicious payloads, or even wipe data entirely. Once executed, it establishes a hidden foothold within the system, often embedding itself deep within the operating system to evade detection. It can modify boot records, encrypt or corrupt files, and create backdoors for persistent remote access. Its destructive capabilities make it particularly dangerous for organizations, as it can lead to data loss, system instability, and operational disruptions. It may also serve as a delivery mechanism for ransomware, spyware, or other forms of malware, amplifying its impact. Its advanced obfuscation and anti-detection techniques help it bypass traditional security measures, making early detection challenging.

Trojan.GXZM/XGGWC: A Trojan designed to infiltrate computer systems covertly, enabling unauthorized access and control over infected devices. It often disguises itself as legitimate software or embeds within seemingly harmless files, tricking users into executing it. Once activated, it establishes a stealthy connection to a remote command-and-control (C2) server, allowing cybercriminals to manipulate the compromised system without the user's knowledge. The primary functions of this Trojan include data exfiltration, system surveillance, and facilitating the download of additional malware. It can capture sensitive information such as login credentials, financial data, and personal documents. Additionally, it may disable security software, alter system settings, and create backdoors for persistent access, increasing the risk of further exploitation.

Trojan.BypassUAC: A highly evasive Trojan designed to exploit User Account Control (UAC) mechanisms in Windows operating systems. Its primary function is to elevate privileges without triggering UAC prompts, allowing it to execute malicious code with administrative rights silently. Once active, it manipulates legitimate Windows processes or exploits specific system vulnerabilities to escalate privileges. It often injects malicious code into trusted processes, disguising its activities and avoiding detection by security software. The risks include unauthorized system modifications, the disabling of security features, data exfiltration, and the installation of additional malware such as ransomware or spyware. Its stealthy nature makes early detection challenging, increasing the potential for prolonged compromise.

Trojan.DINWOD/BODEGUN: A stealthy trojan whose core capabilities include data theft, system reconnaissance, and the deployment of additional malware payloads. It can capture sensitive information such as login credentials, financial data, and personal documents, posing significant risks to both individuals and organizations. Additionally, it may disable security defenses, modify system files, and create backdoors to maintain persistent access even after security measures are applied. What makes it particularly dangerous is its use of advanced obfuscation techniques to evade detection by traditional antivirus software. It often injects malicious code into legitimate processes, masking its presence while operating in the background.

Trojan.APBCW/R002C0XCP24: A stealthy trojan with a complex architecture that allows it to evade traditional security defenses. Once activated, Trojan.APBCW/R002C0XCP24 establishes a secure connection to a remote command-and-control (C2) server, enabling attackers to remotely control the infected system. Its capabilities include data exfiltration, keystroke logging, system reconnaissance, and deploying additional malware payloads such as ransomware, spyware, or backdoors. The Trojan can also disable security software, modify system configurations, and escalate privileges to maintain persistent access. What sets APBCW/R002C0XCP24 apart is its sophisticated obfuscation techniques, including code encryption and process injection, which allow it to operate undetected for extended periods.

Ransomware Payloads Blocked

Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:

Ransomware.Dcryptor/HDDCrypt: A highly destructive ransomware variant, also known as Mamba, with a particular focus on critical infrastructure, corporate networks, and government systems. Unlike typical ransomware strains that encrypt individual files, it encrypts the entire hard drive, including the Master Boot Record (MBR), rendering the system completely inaccessible. Once executed, it uses disk-level encryption tools, such as modified versions of open-source encryption software, to lock the entire disk. A distinctive characteristic of this ransomware is its use of full-disk encryption, which prevents the operating system from booting, making data recovery significantly more challenging without the decryption key.

Ransomware.DarkSide/Encoder: A highly targeted ransomware strain known for its involvement in major cyberattacks, particularly against critical infrastructure, large enterprises, and high-value organizations. It operates under a RaaS model, a business-like operation that has made DarkSide a preferred tool among cybercriminal groups. It conducts extensive reconnaissance to identify and target critical data. It then encrypts files using strong encryption algorithms. In addition to encrypting data, it exfiltrates sensitive information and threatens to publicly release it if the ransom is not paid. This increases the pressure on victims to comply with the attackers' demands.

Ransomware.BadRabbit/DiskCoder: A highly aggressive strain of ransomware that is believed to be linked to previous ransomware campaigns such as NotPetya, sharing similar propagation techniques and encryption mechanisms. Once activated, it quickly encrypts files on the infected system using strong cryptographic algorithms. It also attempts to spread laterally within a network, targeting enterprise environments by leveraging brute-force attacks on SMB (Server Message Block) shares. Unlike some ransomware strains, it does not rely on exploit kits like EternalBlue but instead requires user interaction to initiate the infection.

Ransomware.DarkSide/Encoder: A highly targeted ransomware strain known for its role in high-profile cyberattacks against critical infrastructure and large organizations. First identified in 2020, it operates under a RaaS model, allowing affiliates to deploy the malware while its developers receive a share of the ransom payments. Once executed, it performs extensive reconnaissance to identify valuable data and high-impact systems. The ransomware encrypts files using robust encryption algorithms, appending unique file extensions.

Trojan.RansomHub/GenericFCA: Functions as a ransomware payload mechanism designed to infiltrate systems and encrypt critical data. Once executed, it establishes a covert connection to a remote command-and-control (C2) server, allowing attackers to manage the infection and deploy ransomware payloads. Its primary objective is to encrypt files on infected systems using strong encryption algorithms, rendering data inaccessible. It may also exfiltrate sensitive data before encryption, adding an extortion layer where attackers threaten to leak stolen information if the ransom is not paid. What makes it particularly dangerous is its modular design, allowing it to adapt and deliver different ransomware strains, evade detection through advanced obfuscation techniques, and disable security software to maximize impact.

January Ransomware News:

  • GhostGPT Delivers AI-Assisted Tools for Cybercriminal Operations: Researchers tested GhostGPT and found it capable of generating phishing emails, such as a convincing Docusign scam. It can also assist in malware development, helping cybercriminals bypass security measures without spending time jailbreaking mainstream AI tools like ChatGPT.

Halcyon Attacks Lookout Statistics

The Halcyon Attacks Lookout resource provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month, including details on the attackers, victims, industry verticals, geolocations impacted and more. Here’s a snapshot of attack activity in the month of January:

Threat Actor Spotlight: Cloak Ransomware

According to the Power Rankings: Ransomware Malicious Quartile report, the Cloak Ransomware-as-a-Service (RaaS) group, emerging in late 2022, has rapidly become a formidable cybersecurity threat, executing numerous attacks across diverse industries. Cloak gains network access through Initial Access Brokers (IABs) or sophisticated social engineering tactics, including phishing, malvertising, exploit kits, and drive-by downloads disguised as legitimate updates, such as Microsoft Windows installers.

Once inside a network, Cloak deploys its ransomware payload, a variant of the ARCrypter family believed to be derived from the leaked Babuk ransomware source code. Ransom notes appear as desktop wallpapers and text files named "readme_for_unlock.txt." The group deletes volume shadow copies to hinder recovery efforts, maximizing operational disruption.

Cloak exhibits advanced capabilities, including privilege escalation, process termination, and system disruption. Its payload utilizes the HC-128 encryption algorithm, with secure key generation involving CryptGenRandom and Curve25519_donna, creating robust encryption resistant to decryption efforts. The malware employs sophisticated delivery mechanisms, embedding the payload to evade detection, and targets security tools, backups, and databases to amplify damage.

Persistence mechanisms include registry modifications and user restrictions, ensuring prolonged operational downtime. Cloak uses intermittent encryption to optimize performance while maximizing data damage, particularly targeting large files. Anti-detection strategies involve executing from virtual hard disks, enabling quick detachment after malicious activities, and deploying anti-debugging techniques like enabling SeDebugPrivilege, respawning processes, and terminating security services.
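The recovery-inhibition and disruption steps described for Cloak (deleting volume shadow copies, terminating backup and security services, restricting the system) are all executed through ordinary Windows administrative commands, which makes process-creation telemetry the natural place to catch them before the encryptor finishes. The scanner below is an added example, not Halcyon's code and not derived from the Cloak payload; it matches a small set of widely documented command-line patterns (MITRE ATT&CK T1490 Inhibit System Recovery and T1489 Service Stop) against constructed process-creation log lines in a simple key=value shape standing in for Sysmon Event ID 1 or Security event 4688 records, and escalates a host when several distinct behaviours appear together, since one `sc stop` on its own is routine administration.

```python
"""Scan process-creation logs for recovery-inhibition and service-stop
command lines of the kind ransomware uses before encryption.

Added example (not Halcyon's code). The log line format is a constructed
stand-in for Sysmon/4688 records; the detection patterns cover commands
documented under ATT&CK T1490 and T1489.
"""
import re
from collections import defaultdict

# (rule name, ATT&CK technique, pattern over the command line), case-insensitive.
RULES = [
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bvssadmin(\.exe)?\b.*\bdelete\b.*\bshadows\b", re.I)),
    ("shadow_copy_deletion", "T1490",
     re.compile(r"\bwmic(\.exe)?\b.*\bshadowcopy\b.*\bdelete\b", re.I)),
    ("recovery_disabled", "T1490",
     re.compile(r"\bbcdedit(\.exe)?\b.*\brecoveryenabled\b\s+no\b", re.I)),
    ("backup_catalog_deletion", "T1490",
     re.compile(r"\bwbadmin(\.exe)?\b.*\bdelete\b.*\bcatalog\b", re.I)),
    ("service_stop", "T1489",
     re.compile(r"\b(net1?|sc)(\.exe)?\b\s+stop\b", re.I)),
]

# Constructed process-creation log lines (not real telemetry).
SAMPLE_LOG = r"""
2025-01-14T09:12:01 host=FS01 user=CORP\svc_backup pid=4120 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin.exe Delete Shadows /All /Quiet"
2025-01-14T09:12:02 host=FS01 user=CORP\svc_backup pid=4131 image=C:\Windows\System32\wbem\WMIC.exe cmd="wmic shadowcopy delete"
2025-01-14T09:12:03 host=FS01 user=CORP\svc_backup pid=4140 image=C:\Windows\System32\bcdedit.exe cmd="bcdedit /set {default} recoveryenabled No"
2025-01-14T09:12:05 host=FS01 user=CORP\svc_backup pid=4152 image=C:\Windows\System32\net.exe cmd="net stop VSS /y"
2025-01-14T10:30:44 host=WS07 user=CORP\jdoe pid=7788 image=C:\Windows\System32\vssadmin.exe cmd="vssadmin list shadows"
2025-01-14T10:31:10 host=WS07 user=SYSTEM pid=912 image=C:\Windows\System32\svchost.exe cmd="svchost.exe -k netsvcs"
2025-01-14T11:02:19 host=WS07 user=CORP\helpdesk pid=8012 image=C:\Windows\System32\sc.exe cmd="sc stop Spooler"
"""

LINE_RE = re.compile(
    r'^(?P<time>\S+) host=(?P<host>\S+) user=(?P<user>\S+) pid=\d+ '
    r'image=\S+ cmd="(?P<cmd>.*)"$'
)


def parse_lines(text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in text.strip().splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def scan_log(text):
    """Return a finding (record + rule + technique) for each process-creation
    event whose command line matches a rule; at most one finding per event."""
    findings = []
    for rec in parse_lines(text):
        for name, technique, pattern in RULES:
            if pattern.search(rec["cmd"]):
                findings.append({**rec, "rule": name, "technique": technique})
                break
    return findings


def summarize(findings):
    """Group findings by host. A host showing two or more distinct behaviours
    is rated high: that combination is what precedes encryption, while a
    lone service stop is usually administration."""
    by_host = defaultdict(set)
    for f in findings:
        by_host[f["host"]].add(f["rule"])
    return {
        host: {"rules": sorted(rules),
               "severity": "high" if len(rules) >= 2 else "low"}
        for host, rules in by_host.items()
    }


if __name__ == "__main__":
    for host, info in summarize(scan_log(SAMPLE_LOG)).items():
        print(f"{host}: {info['severity']} - {', '.join(info['rules'])}")
```

Note that `vssadmin list shadows` is deliberately not matched: the patterns key on the destructive verb, not on the binary, so that backup administrators auditing their shadow copies do not generate noise. Shadow copy deletion by a domain account on a file server within seconds of a `bcdedit ... recoveryenabled No` is the sequence worth paging on.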

Notably, Cloak shares a data leak platform with the Good Day ransomware operation, suggesting potential collaboration or operational overlap. This connection highlights Cloak's adaptability and expanding influence in the cyber threat landscape. Cloak's combination of sophisticated encryption, advanced evasion techniques, and aggressive system disruption cements its reputation as a highly effective and evolving ransomware threat, capable of evading detection, crippling critical systems, and exerting maximum pressure on its victims.

Cloak has been observed recruiting affiliates on underground forums, offering an above-average 85/15 profit-sharing split to entice participants, with no upfront payment required to access its platform. Victims who refuse to pay face further consequences, as Cloak publishes their stolen data on its leak site for double extortion.

Cloak ransomware attack volume has steadily increased since its emergence in late 2022, with a significant rise in activity driven by its adoption of RaaS and its focus on leveraging advanced tactics to maximize impact and operational disruption. Cloak primarily targets small to medium-sized businesses in Europe, with Germany as a key focus. The group has extended its operations to countries in Asia and targets various sectors, including healthcare, real estate, construction, IT, food, and manufacturing.

Cloak ransomware’s ransom demands have escalated over time, initially targeting smaller organizations with mid-five-figure amounts and evolving to high-six or seven-figure sums as the group expanded its operations and targeted larger, more lucrative victims. The group boasts an exceptionally high payment rate of 91-96%, highlighting its effectiveness in coercing victims.

Notable victims include the Center for Orthopedics and Neurosurgery, Global Results Communications, Westermans International, St. James Place Retirement Community, Urologisches Kompetenzzentrum Hochfranken, Autohaus Ruland Viersen, Longview Bridge and Road, Ltd., and Dunlop Aircraft Tyres.

Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.
