Halcyon Threat Insights 014: March 2025 Ransomware Report

Research
Written by
Halcyon RISE Team
Published on
Mar 14, 2025

NOTE: Every month get the latest ransomware news and analysis from the Halcyon RISE Team (Research, Intelligence, Services, Engineering) - join us for the next Threat Insights webinar (or watch on-demand here): https://bit.ly/4imK9HG

Here are the key insights from the Halcyon Threat Research and Intelligence Team findings based on intelligence collected from our customer base in February 2025. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:

Threats Prevented by Industry Vertical

The Manufacturing, Retail and Hospitality sectors were the most targeted industry verticals in February 2025:

  • Manufacturing: 13%
  • Retail: 10%
  • Hospitality: 9%
  • Insurance: 9%
  • Government: 8%
  • Business Services: 7%
  • Healthcare Services: 7%
  • Hospitals & Physicians Clinics: 6%
  • Education: 6%
  • Finance: 5%
  • Other: 4%
  • Holding Companies & Conglomerates: 3%
  • Energy, Utilities & Waste: 3%
  • Software: 3%
  • Law Firms & Legal Services: 1%
  • Organizations: 1%
  • Transportation: 1%
  • Consumer Services: 1%
  • Media & Internet: 1%
  • Construction: 0.5%
  • Unconfirmed Industry: 0.5%
  • Real Estate: 0.4%
  • Telecommunications: 0.3%
  • Agriculture: 0.3%

Threat Types by Category

Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our clients' environments. These threats are often precursors to the delivery of the ransomware payload:

Ransomware Precursors: Hack Tools

Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:

Hacktool.Mimikatz/HacktoolX (VT Score: 65): Commonly referred to as Mimikatz, this is an open-source cybersecurity tool designed to interact with Windows security components. Initially developed for educational purposes, it has since been adopted by both security professionals and malicious actors. Its primary functionality includes extracting plaintext passwords from memory, performing pass-the-hash attacks, injecting code into remote processes, and generating Kerberos "golden tickets," which grant unauthorized access within a network. Its capability to operate without writing files to disk makes it particularly stealthy, often evading traditional antivirus detection mechanisms.

Hacktool.MSIL/JuicyPotato (VT Score: 61): Commonly known as JuicyPotato, this sophisticated privilege escalation tool targets Windows operating systems. It is an evolved version of the RottenPotatoNG exploit, designed to leverage the SeImpersonatePrivilege and SeAssignPrimaryTokenPrivilege rights assigned to certain Windows service accounts. By exploiting these privileges, it can impersonate higher-privileged tokens, allowing attackers to execute processes with SYSTEM-level permissions. It operates by abusing the Windows Component Object Model (COM) server and Background Intelligent Transfer Service (BITS). Attackers specify a COM server's Class Identifier (CLSID) and a program to launch. It then manipulates the COM server to run the specified program with elevated privileges.

Hacktool.MSIL/Fochi (VT Score: 59): A detection name used by cybersecurity solutions to identify a specific category of hacking tools developed using Microsoft's Intermediate Language (MSIL) for the .NET framework. These tools are typically designed to bypass software licensing mechanisms, enabling unauthorized activation of Microsoft products such as Windows and Office suites. Related tools like HackTool.MSIL/Gendows and HackTool.MSIL.KMSAuto are known to facilitate the activation of unregistered Microsoft software products.

Hacktool.Chisel/RedCap (VT Score: 53): Commonly referred to as "Chisel," this is a fast TCP/UDP tunnel that is often employed as a penetration testing tool. It functions as a reverse proxy, facilitating secure data transfer between networks by tunneling traffic through an encrypted channel. While Chisel is designed for legitimate purposes, such as securely connecting networks and aiding in network diagnostics, it has also been misused by malicious actors to establish unauthorized access to compromised systems. A variant dubbed "Infamous Chisel" is associated with the notorious Sandworm threat group. It specifically targets Android devices, enabling persistent access and data exfiltration over the Tor network. Infamous Chisel components were designed to scan files and network information periodically, exfiltrating system and application configuration files from infected devices. It also provides network backdoor access via Secure Shell (SSH) and facilitates additional capabilities like network monitoring, traffic collection, and network scanning.

Hacktool.Strictor/RDPWrap (VT Score: 53): Commonly known as RDP Wrapper Library, it is an open-source project designed to extend the functionality of Microsoft's Remote Desktop Protocol (RDP) on Windows operating systems. By acting as a layer between the Service Control Manager and Terminal Services, RDPWrap enables features such as concurrent RDP sessions and Remote Desktop Host support on systems where these capabilities are typically restricted, especially in non-server editions of Windows. The ability to enable multiple remote desktop connections without notifying the logged-in user can be exploited for unauthorized access, making systems vulnerable to potential breaches.

Ransomware Precursors: Trojans

Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified include:

Trojan.ClipBanker/Zusy (VT Score: 61): Also known as Tinba (Tiny Banker), it is a sophisticated banking trojan that primarily targets Windows platforms. It is designed to steal sensitive financial information by intercepting and manipulating data during online banking sessions. Once installed, it operates by monitoring the user's browsing activity. When the user visits specific banking websites, the malware injects malicious code into the web pages, creating fake forms that prompt the user to enter personal and financial information. This data is then transmitted to the attacker's server. The malware may also manipulate clipboard contents, especially targeting cryptocurrency wallet addresses, replacing them with addresses controlled by the attacker to misdirect funds.

Trojan.ModiLoader/Zusy (VT Score: 58): A sophisticated malware variant that combines the functionalities of ModiLoader (also known as DBatLoader) and Zusy (also referred to as Tinba or Tiny Banker). This amalgamation poses significant threats to infected systems by facilitating the download and execution of additional malicious payloads and by stealing sensitive financial information. It is primarily utilized as a downloader trojan, designed to fetch and execute other malware components onto compromised systems. Recent campaigns have observed ModiLoader targeting small and medium-sized businesses (SMBs). The combination of ModiLoader and Zusy creates a potent threat landscape, as systems compromised by ModiLoader can be further exploited by Zusy to conduct financial fraud and data theft.

Trojan.Xtreme/XTrat (VT Score: 70): Also known as Xtreme Remote Access Trojan, this malware enables unauthorized remote control over infected Windows systems. First identified in 2010, it has been utilized in various cyber-attacks, notably targeting governmental entities such as the Israeli and Syrian governments in 2012. The malware provides attackers with extensive capabilities, including file management (uploading, downloading, and executing files), registry modifications, execution of shell commands, system control functions like shutdown or logoff, screen capturing, and keylogging to record keystrokes. Upon execution, it injects itself into legitimate processes such as IEXPLORE.exe and svchost.exe to evade detection and modifies system registries to ensure persistence across reboots. The malware communicates with remote servers to receive commands and exfiltrate data, posing significant risks to compromised systems.

Trojan.MSIL/DCRat (VT Score: 61): Also known as Dark Crystal RAT (DCRat), it is a sophisticated Remote Access Trojan (RAT) written in the Microsoft Intermediate Language (MSIL) for the .NET framework. DCRat is notable for its modular architecture and is often distributed as malware-as-a-service (MaaS) on underground forums. Capabilities include keystroke logging, capturing screenshots, accessing webcams, stealing passwords, and downloading or executing additional payloads. Its modular design allows cybercriminals to customize its functionality by adding or removing plugins, tailoring the malware to specific objectives.

Trojan.Play/AgentB (VT Score: 60): Commonly referred to as Agent.B, it is a malicious software variant classified under the broader "Agent" family of trojans. This malware is designed to perform unauthorized actions on infected Windows systems, compromising user security and privacy. Agent.B manipulates legitimate Windows applications including Calculator, Notepad, and Paint to execute malicious tasks. It can redirect web traffic to predetermined websites, some of which may contain adult content or other malicious material. The trojan also has the capability to connect to remote servers to download and install additional unwanted or harmful software, further compromising the system's integrity.

Ransomware Payloads Blocked

Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:

Trojan.Locky/Crowti (VT Score: 70): Commonly known as Locky, it is a ransomware strain that encrypts a wide array of file types on the infected machine, rendering them inaccessible to the user. It employs robust encryption algorithms, such as RSA-2048 combined with AES-128, making unauthorized decryption practically unfeasible. Its impact is exacerbated by its ability to encrypt files on unmapped network shares, extending its reach within organizational networks. Additionally, it can function offline, meaning it does not require communication with a command-and-control server to encrypt files, thereby increasing its potency.

Ransomware.LockBit/LockBit2 (VT Score: 70): Released in 2021, LockBit 2.0 boasts enhanced encryption speed and efficiency; it introduced automated processes to accelerate attacks and incorporated new features to evade security measures. Notably, it expanded its targets to include Linux systems, particularly VMware ESXi servers, demonstrating increased versatility. LockBit has been linked to numerous high-profile cyberattacks across various sectors globally, including critical infrastructure, healthcare, and financial services. The group's operations have led to significant financial losses and operational disruptions for affected organizations.

Trojan.Ludbaruma/Blocker (VT Score: 70): A malicious software variant that combines the characteristics of the Ludbaruma worm and the Blocker ransomware. This hybrid threat is designed to propagate across systems while encrypting user data to extort ransom payments. It operates as a worm, enabling the malware to self-replicate and spread across networks without user intervention. It often infiltrates systems through malicious email attachments, compromised websites, or by exploiting vulnerabilities in network protocols. Once inside a system, it can disable essential security features, such as Task Manager, Registry Editor, and Folder Options, hindering users' ability to detect and remove the threat.

Trojan.Avaddon/Rack (VT Score: 68): A malicious software strain that emerged in mid-2020, operating under the Ransomware-as-a-Service (RaaS) model. Once a user interacts with these elements, the ransomware is executed, encrypting a wide array of file types on the infected system. The ransomware is designed to evade detection by disabling security features and terminating processes associated with antivirus software. It also deletes shadow copies of files to prevent victims from restoring their data without paying the ransom. To pressure victims into paying the ransom, Avaddon employs a double extortion tactic. This involves exfiltrating sensitive data before encryption and threatening to publish it publicly if the ransom is not paid. This strategy increases the stakes for victims, as data breaches can lead to reputational damage and legal consequences.

Ransomware.Phobos/Crysis (VT Score: 67): Phobos and Crysis (also known as Dharma) are two significant ransomware families that have posed substantial threats to organizations worldwide. Phobos operates under a Ransomware-as-a-Service (RaaS) model, enabling cybercriminals with varying skill levels to launch ransomware attacks. The primary infection vector for Phobos is through unsecured Remote Desktop Protocol (RDP) connections, where attackers exploit weak or compromised credentials to gain unauthorized access to systems. Crysis, later rebranded as Dharma, has been a persistent ransomware threat over the years. Similar to Phobos, it commonly spreads through compromised RDP services and phishing emails containing malicious attachments disguised as legitimate software installers. Despite efforts to curb its spread, Dharma continues to evolve, with new variants like "Zilla" emerging, indicating the adaptability and resilience of this ransomware family.

February Ransomware News

  • Medusa Ransomware Targets Critical Infrastructure: Medusa continued its assault on critical infrastructure sectors, impacting over 300 victims as of February 2025. Targets included medical, education, legal, insurance, technology, and manufacturing industries.

Halcyon Attacks Lookout Statistics

The Halcyon Attacks Lookout resource provides timely news and analysis on the ransomware economy and tracks hundreds of ransomware attacks every month, including details on the attackers, victims, industry verticals, geolocations impacted and more. Here’s a snapshot of attack activity in the month of February:

Threat Actor Spotlight: Sarcoma

According to the Power Rankings: Ransomware Malicious Quartile report, Sarcoma ransomware emerged in October 2024, and has garnered notoriety for its relentless tactics, high-profile data breaches, and adept exploitation of vulnerabilities.  

Sarcoma primarily employs phishing campaigns and vulnerability exploitation to infiltrate networks, posing an escalating threat. Their operations often target supply chains, deploying advanced encryption methods that render data recovery nearly impossible without complying with their ransom demands.  

Focusing on Windows operating systems, Sarcoma exploits platform-specific vulnerabilities and utilizes tools such as the Windows Service Control Manager, PowerShell, and Windows APIs to execute attacks with precision and maximize impact.  

As a notable instance of their sophistication, Sarcoma exploited a zero-day vulnerability and used Remote Monitoring and Management (RMM) tools for extensive network discovery, identifying and exploiting additional vulnerabilities to deepen infiltration. Unlike brute force attacks, Sarcoma employs a diverse and stealthy arsenal of tactics, techniques, and procedures (TTPs) to compromise systems effectively.  

To maintain persistence, Sarcoma modifies Windows Registry keys to ensure the ransomware payload remains active after system reboots and creates scheduled tasks to execute the malicious software periodically. They enhance their attacks by using tools like Mimikatz to dump credentials or exploiting vulnerable accounts to gain administrative access.  

Their payloads are encrypted to evade detection by antivirus solutions, and they terminate security-related processes, including endpoint protection services. Sarcoma ensures its encryption is nearly unbreakable by combining AES-256 for file encryption with RSA for secure key exchange.  

Additionally, they delete volume shadow copies (VSS) to eliminate recovery options and use encrypted communication channels to securely connect with their command-and-control (C2) servers, maintaining operational security throughout their attacks.  
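As an added defender-side example (not from the report or from Halcyon's product), the Python below turns the persistence, defense-evasion and recovery-inhibition behaviours described above (Run key modification, scheduled task creation, security process termination, shadow copy deletion) into simple command-line detection rules and runs them over constructed process-creation events; the one-line log format, the account names and the endpoint-protection process names are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample process-creation events (not from the report). Assumed
# one-line format: <timestamp> user=<user> image=<path> cmdline="<command line>"
SAMPLE_EVENTS = [
    '2025-02-12T03:14:07Z user=SVC-BACKUP image=C:\\Windows\\System32\\vssadmin.exe '
    'cmdline="vssadmin delete shadows /all /quiet"',
    '2025-02-12T03:14:09Z user=SVC-BACKUP image=C:\\Windows\\System32\\schtasks.exe '
    'cmdline="schtasks /create /sc minute /mo 30 /tn Updater /tr C:\\Users\\Public\\svc.exe"',
    '2025-02-12T03:14:11Z user=SVC-BACKUP image=C:\\Windows\\System32\\reg.exe '
    'cmdline="reg add HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /v svc /d C:\\Users\\Public\\svc.exe"',
    '2025-02-12T03:14:13Z user=SVC-BACKUP image=C:\\Windows\\System32\\taskkill.exe '
    'cmdline="taskkill /f /im MsMpEng.exe"',
    '2025-02-12T09:00:00Z user=jdoe image=C:\\Windows\\System32\\notepad.exe '
    'cmdline="notepad.exe report.txt"',
]

EVENT_RE = re.compile(
    r'^(?P<ts>\S+)\s+user=(?P<user>\S+)\s+image=(?P<image>\S+)\s+cmdline="(?P<cmdline>.*)"$'
)

# Command-line patterns for the TTPs the report attributes to Sarcoma.
PRECURSOR_RULES = {
    "shadow_copy_deletion": re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I),
    "scheduled_task_persistence": re.compile(r"schtasks(?:\.exe)?\s+/create\b", re.I),
    "run_key_persistence": re.compile(r"\\CurrentVersion\\Run(?:Once)?\b", re.I),
    # Process names below are illustrative examples of endpoint-protection services.
    "security_process_termination": re.compile(
        r"taskkill(?:\.exe)?\s.*?\b(?:MsMpEng|SenseIR|MsSense)\.exe", re.I),
}

def parse_event(line):
    """Return the event fields as a dict, or None if the line is not well formed."""
    m = EVENT_RE.match(line)
    return m.groupdict() if m else None

def detect_precursors(lines):
    """Match every parsed event's command line against the precursor rules."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        for rule, pattern in PRECURSOR_RULES.items():
            if pattern.search(ev["cmdline"]):
                hits.append({"ts": ev["ts"], "user": ev["user"], "rule": rule})
    return hits

def flag_users(hits, min_distinct_rules=3):
    """Accounts that trigger several distinct rules look like a chained intrusion, not noise."""
    rules_by_user = defaultdict(set)
    for h in hits:
        rules_by_user[h["user"]].add(h["rule"])
    return sorted(u for u, r in rules_by_user.items() if len(r) >= min_distinct_rules)

if __name__ == "__main__":
    found = detect_precursors(SAMPLE_EVENTS)
    for h in found:
        print(f'{h["ts"]} {h["user"]} -> {h["rule"]}')
    print("accounts showing a chained precursor sequence:", flag_users(found))
```

Single hits (one scheduled task, one Run key) are common in normal administration; the chaining in flag_users is what makes the alert worth paging on.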

Since its emergence, Sarcoma's attack volume has steadily increased, with a sharp rise in targeted campaigns across diverse industries, leveraging advanced TTPs to maximize disruption and extortion success. Their ransom demands have escalated over time, starting in the mid-five-figure range and growing to high-six or seven figures as the group targets larger organizations and adopts a double extortion model.  

Sarcoma has targeted various sectors worldwide, including healthcare, manufacturing, and finance. While their operations have primarily targeted companies in Australia, New Zealand, and Japan, they have begun expanding to other regions.


Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.
