Halcyon Threat Insights 015: April 2025 Ransomware Report


NOTE: Every month get the latest ransomware news and analysis from the Halcyon RISE Team (Research, Intelligence, Services, Engineering) - join us for the next Threat Insights webinar (or watch on-demand here): https://lnkd.in/gthcVJxZ
Here are the key insights from the Halcyon Threat Research and Intelligence Team findings based on intelligence collected from our customer base in March 2025. The evolving ransomware landscape continues to reveal intriguing trends when analyzed comprehensively:
Threats Prevented by Industry Vertical
The Manufacturing, Financial and Business Services sectors were the most targeted industry verticals in March 2025:

Threat Types by Category
Halcyon detected and blocked a wide variety of threats that were missed by other security layers in our clients’ environments and that are often precursors to the delivery of the ransomware payload:

Ransomware Precursors: Hack Tools
Halcyon detected a variety of hack tools being used in customer environments. While these tools may have been developed for legitimate uses, they are often abused in ransomware operations and may be indicators of compromise. Some of the hack tools detected include:
Hacktool.mimikatz/hacktoolx (VT Score 67): A well-known post-exploitation tool used to extract plaintext passwords, hashes, PINs, and Kerberos tickets from memory in Windows systems. Originally developed for legitimate security research and penetration testing, it has since been widely adopted by threat actors for credential dumping and lateral movement within compromised networks. Mimikatz exploits weaknesses in the Windows authentication architecture, particularly the LSASS process, to gain unauthorized access to privileged credentials.
Hacktool.remoteexec/remcom (VT Score 63): Enables remote execution of processes across networks, typically without requiring a GUI, which makes it useful for both system administration and post-exploitation in cyberattacks. It is a lightweight, open-source utility similar in function to PsExec, allowing users to run commands on remote computers as if they were executed locally. It works by installing a service on the target system to facilitate command execution, often using administrative privileges. It helps threat actors move laterally across networks, deploy malware, exfiltrate data, or maintain persistence. Its low footprint and ability to bypass certain detection mechanisms make it attractive to attackers, including ransomware groups and advanced persistent threat (APT) actors.
Hacktool.sharphound/msil (VT Score 58): A powerful post-exploitation tool used primarily for Active Directory (AD) reconnaissance. It is the data collection component of the BloodHound framework, which visualizes AD relationships to identify privilege escalation and lateral movement paths. It gathers detailed information on group memberships, session data, trust relationships, and ACLs (Access Control Lists) across a Windows domain environment. The MSIL (Microsoft Intermediate Language) designation refers to the .NET-based implementation of SharpHound, indicating the binary is compiled from a high-level language like C# into an intermediate form used by the .NET runtime. This makes it easy to customize and difficult to detect using traditional signature-based security tools.
Trojan.venom/htool (VT Score 50): A malicious payload typically used in targeted cyberattacks to enable remote access, data exfiltration, or system compromise. Variants may include features such as keylogging, screen capture, command execution, file transfers, and credential harvesting. The malware not only functions as a backdoor but also includes embedded hacking utilities that assist attackers during post-exploitation phases. It is often deployed in sophisticated attacks by advanced persistent threat (APT) groups, red teams, or ransomware operators.
Hacktool.ammyy/ammyyadmin (VT Score 47): A legitimate remote desktop software tool designed to allow users to control computers over the internet for technical support, administration, or collaboration. However, due to its lightweight nature, ease of use, and lack of installation requirements, it is frequently misused by cybercriminals. It enables full remote access to a system, allowing attackers to navigate the file system, execute programs, install additional malware, or exfiltrate data—all without raising immediate suspicion. Because it’s a trusted and signed application, many security solutions may not flag it as inherently malicious, which makes it attractive for stealthy operations.
Ransomware Precursors: Trojans
Halcyon detected an array of Trojans that may be precursors to ransomware payloads. Detecting and blocking trojans can prevent attackers from escalating privileges, moving laterally through the network, compromising user credentials, exfiltrating sensitive data and more. Some of the trojans identified include:
Trojan.lotusblossom/agentwdcr (VT Score 63): A backdoor trojan associated with the Lotus Blossom (also known as Spring Dragon or APT41) threat group, a cyber-espionage actor believed to operate in alignment with Chinese state interests. This trojan is primarily used in targeted attacks against government agencies, defense contractors, educational institutions, and technology organizations across the Asia-Pacific region. It enables attackers to execute remote commands, exfiltrate data, download additional payloads, and maintain long-term access to compromised networks. It establishes communication with a command-and-control (C2) server, allowing attackers to stealthily manage and expand their presence within the network. The malware often uses obfuscation, encryption, and legitimate Windows tools to evade detection and remain persistent.
Trojan.elsentric/razy (VT Score 60): A malicious software variant primarily designed for information theft, browser manipulation, and cryptocurrency-related fraud, which is notable for its persistence mechanisms and stealth. It is often delivered via malicious email attachments, cracked software, or rogue advertising scripts, and once executed, it targets web browsers to inject fake content, redirect users, and steal sensitive data. It specializes in modifying browser settings and injecting malicious scripts into web pages viewed by the victim. Its primary focus is on cryptocurrency theft, including stealing wallet credentials, replacing cryptocurrency addresses in clipboard memory, and displaying fake login pages for online exchanges. It can also modify search results, insert rogue advertisements, and even alter financial transaction data displayed to the user.
Trojan.lummastealer/lumma (VT Score 60): A highly active and evolving information-stealing malware designed to harvest sensitive data from infected systems, distributed as part of the malware-as-a-service (MaaS) ecosystem. It is widely used by cybercriminals to steal login credentials, browser-stored passwords, cookies, cryptocurrency wallets, autofill data, and system information. It is typically delivered through phishing emails, malicious attachments, cracked software, or exploit kits. It is known for its stealth, speed, and adaptability. Once executed, it quickly collects targeted information, packages it into encrypted archives, and exfiltrates the data to attacker-controlled command-and-control (C2) servers. The malware supports anti-analysis techniques, including obfuscation and virtualization checks, to avoid detection and analysis by security tools and researchers.
Trojan.hematite/upatre (VT Score 58): A small but dangerous malware downloader that was widely used in cybercrime campaigns, particularly between 2013 and 2016. Though lightweight and seemingly simple, it played a key role in delivering a range of high-impact malware, including banking trojans like Dyre, Zeus, and Dridex, as well as ransomware and other information stealers. Once executed on a victim’s system, it establishes a connection to a remote command-and-control (C2) server and downloads additional payloads tailored to the attacker’s goals. It often uses encrypted communication to evade network-based detection and includes anti-analysis features to hinder reverse engineering. Although it is not a data stealer or extortion tool, its real danger lies in what it delivers. Its small footprint and effective delivery mechanisms made it a favorite among cybercriminals for distributing large-scale malware campaigns.
Trojan.killav/blindedr (VT Score 53): A malicious program designed to disable or bypass security software on an infected system. Its primary function is to terminate antivirus processes, firewalls, endpoint protection agents, and monitoring tools to create a clear path for additional malware deployment. This allows attackers to maintain persistence, execute further payloads, or exfiltrate data without being detected or blocked. Once activated, it scans for known antivirus and security-related processes and forcibly shuts them down using API calls or process injection techniques. Some variants may also alter system registry settings, disable Windows Defender, or tamper with update mechanisms to prevent future detection. It is commonly used in conjunction with ransomware, stealers, or remote access trojans (RATs), acting as a preparatory step to ensure a successful attack. Its use is a hallmark of more sophisticated or targeted operations, where stealth and evasion are critical.
Ransomware Payloads Blocked
Halcyon also detected and blocked several families of ransomware that could have significantly disrupted the targeted organizations and their operations. Keep in mind that the ransomware payload is the tail end of an attack, which is why Halcyon also detects and blocks the precursors to ransomware as detailed above. Some of the ransomware payloads detected include:
Trojan.maze/lethic (VT Score 63): Maze ransomware encrypts files using strong encryption algorithms and appends custom extensions. Maze operators ran a public leak site to expose non-paying victims, setting a trend adopted by many ransomware gangs that followed. Lethic, on the other hand, is an older spam botnet trojan that was once used to send large volumes of malicious spam, often distributing other malware like Maze. It establishes backdoor access and can download additional payloads, making it an effective loader in multi-stage attacks. When detected together as Trojan.Maze/Lethic, it signals both an active ransomware campaign and potential initial access via spam-based infection vectors, requiring urgent containment and full incident response.
Trojan.coroxy/play (VT Score 62): A malicious tool used during the pre-encryption phase of ransomware attacks to facilitate system compromise, network traversal, and deployment of the Play ransomware payload. The term "Coroxy" refers to a loader or malware dropper that masquerades as legitimate system processes while delivering and executing second-stage payloads, including ransomware, information stealers, or remote access trojans (RATs). Coroxy is notable for its stealth, often running in memory, using obfuscation, and disguising itself with fake Microsoft-signed process names like "Cortana.exe." It can disable antivirus tools, create scheduled tasks, and execute commands that prepare the system for ransomware deployment.
Ransomware.incransom/imps (VT Score 61): A relatively recent ransomware strain that has emerged as part of the growing trend of targeted, double-extortion attacks. Once inside a network, it conducts reconnaissance to identify valuable data and critical systems. It often uses living-off-the-land techniques to avoid detection—leveraging legitimate Windows tools for privilege escalation, lateral movement, and data exfiltration. When ready, it executes the IMPS (IncRansom Malware Payload System) encryption module, which locks files using strong cryptographic algorithms and appends a custom extension. The IMPS component is known for its speed and ability to encrypt files across both local and network drives, often after disabling security tools and backup services. Some variants also include unique victim IDs and TOR-based communication for ransom negotiation.
Ransomware.rhysida/encoder (VT Score 60): The Encoder component of Rhysida is responsible for encrypting victim files using robust cryptographic algorithms, appending a “.rhysida” extension, and leaving behind ransom notes demanding cryptocurrency payments. The ransom message often includes a unique victim ID and a TOR link for negotiation. Rhysida actors gain initial access through phishing emails, compromised credentials, or unpatched vulnerabilities, and often leverage legitimate IT tools like RDP, PowerShell, or Cobalt Strike to evade detection. They are known to disable security tools, destroy backups, and exfiltrate large volumes of data before encryption begins.
Trojan.bianlian/filecryptor (VT Score 59): A dual-purpose malware variant that combines characteristics of both a mobile banking trojan and a ransomware payload, depending on the attack scenario. Originally identified as a mobile-focused banking trojan targeting Android devices, BianLian evolved into a broader threat ecosystem, including desktop ransomware operations that utilize custom file encryption (FileCryptor) techniques to extort victims. The FileCryptor component is often customized per campaign and may include obfuscation, anti-analysis features, and tailored encryption routines to bypass detection. Unlike more traditional ransomware, BianLian operations often include manual post-exploitation activities, such as data exfiltration and lateral movement within enterprise networks.
March Ransomware News
- Medusa Ransomware Leverages Signed Malicious Driver to Bypass EPP/EDR: Researchers have observed that the Medusa ransomware-as-a-service (RaaS) operation employs a malicious driver, dubbed ABYSSWORKER, to disable anti-malware tools through a bring your own vulnerable driver (BYOVD) attack.
- RansomHub’s EDR-Killer Shows Up in Medusa, BianLian and Play Attacks: A recent analysis has uncovered that affiliates of the RansomHub ransomware group are employing a custom tool, EDRKillShifter, to disable Endpoint Detection and Response (EDR) software on compromised systems.
- Threat Actor RedCurl Develops Ransomware to Encrypt Hyper-V Servers: RedCurl, a threat actor active since 2018 and known for stealthy corporate espionage, has begun deploying ransomware in addition to its traditional data exfiltration methods.
- Cross-Platform VanHelsing Ransomware Targets Windows, Linux and VMware ESXi: Researchers have identified a new ransomware-as-a-service (RaaS) group called VanHelsing, which launched on March 7 and has already targeted three organizations, demanding $500,000 from each.
- CISA, FBI and MS-ISAC Alert on Medusa Ransomware: The Cybersecurity and Infrastructure Security Agency (CISA), in collaboration with the FBI and MS-ISAC, has issued a #StopRansomware advisory warning about the growing threat of Medusa ransomware.
Threat Actor Spotlight: Ghost
Ghost ransomware, known as GhostLocker, was first introduced in October 2023 by GhostSec, a hacktivist group originally linked to Anonymous. Its release marked a significant shift in GhostSec’s operations—from ideologically motivated attacks to financially driven cybercrime.
The initial version of GhostLocker was developed in Python and packaged with tools such as PyInstaller and Nuitka. Early variants functioned by dropping files and spawning child processes to perform encryption.
In January 2024, GhostSec released GhostLocker 2.0, re-engineered in Golang to improve evasion techniques and expand cross-platform support for Windows, Linux, and VMware. The ransomware uses the Fernet symmetric encryption algorithm, built on AES-128 in CBC mode with PKCS7 padding.
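Fernet's fixed token layout (version byte, creation timestamp, IV, AES-CBC ciphertext, HMAC-SHA256 tag) gives responders a key-free triage test for recovered files and recovers the time each token was produced, i.e. when that file was encrypted. The following Python is an added example, not GhostLocker or Halcyon code; it assumes the ransomware stores the standard base64url Fernet token verbatim, which the report does not state, and the key and token below are constructed placeholders.

```python
import base64
import hashlib
import hmac
import struct
from datetime import datetime, timezone
from typing import Optional

# Fernet token layout (Fernet spec): version 0x80 | 64-bit big-endian timestamp |
# 16-byte AES-CBC IV | ciphertext (whole 16-byte blocks, PKCS7-padded) | HMAC-SHA256 tag.
# The 32-byte Fernet key splits into a 16-byte signing key (first half) and a
# 16-byte AES-128 key (second half).
FERNET_VERSION = 0x80
HEADER_LEN = 1 + 8 + 16
TAG_LEN = 32

def parse_fernet_token(token: bytes) -> Optional[dict]:
    """Return the framing fields of a structurally valid Fernet token, or None.
    Needs no key, so it works as a triage check on recovered files."""
    try:
        raw = base64.urlsafe_b64decode(token)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(raw) <= HEADER_LEN + TAG_LEN or raw[0] != FERNET_VERSION:
        return None
    ciphertext = raw[HEADER_LEN:-TAG_LEN]
    if len(ciphertext) % 16:  # CBC output is always whole blocks
        return None
    (ts,) = struct.unpack(">Q", raw[1:9])
    try:
        when = datetime.fromtimestamp(ts, tz=timezone.utc)
    except (OverflowError, OSError, ValueError):  # random bytes can give absurd times
        return None
    return {"timestamp": when, "iv": raw[9:HEADER_LEN],
            "ciphertext": ciphertext, "tag": raw[-TAG_LEN:]}

def verify_fernet_tag(token: bytes, fernet_key: bytes) -> bool:
    """Check the HMAC with a recovered base64url Fernet key (first 16 raw bytes sign)."""
    raw = base64.urlsafe_b64decode(token)
    signing_key = base64.urlsafe_b64decode(fernet_key)[:16]
    expected = hmac.new(signing_key, raw[:-TAG_LEN], hashlib.sha256).digest()
    return hmac.compare_digest(expected, raw[-TAG_LEN:])

def frame_sample_token(fernet_key: bytes, timestamp: int, iv: bytes, ciphertext: bytes) -> bytes:
    """Constructed test data only: frames and signs arbitrary bytes as a Fernet token.
    The 'ciphertext' is NOT real AES output; only the framing and the tag are genuine."""
    body = bytes([FERNET_VERSION]) + struct.pack(">Q", timestamp) + iv + ciphertext
    signing_key = base64.urlsafe_b64decode(fernet_key)[:16]
    tag = hmac.new(signing_key, body, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(body + tag)

# Constructed placeholder keys (not real GhostLocker material).
SAMPLE_KEY = base64.urlsafe_b64encode(bytes(range(32)))
WRONG_KEY = base64.urlsafe_b64encode(bytes(32))
# Constructed sample: timestamp 1742000000 = 2025-03-15 00:53:20 UTC, two blocks of filler.
SAMPLE_TOKEN = frame_sample_token(SAMPLE_KEY, 1742000000, bytes(16), b"A" * 32)
```

A positive parse plus a matching tag under a key recovered from memory or the builder confirms both the format and the key; a failed parse rules Fernet out without any key material.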
Marketed as an enterprise-grade ransomware tool, GhostLocker offers a web-based builder with a range of customizable payload options. Its features include anti-detection measures, automated data exfiltration, multiple persistence mechanisms, and a WatchDog process for maintaining system control. Operated as a Ransomware-as-a-Service (RaaS), the platform provides affiliates with a management portal to deploy tailored attacks.
Affiliates pay an upfront fee between $999 and $1,200, with referral-based discounts creating a pyramid-style incentive model. The service also supports double extortion tactics, stealing data before encryption to pressure victims with the threat of public exposure. Revenue-sharing arrangements for affiliates remain undisclosed.
GhostLocker is the result of collaboration between several threat groups—GhostSec, Stormous, SiegedSec, ThreatSec, and BlackForums—collectively referred to as “The Five Families.” These alliances point to an increasing level of coordination and professionalization within the cybercriminal ecosystem, particularly among groups that originated as hacktivists.
In early 2024, GhostSec and Stormous deepened their cooperation with the launch of a joint RaaS platform called STMX_GhostLocker, further streamlining the ransomware’s distribution and affiliate engagement.
GhostLocker has been used to target a wide range of sectors, including technology, education, healthcare, manufacturing, and critical infrastructure. Attacks have been reported across the Middle East, Africa, Asia, and parts of Europe and the Americas.
Beginning in early 2021, the broader Ghost ransomware group initiated widespread attacks by exploiting unpatched, internet-facing systems, leading to compromises in more than 70 countries. While exact figures for GhostLocker remain unavailable, average ransom demands across ransomware cases climbed to approximately $5.2 million in early 2024.
Learn more about the leading ransomware threat actors by consulting the Halcyon quarterly RaaS (Ransomware as a Service) and extortion group reference guide, Power Rankings: Ransomware Malicious Quartile, and check out the Halcyon Attacks Lookout resource site.