Full Report
## Introduction

This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive, and many researchers have contacted me to tell me how helpful they have found them. It makes me happy to hear how doing something in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society's systems. For that reason, I shall continue to maintain these projects as long as ransomware is still around. For anyone new to these projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London.

## Background on the current ransomware ecosystem as of May 2025

Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual. The exit scams and law enforcement infiltration operations have created a zero-trust environment for the cybercriminals participating in the ransomware economy. The days of affiliates putting their faith in one RaaS platform seem to be long gone, and many are experimenting, moving from one RaaS to the next.

## Sources of Threat Intelligence for the RTM

The RTM was updated with OSINT reports shared by cybersecurity researchers at various private service providers and vendors. The thing to remember about these reports is that the tool usage will be slightly outdated, because of the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.

From the reports, threat groups such as Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International and PLAY have been active for over one year or for multiple years. These are established groups. Since RansomHub and LockBit have shut down, it is more likely than not that their affiliates have already shifted to one of the other RaaS platforms, such as Qilin.

There have also been a number of ransomware operations suspected to be linked to Chinese cyber-espionage groups, such as RA World (for using PlugX), NailaoLocker (for using ShadowPad and PlugX), and CrazyHunter (for its focus on Taiwan).

Threat groups such as IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown are all rising threat groups that have more recently begun their ransomware campaigns.

These factors have led to a large variety of tool usage being observed across the ransomware landscape. Reliance on tools from sites like GitHub or other free software, however, remains a constant theme among these ransomware operations.

List of sources used for the May 2025 major update to the RTM:

| Group Name | Report Publish Date | URL |
|---|---|---|
| Qilin | 25 April 2025; 10 March 2025 | redpiranha.net; picussecurity.com |
| IMN Crew | 24 April 2025 | s-rminform.com |
| CrazyHunter | 16 April 2025 | trendmicro.com |
| RansomEXX | 8 April 2025 | microsoft.com |
| BlackSuit | 31 March 2025 | thedfirreport.com |
| QWCrypt | 26 March 2025 | bitdefender.com |
| RansomHub | 26 March 2025; 20 March 2025 | welivesecurity.com; security.com |
| Medusa | 26 March 2025; 6 March 2025 | welivesecurity.com; security.com |
| BianLian | 26 March 2025 | welivesecurity.com |
| PLAY | 26 March 2025 | welivesecurity.com |
| NightSpire | 25 March 2025 | s-rminform.com |
| Hunters International | 19 March 2025 | esentire.com |
| SuperBlack | 13 March 2025 | forescout.com |
| LockBit | 24 February 2025 | thedfirreport.com |
| NailaoLocker | 20 February 2025; 18 February 2025 | orangecyberdefense.com; trendmicro.com |
| RA World | 13 February 2025; 22 July 2024 | security.com; unit42.paloaltonetworks.com |
| Helldown | 7 November 2024 | truesec.com |

## Tools Used by Multiple Groups

EDRSandBlast and WKTools are relatively new tools being used by multiple groups to deactivate and overcome the EDR tools that many victims will have on their networks to prevent ransomware attacks. Typical ransomware tools, such as PsExec, Mimikatz, and Rclone, remain effective and will still be used by multiple ransomware gangs for the foreseeable future.

| Tool | Type | Groups Using It |
|---|---|---|
| WinSCP | Exfiltration | NightSpire, Hunters International |
| Mimikatz | Credential Theft | RansomHub, Qilin, Helldown |
| Impacket | Offensive Security Tool | RansomHub, RA World, NailaoLocker |
| Rclone | Exfiltration | RansomHub, Hunters International, Medusa |
| NetScan | Discovery | RansomHub, Medusa |
| WKTools | Discovery | RansomHub, BianLian, PLAY |
| Advanced IP Scanner | Discovery | Hunters International, BianLian |
| Advanced Port Scanner | Discovery | Hunters International, Helldown |
| AnyDesk | RMM Tool | Medusa, BianLian |
| EDRSandBlast | Defense Evasion | Medusa, Qilin |

## New Tools Added to the RTM

The most notable new tools added to the RTM include several defense evasion tools for deactivating EDRs, discovery tools for locating sensitive files, and tunnelling tools to conceal adversary network connections.

| Tool | Type | Groups |
|---|---|---|
| Bublup | Exfiltration | BlackSuit |
| WKTools | Discovery | BianLian, PLAY |
| AmmyyAdmin | RMM Tool | BianLian |
| CQHashDump | Credential Theft | NailaoLocker |
| Throttle Stop Driver | Defense Evasion | Medusa |
| KillAV | Defense Evasion | Medusa |
| BadRentdrv2 | Defense Evasion | RansomHub |
| Toshiba Power Driver (BYOVD) | Defense Evasion | Qilin |
| ZammoCide | Defense Evasion | CrazyHunter |
| FRP | Networking | Medusa |
| Stowaway | Networking | RansomHub |
| Navicat | Discovery | Medusa |
| Everything.exe | Discovery | NightSpire |
| RoboCopy | Discovery | Medusa |
| NPS | Networking | RA World |
| SharpGPOAbuse | Offensive Security Tool | CrazyHunter |
| Attrib | LOLBAS | BlackSuit |
| Curl | LOLBAS | QWCrypt (RedCurl) |
| PCA Utility (pcalua) | LOLBAS | QWCrypt (RedCurl) |

## Exploits used by Ransomware Gangs added to the RVM

As is now usual, multiple ransomware groups have been targeting Fortinet networking devices for initial access into victim environments. Multiple ransomware groups continue to exploit the Windows Common Log File System (CLFS) for local privilege escalation to run hacking tools and steal credentials. Other exploits involve targeting edge devices, such as Check Point VPNs or PAN firewalls, or exposed servers, such as Atlassian Confluence Data Center servers. The targeting of Veeam backup software should come as no surprise, as preventing backups and stealing sensitive files, such as Active Directory backups, are key objectives ransomware gangs must achieve to complete their mission.

| Ransomware Group | Exploited CVEs |
|---|---|
| NightSpire | CVE-2024-55591 (FortiOS) |
| RansomHub | CVE-2022-24521 (Windows CLFS), CVE-2023-27532 (Veeam) |
| LockBit | CVE-2023-22527 (Confluence) |
| Hunters International | CVE-2024-55591 (FortiProxy) |
| SuperBlack | CVE-2024-55591 (FortiProxy) |
| RA World | CVE-2024-0012 (PAN-OS) |
| NailaoLocker | CVE-2024-24919 (Check Point VPN) |
| RansomEXX | CVE-2025-29824 (Windows CLFS) |

## Conclusion

My recommendation for defenders who continue the fight against ransomware is to take some of the findings from this report and begin threat hunting, writing detection rules, and blocking any of these tools that are not legitimately present in the environments you are protecting. Here are a few sites to help you get started:

- https://rulehound.com/rules
- https://detection.fyi
- https://www.snapattack.com/community
Analysis Summary
# Tool/Technique: Ransomware Tool Matrix (RTM) Analysis - May 2025 Update
## Overview
This summary focuses on the updates to the Ransomware Tool Matrix (RTM) as of May 2025, reflecting the current ransomware ecosystem instability following operations against LockBit and the ALPHV/BlackCat exit scam. The RTM summarizes tools used by ransomware threat actors across various stages of their operations, aiding defenders in threat hunting and detection engineering.
## Technical Details
- Type: Analysis Framework/Intelligence Aggregation
- Platform: Not applicable (Intelligence resource for various platforms targeted by ransomware)
- Capabilities: Aggregates and categorizes tools used by ransomware gangs, provides mappings for defense evasion, discovery, exfiltration, and C2.
- First Seen: Ongoing updates, major update referenced is May 2025.
## MITRE ATT&CK Mapping
The document focuses on aggregate tool usage across several tactics, including:
- **Defense Evasion:** (Via tools like EDRSandBlast, WKTools, KillAV, BadRentdrv2, Throttle Stop Driver)
- **Credential Access:** (Via tools like Mimikatz, CQHashDump)
- **Exfiltration:** (Via tools like Rclone, WinSCP, Bublup)
- **Discovery:** (Via tools like NetScan, Advanced IP Scanner, Advanced Port Scanner, Everything.exe)
- **Command and Control:** (Via networking/tunnelling tools like FRP, Stowaway, NPS)
## Functionality
### Core Capabilities
The RTM documents the consistent reuse of classic tools alongside newer specialized utilities by current ransomware operations.
* **Persistence/Widespread Use:** Tools like PsExec, Mimikatz, and Rclone remain highly effective and utilized by multiple gangs.
* **Discovery:** Tools such as Advanced IP Scanner, Advanced Port Scanner, NetScan, and Everything.exe are consistently used for network and environment reconnaissance.
* **Remote Management:** RMM tools like AnyDesk and AmmyyAdmin are observed.
### Advanced Features
The update highlights an increased reliance on specialized tools designed specifically to counteract defensive measures:
* **EDR Bypass/Defense Evasion:** New tools like EDRSandBlast and WKTools are specifically mentioned for deactivating or overcoming Endpoint Detection and Response (EDR) solutions. Other defense evasion tools include KillAV, BadRentdrv2, and Toshiba Power Driver (BYOVD).
* **Exfiltration/Tunnelling:** Tools like Bublup (Exfiltration) and networking utilities like FRP, Stowaway, and NPS are being used to conceal network connections.
* **LOLBAS Usage:** Threat actors continue to leverage Living Off The Land Binaries and Scripts (LOLBAS) such as Attrib and PCA Utility (pcalua).
## Indicators of Compromise
The context does not provide specific, actionable IOCs (Hashes, IPs) for individual malware samples, but lists the *types* of tools observed:
- File Hashes: Not specified in this summary context.
- File Names: Not specified in this summary context.
- Registry Keys: Not specified in this summary context.
- Network Indicators: Tools observed suggest use of networking/tunnelling (FRP, Stowaway, NPS), but specific external infrastructure is not detailed.
- Behavioral Indicators: Deactivation of EDR processes, network scanning, credential dumping, and large-scale file staging/exfiltration.
## Associated Threat Actors
Numerous ransomware groups and state-aligned entities are referenced in relation to their observed tool usage:
* **Established Groups:** Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International, PLAY.
* **Recent/Shifting Groups:** Affiliates likely shifted from LockBit or ALPHV/BlackCat to platforms like Qilin.
* **State-Linked Activity (Suspected Chinese Espionage):** RA World (PlugX), NailaoLocker (ShadowPad, PlugX), CrazyHunter.
* **Rising Groups:** IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown.
## Detection Methods
Detection should focus on the behavior associated with the documented tools:
- **Signature-based detection:** Signatures for known malware utilities (Mimikatz artifacts, Rclone binaries).
- **Behavioral detection:** Monitoring for EDR process termination/suspension (especially utilizing EDRSandBlast or WKTools behaviors), unusual internal network scanning (Advanced IP Scanner, NetScan), attempts to dump credentials, and use of portable utilities like WinSCP or Rclone for data staging.
- **YARA rules:** Could be developed for the new, specific offensive tools mentioned (e.g., CQHashDump, ZammoCide).
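The report's Conclusion asks defenders to start hunting for the RTM tools, and the Detection Methods above note that single-tool matches are weak while behaviour across tactics is strong. The script below is an added example, not code from the RTM project or any vendor report, that turns the page's tool tables into a hunt over process-creation telemetry and then judges each host by how many RTM categories appear within a time window. The tool names and RTM types come from the page; the executable file names used as hints are assumed default names (a renamed binary will not match, which is exactly why the correlation step exists), and every event is constructed. Driver-based tools such as the BYOVD drivers in the table surface in driver-load telemetry, not process creation, so they are deliberately left out here.

```python
"""Hunt for RTM-listed tooling in process-creation telemetry and correlate per host.

Added example for this page, not code from the RTM project.  Tool names and RTM
categories are taken from the page's tables; the executable file names used as
hints are assumed defaults, and every event in SAMPLE_EVENTS is constructed.
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# RTM tool -> (RTM type, file-name hints).  A hint ending in ".exe" must equal the
# image basename exactly; a bare token matches as a substring of the basename.
# All hints are assumed default names, not values from the page.
RTM_TOOLS = {
    "WinSCP":                ("Exfiltration",            ["winscp.exe"]),
    "Rclone":                ("Exfiltration",            ["rclone.exe"]),
    "Bublup":                ("Exfiltration",            ["bublup"]),
    "Mimikatz":              ("Credential Theft",        ["mimikatz.exe"]),
    "CQHashDump":            ("Credential Theft",        ["cqhashdump"]),
    "SharpGPOAbuse":         ("Offensive Security Tool", ["sharpgpoabuse"]),
    "NetScan":               ("Discovery",               ["netscan.exe"]),
    "Advanced IP Scanner":   ("Discovery",               ["advanced_ip_scanner.exe"]),
    "Advanced Port Scanner": ("Discovery",               ["advanced_port_scanner.exe"]),
    "Everything.exe":        ("Discovery",               ["everything.exe"]),
    "Navicat":               ("Discovery",               ["navicat.exe"]),
    "WKTools":               ("Discovery",               ["wktools"]),
    "AnyDesk":               ("RMM Tool",                ["anydesk.exe"]),
    "AmmyyAdmin":            ("RMM Tool",                ["ammyy"]),
    "EDRSandBlast":          ("Defense Evasion",         ["edrsandblast"]),
    "KillAV":                ("Defense Evasion",         ["killav"]),
    "ZammoCide":             ("Defense Evasion",         ["zammocide"]),
    "FRP":                   ("Networking",              ["frpc.exe", "frps.exe"]),
    "Stowaway":              ("Networking",              ["stowaway"]),
    "Attrib":                ("LOLBAS",                  ["attrib.exe"]),
    "Curl":                  ("LOLBAS",                  ["curl.exe"]),
    "PCA Utility (pcalua)":  ("LOLBAS",                  ["pcalua.exe"]),
}

# Categories that are common in legitimate administration.  Alone they are noise;
# they only raise confidence when they co-occur with a stronger category.
LOW_SIGNAL = {"LOLBAS", "RMM Tool"}


@dataclass
class Hit:
    ts: datetime
    host: str
    tool: str
    category: str
    image: str


def classify(image: str) -> tuple[str, str] | None:
    """Map an image path to an (RTM tool, RTM type) pair, or None if unknown."""
    base = image.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    for tool, (category, hints) in RTM_TOOLS.items():
        for hint in hints:
            matched = hint == base if hint.endswith(".exe") else hint in base
            if matched:
                return tool, category
    return None


def hunt(events: list[dict], window: timedelta = timedelta(hours=1)) -> dict:
    """Classify every event, then judge each host on the spread of RTM categories
    seen inside `window`: two strong categories -> high, one strong plus a
    low-signal one -> medium, anything else -> low.  Hosts with no hit are omitted."""
    by_host: dict[str, list[Hit]] = defaultdict(list)
    for ev in events:
        found = classify(ev["image"])
        if found:
            tool, category = found
            by_host[ev["host"]].append(
                Hit(datetime.fromisoformat(ev["ts"]), ev["host"], tool, category, ev["image"]))

    findings = {}
    for host, hits in by_host.items():
        hits.sort(key=lambda h: h.ts)
        verdict = "low"
        for anchor in hits:  # slide the window forward from each hit
            cats = {h.category for h in hits if anchor.ts <= h.ts <= anchor.ts + window}
            strong = cats - LOW_SIGNAL
            if len(strong) >= 2:
                verdict = "high"
                break
            if len(strong) == 1 and len(cats) >= 2:
                verdict = "medium"
        findings[host] = {"verdict": verdict, "tools": [h.tool for h in hits]}
    return findings


# Constructed process-creation events (Sysmon Event ID 1 style); not real telemetry.
SAMPLE_EVENTS = [
    {"ts": "2025-05-02T09:01:00", "host": "WS01",  "image": r"C:\Users\jdoe\Downloads\advanced_ip_scanner.exe"},
    {"ts": "2025-05-02T09:14:00", "host": "WS01",  "image": r"C:\Windows\Temp\mimikatz.exe"},
    {"ts": "2025-05-02T09:47:00", "host": "WS01",  "image": r"C:\ProgramData\rclone.exe"},
    {"ts": "2025-05-02T09:50:00", "host": "WS01",  "image": r"C:\Windows\System32\attrib.exe"},
    {"ts": "2025-05-02T10:05:00", "host": "FS02",  "image": r"C:\Windows\System32\curl.exe"},
    {"ts": "2025-05-02T10:06:00", "host": "FS02",  "image": r"C:\Windows\System32\pcalua.exe"},
    {"ts": "2025-05-02T11:30:00", "host": "DC01",  "image": r"C:\Program Files (x86)\AnyDesk\AnyDesk.exe"},
    {"ts": "2025-05-02T11:31:00", "host": "DC01",  "image": r"C:\Windows\explorer.exe"},
    {"ts": "2025-05-02T12:00:00", "host": "WS03",  "image": r"C:\Tools\netscan.exe"},
    {"ts": "2025-05-03T01:00:00", "host": "WS03",  "image": r"C:\Tools\WinSCP.exe"},  # 13 h later: outside the window
    {"ts": "2025-05-02T14:00:00", "host": "JMP01", "image": r"C:\Tools\Everything.exe"},
    {"ts": "2025-05-02T14:10:00", "host": "JMP01", "image": r"C:\Users\ops\AppData\Local\AnyDesk.exe"},
]

if __name__ == "__main__":
    for host, finding in hunt(SAMPLE_EVENTS).items():
        print(f"{host:6} {finding['verdict']:6} {', '.join(finding['tools'])}")
```

WS01 comes out high because Discovery, Credential Theft and Exfiltration all appear within an hour; FS02 stays low because two LOLBAS binaries on their own are everyday administration; WS03 stays low because its two strong hits are thirteen hours apart. Feeding this real Sysmon or EDR exports means only replacing SAMPLE_EVENTS, and the obvious next step is to add a second classifier over driver-load events for the BYOVD entries in the table.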
## Mitigation Strategies
* **EDR Hardening:** Focus on improving detection capabilities against behavioral indicators associated with known evasion tools (WKTools, EDRSandBlast). Implement application allow-listing where possible.
* **Restrict Tool Usage:** Proactively block or monitor executables commonly abused by ransomware operators (PsExec, Mimikatz) where possible, though the frequent reuse of legitimate administration tools makes this challenging.
* **Network Segmentation:** Limit lateral movement capabilities by restricting administrative protocols used by tools like PsExec and Impacket.
* **Vulnerability Management:** Address known vectors exploited by ransomware groups.
* **BYOVD Defense:** Strengthen kernel-level monitoring to detect the loading of unverified drivers, such as the Toshiba Power Driver noted for Defense Evasion.
## Related Tools/Techniques
* **Classic Utilities:** PsExec, Mimikatz, Rclone, WinSCP, Impacket, AnyDesk.
* **Similar Evasion Tools:** EDRSandBlast, WKTools, KillAV, BadRentdrv2.
* **Related Intelligence Projects:** Ransomware Vulnerability Matrix (RVM), Russian APT Tool Matrix.