Ransomware Tool Matrix Project Updates: May 2025

Introduction

This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive, and many researchers have contacted me to tell me how helpful they have found them. It makes me happy to hear that something I do in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society's systems, and for that reason I shall continue to maintain these projects as long as ransomware is still around. For anyone new to these projects, please read the descriptions on GitHub or watch my talk explaining the project at BSides London.

Background on the current ransomware ecosystem as of May 2025

Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual. The exit scams and law enforcement infiltration operations have created a zero trust environment for the cybercriminals participating in the ransomware economy. The days of affiliates putting their faith in one RaaS platform seem to be long gone and many are experimenting and going from one RaaS to the next.

Sources of Threat Intelligence for the RTM

The RTM was updated with OSINT reports shared by cybersecurity researchers at various private service providers or vendors. The thing to remember about these reports is that the tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.

From the reports, threat groups such as Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International and PLAY have been active for over one year or for multiple years. These are established groups. Since RansomHub and LockBit have shut down, it is more likely than not that the affiliates have already shifted to one of the other RaaS platforms, like Qilin, among others.

There have also been a number of ransomware operations suspected to be linked to Chinese cyber-espionage groups, such as RA World (for using PlugX), NailaoLocker (for using ShadowPad and PlugX), and CrazyHunter (for its focus on Taiwan).

Threat groups such as IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown are all rising threat groups that have more recently begun their ransomware campaigns.

These factors have produced a wide variety of tool usage across the ransomware operations observed in the landscape. The reliance on tools from GitHub and other free software sites, however, remains a constant theme among all of these ransomware operations.

List of sources used for the May 2025 major update to the RTM:

| Group Name | Report Publish Date | URL |
|---|---|---|
| Qilin | 25 April 2025 | redpiranha.net |
| Qilin | 10 March 2025 | picussecurity.com |
| IMN Crew | 24 April 2025 | s-rminform.com |
| CrazyHunter | 16 April 2025 | trendmicro.com |
| RansomEXX | 8 April 2025 | microsoft.com |
| BlackSuit | 31 March 2025 | thedfirreport.com |
| QWCrypt | 26 March 2025 | bitdefender.com |
| RansomHub | 26 March 2025 | welivesecurity.com |
| RansomHub | 20 March 2025 | security.com |
| Medusa | 26 March 2025 | welivesecurity.com |
| Medusa | 6 March 2025 | security.com |
| BianLian | 26 March 2025 | welivesecurity.com |
| PLAY | 26 March 2025 | welivesecurity.com |
| NightSpire | 25 March 2025 | s-rminform.com |
| Hunters International | 19 March 2025 | esentire.com |
| SuperBlack | 13 March 2025 | forescout.com |
| LockBit | 24 February 2025 | thedfirreport.com |
| NailaoLocker | 20 February 2025 | orangecyberdefense.com |
| NailaoLocker | 18 February 2025 | trendmicro.com |
| RA World | 13 February 2025 | security.com |
| RA World | 22 July 2024 | unit42.paloaltonetworks.com |
| Helldown | 7 November 2024 | truesec.com |

Tools Used by Multiple Groups

  • EDRSandBlast and WKTools are relatively new tools that multiple groups are using to deactivate and overcome the EDR products many victims deploy on their networks to prevent ransomware attacks.
  • Typical ransomware tools, such as PsExec, Mimikatz, and Rclone, remain effective and will continue to be used by multiple ransomware gangs for the foreseeable future.

| Tool | Type | Groups Using It |
|---|---|---|
| WinSCP | Exfiltration | NightSpire, Hunters International |
| Mimikatz | Credential Theft | RansomHub, Qilin, Helldown |
| Impacket | Offensive Security Tool | RansomHub, RA World, NailaoLocker |
| Rclone | Exfiltration | RansomHub, Hunters International, Medusa |
| NetScan | Discovery | RansomHub, Medusa |
| WKTools | Discovery | RansomHub, BianLian, PLAY |
| Advanced IP Scanner | Discovery | Hunters International, BianLian |
| Advanced Port Scanner | Discovery | Hunters International, Helldown |
| AnyDesk | RMM Tool | Medusa, BianLian |
| EDRSandBlast | Defense Evasion | Medusa, Qilin |


New Tools Added to the RTM

  • The most notable new tools added to the RTM include several defense evasion tools for deactivating EDRs, discovery tools for locating sensitive files, and tunnelling tools for concealing adversary network connections.

| Tool | Type | Group Usage |
|---|---|---|
| Bublup | Exfiltration | BlackSuit |
| WKTools | Discovery | BianLian, PLAY |
| AmmyyAdmin | RMM Tool | BianLian |
| CQHashDump | Credential Theft | NailaoLocker |
| Throttle Stop Driver | Defense Evasion | Medusa |
| KillAV | Defense Evasion | Medusa |
| BadRentdrv2 | Defense Evasion | RansomHub |
| Toshiba Power Driver (BYOVD) | Defense Evasion | Qilin |
| ZammoCide | Defense Evasion | CrazyHunter |
| FRP | Networking | Medusa |
| Stowaway | Networking | RansomHub |
| Navicat | Discovery | Medusa |
| Everything.exe | Discovery | NightSpire |
| RoboCopy | Discovery | Medusa |
| NPS | Networking | RA World |
| SharpGPOAbuse | Offensive Security Tool | CrazyHunter |
| Attrib | LOLBAS | BlackSuit |
| Curl | LOLBAS | QWCrypt (RedCurl) |
| PCA Utility (pcalua) | LOLBAS | QWCrypt (RedCurl) |

Exploits used by Ransomware Gangs added to the RVM

  • As is now usual, multiple ransomware groups have been targeting Fortinet networking devices for initial access into victim environments.
  • Multiple ransomware groups continue to exploit the Windows Common Log File System (CLFS) for local privilege escalation so they can run hacking tools and steal credentials.
  • Other exploits target edge devices, such as Check Point VPNs or PAN firewalls, or exposed servers, such as Atlassian Confluence Data Center servers.
  • The targeting of Veeam backup software should come as no surprise, since disrupting backups and stealing sensitive files, such as Active Directory backups, are key objectives for ransomware gangs completing their mission.

| Ransomware Group | Exploited CVEs |
|---|---|
| NightSpire | CVE-2024-55591 (FortiOS) |
| RansomHub | CVE-2022-24521 (Windows CLFS), CVE-2023-27532 (Veeam) |
| LockBit | CVE-2023-22527 (Confluence) |
| Hunters International | CVE-2024-55591 (FortiProxy) |
| SuperBlack | CVE-2024-55591 (FortiProxy) |
| RA World | CVE-2024-0012 (PAN-OS) |
| NailaoLocker | CVE-2024-24919 (Check Point VPN) |
| RansomEXX | CVE-2025-29824 (Windows CLFS) |

Conclusion

My recommendation for defenders who continue the fight against ransomware is to take the findings from this report and begin threat hunting, write detection rules, and start blocking those tools that have no legitimate presence in the environments you are protecting.
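To make that recommendation concrete for the "Tools Used by Multiple Groups" table above, here is an added example of a small hunting script. It is not part of the Ransomware Tool Matrix project or the original post. The tool catalogue is transcribed from the post's tables; the executable names, the `OriginalFileName` values, the approved-tool list and the log lines are constructed assumptions for the demonstration. The script matches Sysmon-style process-creation events against the catalogue, flags renamed binaries by comparing the on-disk name with the PE OriginalFileName, downgrades tools that are sanctioned in your environment, and emits a Sigma-style rule for any catalogued tool.

```python
"""Hunt process-creation logs for tools catalogued in this post.

Added example, not part of the Ransomware Tool Matrix project. The catalogue
is transcribed from the post's tables; executable names, OriginalFileName
values, the approved-tool list and the log lines are constructed assumptions.
"""
from __future__ import annotations

import csv
import io
from pathlib import PureWindowsPath

# Tool -> (category, groups observed using it), from the tables above.
TOOL_CATALOGUE: dict[str, tuple[str, set[str]]] = {
    "WinSCP": ("Exfiltration", {"NightSpire", "Hunters International"}),
    "Mimikatz": ("Credential Theft", {"RansomHub", "Qilin", "Helldown"}),
    "Rclone": ("Exfiltration", {"RansomHub", "Hunters International", "Medusa"}),
    "NetScan": ("Discovery", {"RansomHub", "Medusa"}),
    "AnyDesk": ("RMM Tool", {"Medusa", "BianLian"}),
    "EDRSandBlast": ("Defense Evasion", {"Medusa", "Qilin"}),
    "Everything.exe": ("Discovery", {"NightSpire"}),
}

# Assumed on-disk names (lower-case). Binaries get renamed, so the hunt also
# checks the PE OriginalFileName field that Sysmon records on Event ID 1.
TOOL_IMAGES: dict[str, str] = {
    "winscp.exe": "WinSCP",
    "mimikatz.exe": "Mimikatz",
    "rclone.exe": "Rclone",
    "netscan.exe": "NetScan",
    "anydesk.exe": "AnyDesk",
    "edrsandblast.exe": "EDRSandBlast",
    "everything.exe": "Everything.exe",
}

# Tools with a sanctioned presence in the hypothetical environment: hits are
# kept but downgraded so unexpected hosts or users can still be spotted.
APPROVED_TOOLS = {"AnyDesk"}

# Constructed sample log (Sysmon Event ID 1 fields flattened to CSV).
SAMPLE_LOG = """timestamp,host,user,image,original_file_name
2025-05-02T01:12:03Z,WS-042,CORP\\jsmith,C:\\Program Files (x86)\\WinSCP\\WinSCP.exe,WinSCP.exe
2025-05-02T01:14:22Z,SRV-FS01,CORP\\svc_backup,C:\\Windows\\Temp\\rclone.exe,rclone.exe
2025-05-02T01:15:40Z,SRV-FS01,CORP\\svc_backup,C:\\Windows\\Temp\\m.exe,mimikatz.exe
2025-05-02T01:20:05Z,WS-017,CORP\\helpdesk,C:\\Program Files\\AnyDesk\\AnyDesk.exe,AnyDesk.exe
2025-05-02T01:21:11Z,WS-017,CORP\\helpdesk,C:\\Windows\\System32\\svchost.exe,svchost.exe
"""


def identify_tool(image_path: str, original_file_name: str) -> tuple[str | None, bool]:
    """Map one event to a catalogued tool. Returns (tool or None, was_renamed)."""
    image = PureWindowsPath(image_path).name.lower()
    original = original_file_name.lower()
    tool = TOOL_IMAGES.get(image) or TOOL_IMAGES.get(original)
    return tool, bool(tool) and image != original


def hunt(log_text: str) -> list[dict]:
    """Return one finding per event whose binary matches a catalogued tool."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        tool, renamed = identify_tool(row["image"], row["original_file_name"])
        if tool is None:
            continue
        category, groups = TOOL_CATALOGUE[tool]
        if tool in APPROVED_TOOLS:
            severity = "info"
        else:
            # A renamed binary is a stronger signal than the tool name alone.
            severity = "critical" if renamed else "high"
        findings.append({
            "timestamp": row["timestamp"], "host": row["host"], "user": row["user"],
            "tool": tool, "category": category, "groups": sorted(groups),
            "renamed": renamed, "severity": severity,
        })
    return findings


def sigma_rule(tool: str) -> dict:
    """Build a Sigma-style process_creation rule for one catalogued tool.

    Matching OriginalFileName as well as Image catches simple renames.
    """
    image = next(img for img, name in TOOL_IMAGES.items() if name == tool)
    category, groups = TOOL_CATALOGUE[tool]
    return {
        "title": f"Ransomware-associated tool: {tool}",
        "status": "experimental",
        "description": f"{category} tool used by {', '.join(sorted(groups))}.",
        "logsource": {"category": "process_creation", "product": "windows"},
        "detection": {
            "selection_image": {"Image|endswith": f"\\{image}"},
            "selection_original": {"OriginalFileName": image},
            "condition": "1 of selection_*",
        },
        "level": "informational" if tool in APPROVED_TOOLS else "high",
    }


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        flag = " (renamed binary)" if f["renamed"] else ""
        print(f"[{f['severity']}] {f['timestamp']} {f['host']} {f['user']}: "
              f"{f['tool']} [{f['category']}]{flag}; seen with {', '.join(f['groups'])}")
```

Run against the constructed log, the script reports WinSCP and Rclone as high, the renamed `m.exe` as critical because its OriginalFileName is still `mimikatz.exe`, and AnyDesk as informational because it is on the approved list. Names alone are a weak indicator, so in production pair this with signer and hash checks and feed the generated Sigma rules into your SIEM rather than matching in a script.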

Here are a few sites to help you get started:
