Ransomware Tool Matrix Project Updates: May 2025

-

Introduction

This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM)Feedback from the infosec community about these projects has been overwhelmingly positive and many researchers have contacted me to tell me how helpful they have found these to be. It makes me happy to hear how doing something in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society’s systems. And it is for that reason, I shall continue to maintain these projects as long as ransomware is still around. For anyone new to these projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London.

Background on the current ransomware ecosystem as of May 2025

Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual. The exit scams and law enforcement infiltration operations have created a zero trust environment for the cybercriminals participating in the ransomware economy. The days of affiliates putting their faith in one RaaS platform seem to be long gone and many are experimenting and going from one RaaS to the next.

Sources of Threat Intelligence for the RTM

The RTM was updated with OSINT reports shared by cybersecurity researchers at various private service providers or vendors. The thing to remember about these reports is that the tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.

From the reports, threat groups such as Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International and PLAY have been active for over one year or for multiple years. These are established groups. Since RansomHub and LockBit have shut down, it is more likely than not that the affiliates have already shifted to one of the other RaaS platforms, like Qilin, among others.

There has also been a number of ransomware operations suspected to be linked to Chinese cyber-espionage groups, such as RA World (for using PlugX), NailaoLocker (for using ShadowPad and PlugX), and CrazyHunter (for its focus on Taiwan).

Threat groups such as IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown are all rising threat groups that have more recently begun their ransomware campaigns.

These factors have led to seeing a large variety of tool usage in ransomware operations being observed across the landscape. The reliance on tools from sites like GitHub and other free software sites, however, continues to remain a constant theme among all of these ransomware operations.

List of sources used for the May 2025 major update to the RTM:

Group Name

Report Publish Date

URL

Qilin

25 April 2025

10 March 2025

redpiranha.net

picussecurity.com

IMN Crew

24 April 2025

s-rminform.com

CrazyHunter

16 April 2025

trendmicro.com

RansomEXX

8 April 2025

microsoft.com

BlackSuit

31 March 2025

thedfirreport.com

QWCrypt

26 March 2025

bitdefender.com

RansomHub

26 March 2025

20 March 2025

welivesecurity.com

security.com

Medusa

26 March 2025

6 March 2025

welivesecurity.com

security.com

BianLian

26 March 2025


welivesecurity.com

PLAY

26 March 2025


welivesecurity.com

NightSpire

25 March 2025

s-rminform.com

Hunters International

19 March 2025

esentire.com

SuperBlack

13 March 2025

forescout.com

LockBit

24 February 2025

thedfirreport.com

NailaoLocker

20 February 2025

18 February 2025

orangecyberdefense.com

trendmicro.com

RA World

13 February 2025

22 July 2024

security.com

unit42.paloaltonetworks.com

Helldown

7 November 2024

truesec.com

Tools Used by Multiple Groups

  • EDRSandBlast and WKTools are relatively new tools that are being used by multiple groups to deactivate and overcome EDR tools that many victims will have on their networks to prevent ransomware attacks.
  • Typical ransomware tools, such as PsExec, Mimikatz, and Rclone remain effective and still used by multiple ransomware gangs for the foreseeable future.

Tool

Type

Groups Using It

WinSCP

Exfiltration

NightSpire

Hunters International

Mimikatz

Credential Theft

RansomHub

Qilin

Helldown

Impacket

Offensive Security Tool

RansomHub

RA World

NailaoLocker

Rclone

Exfiltration

RansomHub

Hunters International Medusa

NetScan

Discovery

RansomHub

Medusa

WKTools

Discovery

RansomHub

BianLian

PLAY

Advanced IP Scanner

Discovery

Hunters International BianLian

Advanced Port Scanner

Discovery

Hunters International Helldown

AnyDesk

RMM Tool

Medusa

BianLian

EDRSandBlast

Defense Evasion

Medusa

Qilin

New Tools Added to the RTM

  • The most notable new tools added to RTM include several defense evasion tools for deactivating EDRs, discovery for sensitive files, and tunnelling tools to conceal adversary network connections.

Tool

Type

Groups Usage

Bublup

Exfiltration

BlackSuit

WKTools

Discovery

BianLian, PLAY

AmmyyAdmin

RMM Tool

BianLian

CQHashDump

Credential Theft

NailaoLocker

Throttle Stop Driver

Defense Evasion

Medusa

KillAV

Defense Evasion

Medusa

BadRentdrv2

Defense Evasion

RansomHub

Toshiba Power Driver (BYOVD)

Defense Evasion

Qilin

ZammoCide

Defense Evasion

CrazyHunter

FRP

Networking

Medusa

Stowaway

Networking

RansomHub

Navicat

Discovery

Medusa

Everything.exe

Discovery

NighSpire

RoboCopy

Discovery

Medusa

NPS

Networking

RA World

SharpGPOAbuse

Offensive Security Tool

CrazyHunter

Attrib

LOLBAS

BlackSuit

Curl

LOLBAS

QWCrypt (RedCurl)

PCA Utility (pcalua)

LOLBAS

QWCrypt (RedCurl)

Exploits used by Ransomware Gangs added to the RVM

  • As is now usual, multiple ransomware groups have been targeting Fortinet networking devices for initial access into to victim environments.
  • Multiple ransomware groups continue to exploit the Windows Common Log File System (CLFS) for local privilege escalation to run hacking tools and steal credentials.
  • Other exploits involve targeting edge devices, such as Check Point VPNs or PAN Firewalls, or exposed servers, such as Atlassian Confluence Data Center Servers.
  • The targeting of Veeam backup software should come as no surprise as preventing backups or stealing sensitive files, such as Active Directory backups, are key objectives of ransomware gangs to complete their mission.

Ransomware Group

Exploited CVEs

NightSpire

CVE-2024-55591 (FortiOS)

RansomHub

CVE-2022-24521 (Windows CLFS)
CVE-2023-27532 (Veeam)

LockBit

CVE-2023-22527 (Confluence)

Hunters International

CVE-2024-55591 (FortiProxy)

SuperBlack

CVE-2024-55591 (FortiProxy)

RA World

CVE-2024-0012 (PAN-OS)

NailaoLocker

CVE-2024-24919 (Check Point VPN)

RansomEXX

CVE-2025-29824 (Windows CLFS)

Conclusion

My recommendation for defenders who continue the fight against ransomware is to take some of the findings from this report and begin threat hunting, detection rule writing, and start blocking some of these tools not present in the environments you are protecting.

Here are a few sites to help you get started with:

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-sprea...
Read more

The Ransomware Tool Matrix

-
Image
Introduction Ransomware attacks are becoming increasingly damaging, but one thing remains consistent: the tools these cybercriminals rely on. The Ransomware Tool Matrix is a comprehensive resource that sheds light on the tactics, techniques, and procedures (TTPs) commonly used by ransomware and extortionist gangs. This repository provides defenders with actionable intelligence on the tools frequently leveraged by adversaries, thanks to the insights shared publicly by the US Cybersecurity and Infrastructure Security Agency (CISA)'s #StopRansomware advisories and The DFIR Report's publications, among others. This repository offers straightforward insights from compiled open source intelligence (OSINT) research that can be directly applied to threat hunting, detection engineering, and incident response operations. Project Background As defenders, we can turn the tables by exploiting a crucial flaw committed by ransomware gangs: tool reuse. Many ransomware gangs repeatedly rely on ...
Read more

The Russian APT Tool Matrix

-
Image
Introduction Based on feedback I have received from fellow CTI researchers, incident responders, and managed detection and response teams around my Ransomware Tool Matrix project, I decided to make another Tool Matrix focused on one hostile state in particular: Russia. Again, as defenders, we should exploit the fact the tools used by these Russian APT groups are often reused and through proactive defensive work, we can frustrate and even eliminate the ability of certain adversaries to launch intrusions. Using the Russian APT Tool Matrix comes with its own challenges. While it is undoubtedly useful to have a list of tools commonly used by Russian APTs to hunt, detect, and block, there are some risks, as noted in the repository. The new repository also contains multiple types of Russian threat groups, this includes adversaries part of the GRU, SVR, and FSB. The alias of each Russian threat group has been chosen by what the author of this repo believes it is most well-known as. ...
Read more