Ransomware Tool Matrix Project Updates: May 2025
Introduction
This blog is a summary and analysis of recent additions to the Ransomware Tool Matrix (RTM) as well as the Ransomware Vulnerability Matrix (RVM). Feedback from the infosec community about these projects has been overwhelmingly positive, and many researchers have contacted me to tell me how helpful they have found them to be. It makes me happy to hear how doing something in my spare time can help stop ransomware attacks and cybercriminals from exploiting our society’s systems, and it is for that reason that I shall continue to maintain these projects as long as ransomware is still around. For anyone new to these projects, please read the descriptions on GitHub or feel free to watch my talk explaining the project at BSides London.
Background on the current ransomware ecosystem as of May 2025
Following the impact of Operation Cronos against LockBit and the exit scam by ALPHV/BlackCat, the ransomware ecosystem has been even more unstable than usual. The exit scams and law enforcement infiltration operations have created a zero trust environment for the cybercriminals participating in the ransomware economy. The days of affiliates putting their faith in one RaaS platform seem to be long gone and many are experimenting and going from one RaaS to the next.
Sources of Threat Intelligence for the RTM
The RTM was updated with OSINT reports shared by cybersecurity researchers at various private service providers or vendors. The thing to remember about these reports is that the tool usage is going to be slightly outdated due to the time it takes incident response teams to wrap up an investigation, compile findings, and publish a report.

From the reports, threat groups such as Qilin, BlackSuit, RansomEXX, Medusa, BianLian, Hunters International and PLAY have been active for over one year or for multiple years. These are established groups. Since RansomHub and LockBit have shut down, it is more likely than not that their affiliates have already shifted to one of the other RaaS platforms, like Qilin, among others.

There have also been a number of ransomware operations suspected to be linked to Chinese cyber-espionage groups, such as RA World (for using PlugX), NailaoLocker (for using ShadowPad and PlugX), and CrazyHunter (for its focus on Taiwan).

Threat groups such as IMN Crew, QWCrypt (linked to RedCurl), NightSpire, SuperBlack, and Helldown are all rising threat groups that have more recently begun their ransomware campaigns.

These factors have led to a large variety of tool usage being observed in ransomware operations across the landscape. Reliance on tools from sites like GitHub and other free software sites, however, remains a constant theme across all of these ransomware operations.
List of sources used for the May 2025 major update to the RTM:
| Group Name | Report Publish Date | URL |
| --- | --- | --- |
| Qilin | 25 April 2025; 10 March 2025 | |
| IMN Crew | 24 April 2025 | |
| CrazyHunter | 16 April 2025 | |
| RansomEXX | 8 April 2025 | |
| BlackSuit | 31 March 2025 | |
| QWCrypt | 26 March 2025 | |
| RansomHub | 26 March 2025; 20 March 2025 | |
| Medusa | 26 March 2025; 6 March 2025 | |
| BianLian | 26 March 2025 | |
| PLAY | 26 March 2025 | |
| NightSpire | 25 March 2025 | |
| Hunters International | 19 March 2025 | |
| SuperBlack | 13 March 2025 | |
| LockBit | 24 February 2025 | |
| NailaoLocker | 20 February 2025; 18 February 2025 | |
| RA World | 13 February 2025; 22 July 2024 | |
| Helldown | 7 November 2024 | |
Tools Used by Multiple Groups
- EDRSandBlast and WKTools are relatively new tools that are being used by multiple groups to deactivate and overcome EDR tools that many victims will have on their networks to prevent ransomware attacks.
- Typical ransomware tools, such as PsExec, Mimikatz, and Rclone, remain effective and are still used by multiple ransomware gangs, and will likely remain so for the foreseeable future.
| Tool | Type | Groups Using It |
| --- | --- | --- |
| WinSCP | Exfiltration | NightSpire, Hunters International |
| Mimikatz | Credential Theft | RansomHub, Qilin, Helldown |
| Impacket | Offensive Security Tool | RansomHub, RA World, NailaoLocker |
| Rclone | Exfiltration | RansomHub, Hunters International, Medusa |
| NetScan | Discovery | RansomHub, Medusa |
| WKTools | Discovery | RansomHub, BianLian, PLAY |
| Advanced IP Scanner | Discovery | Hunters International, BianLian |
| Advanced Port Scanner | Discovery | Hunters International, Helldown |
| AnyDesk | RMM Tool | Medusa, BianLian |
| EDRSandBlast | Defense Evasion | Medusa, Qilin |
New Tools Added to the RTM
- The most notable new tools added to the RTM include several defense evasion tools for deactivating EDRs, discovery tools for locating sensitive files, and tunnelling tools to conceal adversary network connections.
| Tool | Type | Groups Using It |
| --- | --- | --- |
| Bublup | Exfiltration | BlackSuit |
| WKTools | Discovery | BianLian, PLAY |
| AmmyyAdmin | RMM Tool | BianLian |
| CQHashDump | Credential Theft | NailaoLocker |
| Throttle Stop Driver | Defense Evasion | Medusa |
| KillAV | Defense Evasion | Medusa |
| BadRentdrv2 | Defense Evasion | RansomHub |
| Toshiba Power Driver (BYOVD) | Defense Evasion | Qilin |
| ZammoCide | Defense Evasion | CrazyHunter |
| FRP | Networking | Medusa |
| Stowaway | Networking | RansomHub |
| Navicat | Discovery | Medusa |
| Everything.exe | Discovery | NightSpire |
| RoboCopy | Discovery | Medusa |
| NPS | Networking | RA World |
| SharpGPOAbuse | Offensive Security Tool | CrazyHunter |
| Attrib | LOLBAS | BlackSuit |
| Curl | LOLBAS | QWCrypt (RedCurl) |
| PCA Utility (pcalua) | LOLBAS | QWCrypt (RedCurl) |
Exploits used by Ransomware Gangs added to the RVM
- As is now usual, multiple ransomware groups have been targeting Fortinet networking devices for initial access into victim environments.
- Multiple ransomware groups continue to exploit the Windows Common Log File System (CLFS) for local privilege escalation to run hacking tools and steal credentials.
- Other exploits involve targeting edge devices, such as Check Point VPNs or PAN Firewalls, or exposed servers, such as Atlassian Confluence Data Center Servers.
- The targeting of Veeam backup software should come as no surprise as preventing backups or stealing sensitive files, such as Active Directory backups, are key objectives of ransomware gangs to complete their mission.
| Ransomware Group | Exploited CVEs |
| --- | --- |
| NightSpire | CVE-2024-55591 (FortiOS) |
| RansomHub | CVE-2022-24521 (Windows CLFS) |
| LockBit | CVE-2023-22527 (Confluence) |
| Hunters International | CVE-2024-55591 (FortiProxy) |
| SuperBlack | CVE-2024-55591 (FortiProxy) |
| RA World | CVE-2024-0012 (PAN-OS) |
| NailaoLocker | CVE-2024-24919 (Check Point VPN) |
| RansomEXX | CVE-2025-29824 (Windows CLFS) |
Conclusion
My recommendation for defenders who continue the fight against ransomware is to take some of the findings from this report and begin threat hunting, writing detection rules, and blocking those tools that are not legitimately present in the environments you are protecting.
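As an added example of that recommendation (this is not code from the RTM project or from this post), the following Python script takes the rows of the "Tools Used by Multiple Groups" table above, ranks the tools by how many groups were observed using them so that hunts can be prioritised, and then runs a simple hunt over process-creation events while skipping tools that are sanctioned in the environment. The executable names per tool, the key=value log format and the log lines themselves are assumptions constructed for this example; a real hunt should use the RTM's own indicators and pair file names with hashes or code-signing information.

```python
"""Added example (not part of the RTM project or this post): rank RTM tools by
how many ransomware groups use them, then hunt for them in process-creation
logs, skipping tools that are legitimately deployed in the environment."""
import re
from collections import namedtuple

# Rows copied from the "Tools Used by Multiple Groups" table in this post.
RTM_ROWS = [
    ("WinSCP", "Exfiltration", ["NightSpire", "Hunters International"]),
    ("Mimikatz", "Credential Theft", ["RansomHub", "Qilin", "Helldown"]),
    ("Impacket", "Offensive Security Tool", ["RansomHub", "RA World", "NailaoLocker"]),
    ("Rclone", "Exfiltration", ["RansomHub", "Hunters International", "Medusa"]),
    ("NetScan", "Discovery", ["RansomHub", "Medusa"]),
    ("WKTools", "Discovery", ["RansomHub", "BianLian", "PLAY"]),
    ("Advanced IP Scanner", "Discovery", ["Hunters International", "BianLian"]),
    ("Advanced Port Scanner", "Discovery", ["Hunters International", "Helldown"]),
    ("AnyDesk", "RMM Tool", ["Medusa", "BianLian"]),
    ("EDRSandBlast", "Defense Evasion", ["Medusa", "Qilin"]),
]

# Executable names to look for per tool. ASSUMPTION for this example: the post
# does not list binaries; real deployments should use the RTM's own indicators
# plus hashes or signers rather than file names alone.
TOOL_BINARIES = {
    "WinSCP": ["winscp.exe"],
    "Mimikatz": ["mimikatz.exe"],
    "Rclone": ["rclone.exe"],
    "NetScan": ["netscan.exe"],
    "Advanced IP Scanner": ["advanced_ip_scanner.exe"],
    "AnyDesk": ["anydesk.exe"],
    "EDRSandBlast": ["edrsandblast.exe"],
}

# Constructed process-creation events in a hypothetical key=value format.
SAMPLE_LOGS = [
    '2025-05-02T08:01:10Z host=WS-042 user=jdoe image="C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE" cmdline="EXCEL.EXE"',
    '2025-05-02T08:14:55Z host=WS-042 user=jdoe image="C:\\Users\\jdoe\\AppData\\Local\\Temp\\rclone.exe" cmdline="rclone.exe"',
    '2025-05-02T08:16:02Z host=DC-01 user=svc_backup image="C:\\Windows\\Temp\\mimikatz.exe" cmdline="mimikatz.exe"',
    '2025-05-02T09:30:40Z host=WS-017 user=helpdesk image="C:\\Program Files (x86)\\AnyDesk\\AnyDesk.exe" cmdline="AnyDesk.exe"',
    'this line is deliberately malformed and must be skipped',
]

LOG_RE = re.compile(
    r'^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) '
    r'image="(?P<image>[^"]*)" cmdline="(?P<cmdline>[^"]*)"$'
)

Hit = namedtuple("Hit", "ts host tool tool_type groups image")


def parse_log(line):
    """Return the event fields as a dict, or None if the line does not parse."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def rank_tools(rows):
    """Tools ordered by number of groups using them (descending), then by name."""
    return sorted(((tool, len(groups)) for tool, _, groups in rows),
                  key=lambda item: (-item[1], item[0]))


def hunt(log_lines, rows=RTM_ROWS, binaries=TOOL_BINARIES, allowed=frozenset()):
    """Match each event's image basename against the RTM tool binaries.

    `allowed` holds tools that are sanctioned in this environment (for example an
    RMM the help desk really uses); those are skipped so the hunt stays actionable.
    """
    by_binary = {}
    for tool, tool_type, groups in rows:
        if tool in allowed:
            continue
        for name in binaries.get(tool, []):
            by_binary[name.lower()] = (tool, tool_type, tuple(groups))
    hits = []
    for line in log_lines:
        ev = parse_log(line)
        if ev is None:
            continue  # malformed events are skipped, not treated as matches
        basename = ev["image"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if basename in by_binary:
            tool, tool_type, groups = by_binary[basename]
            hits.append(Hit(ev["ts"], ev["host"], tool, tool_type, groups, ev["image"]))
    return hits


if __name__ == "__main__":
    print("Tools by number of groups observed using them:")
    for tool, n in rank_tools(RTM_ROWS):
        print(f"  {n}  {tool}")
    print("\nHunt hits (AnyDesk allowlisted as the sanctioned RMM):")
    for h in hunt(SAMPLE_LOGS, allowed={"AnyDesk"}):
        print(f"  {h.ts} {h.host}: {h.tool} ({h.tool_type}) seen with {', '.join(h.groups)}")
```

Each hit carries the groups the RTM associates with the tool, which is useful context for the analyst triaging it, and the allowlist is what keeps a hunt for dual-use tools such as AnyDesk from drowning in legitimate help-desk activity.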
Here are a few sites to help you get started: