Halcyon Threat Insights 018: July 2025 Ransomware Report

ID: a0ec0616-2b30-563e-aa82-8a217a387a94

STIX ID: report--a0ec0616-2b30-563e-aa82-8a217a387a94

Feed Name: Halcyon Blog

Threat Score
78/100

Date Published: 2026-03-02

Date Updated: 2026-04-28

Halcyon's June 2025 ransomware intelligence briefing describes detections and blocks of ransomware precursors (hack tools like RDPWrap, ConnectWise ScreenConnect, Rubeus, and Defender-disabling utilities), a range of trojans and credential stealers (DarkComet, Lumma variants, FakeGoop, keyloggers), and multiple ransomware families (Akira, Nitro, Diavolo/Conti, RansomEXX/IMPS, Upatre/CryptoLocker). The report highlights trends across targeted industries (manufacturing, insurance, business services), outlines common TTPs (phishing, RDP brute force, credential theft, lateral movement with PsExec/RDP, VSS deletion), and includes a threat actor spotlight on DevMan — a self-contained ransomware group with 40–50 confirmed victims, dual data-extortion/encryption operations, and tooling for Windows (and limited cross-platform) environments.