Halcyon Threat Insights 020: September 2025 Ransomware Report

**Executive summary:** Halcyon’s August 2025 ransomware intelligence reports sector targeting (Manufacturing, Retail, Hospitals/Clinics), enumerates malware and tooling observed across the ransomware attack chain (e.g., Trickbot, Vidar, EFSPotato, Winexe, ngrok, shadow-copy deletion tools, and Akira ransomware), and profiles NightSpire as an emerging closed-group ransomware actor employing double extortion, credential theft, lateral movement, and shadow-copy deletion—with roughly 25–30 publicly listed victims and ransom demands typically between $150,000 and $2 million.