Halcyon’s Director of Research and Comms, Anthony M. Freed Sheds Light on Ransomware Trends and Defenses Against Them

Published on February 12, 2025
Written by:
Vishwa Pandagle
Cybersecurity Staff Editor

Formed by industry veterans from IBM, Optiv, Blackberry, and Cylance, Halcyon toils day and night to secure its customers' digital infrastructure from ransomware and other threats. With this dedication towards information security, it comes as no surprise that Halcyon customers have never had their enterprise successfully attacked by ransomware.

We invited Anthony M. Freed, Halcyon Director of Research and Comms, to share insights about the current ransomware landscape and found a treasure trove of information. 

Read on to find out more about it.

1. Please tell us how Halcyon was formed and what its impact has been so far.

Halcyon was formed in 2021 by a team of cybersecurity industry veterans after battling the scourge of ransomware (and advanced threats) for years, at some of the largest global security vendors. 

Comprised of leaders from Boldend, Cylance (now Blackberry), Accuvant (now Optiv), and ISS X-Force (now IBM), Halcyon is focused on building products and solutions for mid-market and enterprise customers. 

While technically headquartered in Austin, TX, and San Diego, CA, we are unified by our globally distributed, 100% remote workforce and our mission. 

To this date, zero Halcyon customers have been the victim of a successful ransomware attack, zero customers have had sensitive data exposed, zero customers have faced disruptions to their business operations, zero customers have had to deal with the arduous task of restoring from backups, and zero customers have had to pay a ransom.

2. What are the solutions and services offered by Halcyon? Can you share their key features and benefits?

Ransomware continues to wreak havoc on businesses worldwide, with 6 in 10 organizations (59%) falling victim to ransomware attacks in the past year alone.

These incidents exposed 195,414,994 records and resulted in $133.5 million in ransoms paid—a stark reminder of the devastating financial and operational impacts of data breaches initiated by ransomware. 

In today’s high-stakes cybersecurity landscape, organizations of all sizes require purpose-built solutions to combat this pervasive threat. 

The Halcyon Anti-Ransomware Platform sets a new standard by combating ransomware before, during, and after attacks, eliminating downtime, reputational harm, business disruption, and the need to pay ransom. 

Delivered via a lightweight agent, Halcyon detects ransomware that may have bypassed EPP/EDR, preventing it from executing. 

Additionally, Halcyon’s behavior engine detects ransomware actions and halts them automatically. 

Lastly, if Halcyon observes ransomware encryption, Halcyon captures encryption key material, enabling recovery without paying any ransom or using backups. 

Halcyon DXP (Data Exfiltration Prevention) also prevents data loss that can be as damaging as an encryption event, so organizations are not victimized in data extortion and double extortion attacks. 

3. Can you tell us about Halcyon’s anti-ransomware platform? Have there been any recurring incidents or patterns of exploitation that you have noticed? 

According to Halcyon research, ransomware groups employ a variety of tactics, techniques, and procedures (TTPs) to compromise systems and evade detection. Some of the most common TTPs include:

  1. Credential Harvesting: Attackers often steal credentials stored in web browsers to gain unauthorized access to networks. For instance, the Qilin ransomware group has been observed harvesting VPN credentials from Google Chrome browsers on compromised endpoints.
  2. Disabling Security Defenses: Ransomware groups utilize tools to disable endpoint detection and response (EDR) systems. The RansomHub group, for example, combines Kaspersky's TDSSKiller and LaZagne to bypass security defenses and steal credentials. 
  3. Process Termination: To maximize impact, ransomware like Arcus Media targets and terminates business-critical processes, including SQL servers and email clients, before encrypting data. 
  4. Data Exfiltration and Double Extortion: Many ransomware operators exfiltrate sensitive data and threaten to publish it if the ransom is not paid, a tactic known as double extortion. This approach increases pressure on victims to comply with ransom demands. 
  5. Exploiting Vulnerabilities: Attackers often exploit known vulnerabilities in applications and services to gain initial access. For example, Qilin operators are known to exploit vulnerable applications, including Remote Desktop Protocol (RDP).
  6. Use of Legitimate Tools for Malicious Purposes: Ransomware groups frequently use legitimate administrative tools to conduct malicious activities, making detection more challenging. For instance, RansomHub has been observed using tools like TDSSKiller and LaZagne for disabling EDR and credential harvesting.

These evolving TTPs highlight the importance of implementing robust cybersecurity measures, including regular updates, employee training, and advanced threat detection solutions, to defend against ransomware attacks.

4. Why are threat actors from Russia in cybersecurity news almost every day, and what is their real motivation, in your opinion? Can you share any commonly observed behavioral patterns in their activities, like their leak site posts, telegram chats, ransom notes, or other interactions?

  1. Evidence suggests that Russia directs ransomware operators to target sectors like healthcare, energy, and food supply chains, aligning these attacks with its strategic objectives. By undermining public confidence in Western institutions while maintaining plausible deniability, Russia uses ransomware as a tool to further its geopolitical ambitions. For example: The 2024 ransomware attack on the Stoli Group offers a clear example of how ransomware can be used as part of a coordinated strategy. The attack disrupted the company’s enterprise resource planning (ERP) systems, delayed financial reporting, and forced manual operations, contributing to a $78 million debt default. Recovery efforts are expected to extend into 2025.
  2. This cyberattack followed a series of actions by the Russian government targeting Stoli, including the seizure of the company’s last remaining assets in Russia—two distilleries valued at $100 million—and the designation of Stoli and its founder, Yuri Shefler, as “extremists.” These events are part of a long-standing effort by Russia to reclaim vodka trademarks once sold to private entities.
  3. The alignment between the ransomware attack and these state actions suggests more than coincidence. Rather, it appears to be a calculated effort to weaken a company deemed adversarial to Russian interests while advancing domestic objectives. This coordination illustrates how some ransomware attacks can be assessed to be influenced by state priorities.
  4. The Stoli case is just one example of a broader trend linking ransomware operations to Russian interests. A report from Chainalysis revealed that 74% of ransomware revenue went to attackers with ties to Russia in 2021. Such a concentration suggests an ecosystem deeply influenced, if not outright shaped, by Russian state objectives.
  5. Further evidence emerged with the onset of Russia’s invasion of Ukraine in 2022. During this period, ransomware attacks against Western targets declined sharply, while attacks against Ukrainian entities increased. This shift indicates that ransomware operators, often seen as independent criminal groups, are responsive to geopolitical developments and may act under the guidance of the Russian government.
  6. Groups like Conti and REvil, known for their connections to Russian intelligence, illustrate how closely intertwined some ransomware operators are with state interests. Ransomware attacks blur the distinction between criminal activity and state-sponsored operations, allowing Russia to pursue its objectives without risking direct attribution.
  7. One of the most concerning aspects of this dynamic is the focus on critical infrastructure. Attacks on sectors such as healthcare, energy, and food supply chains go beyond financial extortion. They threaten societal stability, disrupt essential services, and create long-term vulnerabilities.
  8. For instance, ransomware attacks on healthcare systems can delay treatments, compromise patient safety, and strain resources, particularly in already overburdened systems. Attacks on energy providers or food supply chains, meanwhile, can disrupt everyday life, drive up costs, and sow uncertainty. These outcomes align with broader objectives to weaken public confidence in government and institutions.
  9. Despite these broader impacts, ransomware attacks have largely been treated as criminal acts rather than threats to national security. While efforts by the Department of Justice to indict operators and seize funds are important, they have had limited success in deterring future attacks. Operators shielded by state actors, particularly those in Russia, remain beyond the reach of traditional law enforcement.
  10. To address this evolving threat effectively, it is essential to reframe ransomware attacks targeting critical infrastructure as national security incidents rather than isolated criminal acts. This shift in perspective would enable a more robust response, including:
    • Offensive Cyber Measures: Disrupting the infrastructure of ransomware operators and their enablers, particularly those operating within adversarial states.
    • Economic Sanctions: Targeting nations that harbor or sponsor ransomware groups to increase the costs of enabling these activities.
    • International Collaboration: Strengthening intelligence sharing and coordinated actions among allied nations to counter ransomware operations more effectively.
    • Cyber Deterrence Strategies: Establishing clear consequences for state-linked ransomware operations, potentially including proportional responses in the cyber or kinetic domains. 

5. How is critical infrastructure targeted using advanced technology? How has the threat landscape changed in the past few years in terms of the methods used for cyber attacks?

  1. The volume of ransomware attacks in the US and UK targeting healthcare and food supply chains further shows that a subset of ransomware incidents is not solely financially motivated but is part of a coordinated strategy to advance geopolitical objectives. Recognizing this dual nature of ransomware is essential to developing effective responses.
  2. Treating ransomware attacks targeting critical infrastructure as a purely cybercriminal action misses its broader implications. These attacks are not only about disrupting businesses for financial gain, they are also about eroding societal trust, creating instability, and advancing the strategic goals of states like Russia.
  3. By reclassifying some ransomware attacks as national security threats, policymakers can unlock a wider range of tools to deter and respond to these incidents. Without this change, responses will remain limited in scope and effectiveness, leaving critical infrastructure vulnerable to ongoing exploitation.
  4. Ransomware has evolved beyond being a tool for financial gain. For nations like Russia, it serves as a low-cost, high-impact mechanism to disrupt adversaries while avoiding direct confrontation. Recognizing and addressing this reality is a crucial step in protecting critical systems and ensuring national security in an era of increasingly complex threats.
  5. As cyber capabilities evolved into a critical theater of military operations, conventional wisdom held that a significant attack on critical infrastructure would likely be part of a broader strategy that included traditional kinetic warfare.
  6. However, we've observed a significant shift where criminal entities have enhanced their capabilities by adopting techniques previously exclusive to Advanced Persistent Threat (APT) operations, such as the use of zero-day vulnerabilities. Increasingly, there is compelling evidence of the convergence between nation-state and cybercriminal tactics, techniques, and procedures (TTPs) as well as shared attack infrastructures. The current overlap between cybercriminal activities and nation-state-supported operations has created an environment of plausible deniability for the nation-states involved.
  7. Today’s ransomware attacks employ techniques that are far advanced from the campaigns of even just a year or two ago. 
  8. Attackers are reinvesting ransom proceeds into hiring really talented developers who are constantly finding new ways to infect victims, evade detection, exfiltrate more sensitive data, and encrypt more files faster. Ransomware attacks used to be clumsier and more random, basically a numbers game in which massive email spam campaigns or drive-by watering hole attacks were designed to infect as many individual devices as possible while asking for ransoms of a fraction of a bitcoin, but those days have largely passed. It is highly unusual to see ransomware gangs using zero-days in attacks, as these exploits are valuable and usually leveraged in nation-state operations as opposed to cybercriminal attacks.
  9. Overall, attackers are automating scans looking for vulnerable applications to exploit, as we have seen in the massive Cl0p campaigns targeting the MOVEit and GoAnywhere software bugs. They are also creating bespoke tools for more efficient collection and exfiltration of victim data and building out their RaaS platform services to smooth the negotiation and ransom payment process. But the marked increase in the exploitation of zero-day vulnerabilities by ransomware gangs is concerning, and further evidence that criminal actors are employing increasingly complex techniques that we used to only see in nation-state (APT) operations.

6. Based on Halcyon’s quarterly report, Medusa’s RaaS operations work on guessing weak passwords on Virtual Private Networks (VPNs). What are your thoughts about the guessing techniques that help them predict difficult passphrases or passwords? Do you think that victims’ social media posts help them in any way?

  1. Ransomware operators employ various techniques to compromise victims' VPN credentials, exploiting both technical vulnerabilities and human errors. One common approach is credential harvesting, where attackers use malware to extract saved VPN credentials from web browsers or deploy infostealers like RedLine and Vidar to capture stored login data. Some malware even monitors clipboard activity to intercept copied credentials and authentication tokens. Another widely used method is brute-force attacks, including dictionary attacks that cycle through common passwords, password spraying that tests widely used credentials against multiple accounts, and credential stuffing, which reuses login information from previous data breaches.
  2. Exploiting default and weak credentials is another major avenue for compromise. Many organizations fail to change factory-set VPN passwords, leaving them vulnerable to attackers who simply use publicly available default credentials. Even when passwords are changed, they are often weak or reused across multiple services, making them easy to guess. Compounding this issue is the exposure of VPN credentials within source code and logs—many organizations mistakenly hardcode credentials in scripts, store them in plaintext configuration files, or accidentally log them in error messages, all of which can be exploited by attackers searching public repositories like GitHub.
  3. Phishing and social engineering tactics are also effective means of obtaining VPN credentials. Attackers craft phishing emails containing links to fake login portals that mimic legitimate VPN authentication pages, tricking employees into submitting their credentials. Vishing, or voice phishing, involves cybercriminals posing as IT support to manipulate employees into revealing their VPN login information. Additionally, ransomware operators increasingly use MFA fatigue attacks, where they flood a user with endless multi-factor authentication prompts, hoping the victim will approve one out of frustration or confusion.
  4. Beyond social engineering, many ransomware groups exploit vulnerabilities in VPN software itself. Zero-day flaws and unpatched security weaknesses in services like Fortinet, Pulse Secure, and Cisco ASA have been prime targets for attackers looking to gain direct access to a victim’s network. Some sophisticated ransomware operations also conduct session hijacking, intercepting valid VPN session tokens to bypass authentication entirely. In some cases, attackers leverage man-in-the-middle (MitM) attacks, exploiting weak encryption settings in VPN configurations to capture unencrypted login credentials as they are transmitted. By combining these techniques, ransomware groups continually refine their ability to infiltrate organizations and deploy their payloads with devastating effectiveness.

7. How can organizations defend against threats coming from cybercriminals like Sarcoma that use Windows-based tools and techniques? What are the most common steps they take to gain access? 

  1. Ransomware operators employ a range of sophisticated techniques to gain access to targeted Windows environments, exploiting vulnerabilities, weak credentials, and human error. One of the most common methods is abusing exposed Remote Desktop Protocol (RDP) services, where attackers launch brute-force attacks to guess weak passwords, leverage credential stuffing with stolen login details from data breaches or exploit unpatched RDP vulnerabilities like BlueKeep (CVE-2019-0708) and DejaBlue (CVE-2019-1181/1182) to gain unauthorized access. Phishing remains another prevalent entry point, with ransomware groups sending malicious email attachments containing weaponized Office documents, PDFs, or ZIP files that deploy malware upon opening. They also trick users into entering credentials on fake Microsoft 365 or VPN login pages and employ MFA fatigue attacks by repeatedly sending authentication requests until the victim approves access out of frustration.
  2. VPNs and remote access services are also prime targets. Attackers often harvest stored VPN credentials from browsers using infostealers like RedLine, exploit known vulnerabilities in VPN appliances such as Fortinet, Palo Alto, and Cisco, or take advantage of weak or default passwords. Many ransomware groups bypass the need for direct intrusion by purchasing stolen RDP, VPN, and Active Directory credentials from initial access brokers (IABs) on cybercriminal marketplaces, often sourced from malware logs and stealer campaigns. Exploiting Windows vulnerabilities is another key tactic, with attackers leveraging zero-day flaws and unpatched exploits like PrintNightmare (CVE-2021-34527) and ProxyLogon (CVE-2021-26855) to escalate privileges and execute code remotely. Privilege escalation attacks further help ransomware operators gain SYSTEM-level access by abusing local Windows security flaws.
  3. Once inside a network, attackers target Active Directory to facilitate lateral movement. They employ Kerberoasting to extract and crack hashed credentials, use pass-the-hash and pass-the-ticket techniques to impersonate authenticated users, and dump credentials from LSASS (Local Security Authority Subsystem Service) with tools like Mimikatz. Additionally, ransomware operators exploit software supply chains, injecting malicious code into legitimate software updates or targeting vulnerabilities in widely used enterprise applications such as Kaseya VSA and MOVEit Transfer. By combining these methods, ransomware groups continually refine their attack strategies, ensuring persistent and widespread compromise of Windows environments with devastating consequences.
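Detection logic for the brute-force and password-spraying patterns described in this answer and in the VPN-credential discussion under question 6, as an added example that is not Halcyon's code. The log format, account names and addresses are constructed; a real deployment would point parse_line() at the VPN appliance's syslog or at Windows Security failed-logon events instead.

```python
"""Added example (not Halcyon's code): sort VPN/RDP authentication failures into the
brute-force and password-spraying patterns described in questions 6 and 7.
The log format, account names and addresses below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
2025-02-10T09:00:01Z vpn auth=FAIL user=svc_backup src=198.51.100.7
2025-02-10T09:00:02Z vpn auth=FAIL user=svc_backup src=198.51.100.7
2025-02-10T09:00:03Z vpn auth=FAIL user=svc_backup src=198.51.100.7
2025-02-10T09:00:04Z vpn auth=FAIL user=svc_backup src=198.51.100.7
2025-02-10T09:00:05Z vpn auth=FAIL user=svc_backup src=198.51.100.7
2025-02-10T09:05:00Z vpn auth=FAIL user=alice src=203.0.113.5
2025-02-10T09:05:01Z vpn auth=FAIL user=bob src=203.0.113.5
2025-02-10T09:05:02Z vpn auth=FAIL user=carol src=203.0.113.5
2025-02-10T09:05:03Z vpn auth=FAIL user=dave src=203.0.113.5
2025-02-10T09:05:04Z vpn auth=OK user=dave src=203.0.113.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) vpn auth=(?P<result>OK|FAIL) "
                     r"user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_line(line):
    """Return (timestamp, result, user, src), or None for a line that does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["result"], m["user"], m["src"]


def detect(log_text, window=timedelta(minutes=10), bf_threshold=5, spray_accounts=4):
    """Classify failure clusters.  brute_force: one account with >= bf_threshold
    failures inside `window` (what per-account lockout catches).  password_spray: one
    source failing against >= spray_accounts distinct accounts, none more than twice,
    inside `window` (stays under lockout).  Each finding notes whether that account or
    source also logged a success anywhere in the input (noise vs. probable compromise)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    fails_by_user, fails_by_src = defaultdict(list), defaultdict(list)
    ok_users, ok_srcs = set(), set()
    for ts, result, user, src in events:
        if result == "FAIL":
            fails_by_user[user].append(ts)
            fails_by_src[src].append((ts, user))
        else:
            ok_users.add(user)
            ok_srcs.add(src)
    findings = []
    for user, times in fails_by_user.items():
        times.sort()
        for i, start in enumerate(times):  # sliding window over sorted failure times
            n = sum(1 for t in times[i:] if t - start <= window)
            if n >= bf_threshold:
                findings.append({"type": "brute_force", "user": user, "failures": n,
                                 "followed_by_success": user in ok_users})
                break
    for src, items in fails_by_src.items():
        items.sort()
        per_account = defaultdict(int)
        for ts, user in items:
            if ts - items[0][0] <= window:  # window anchored at this source's first failure
                per_account[user] += 1
        if len(per_account) >= spray_accounts and max(per_account.values()) <= 2:
            findings.append({"type": "password_spray", "src": src, "accounts": len(per_account),
                             "followed_by_success": src in ok_srcs})
    return findings
```

Credential stuffing (one attempt per account, from many sources) does not fit either shape and needs a cross-source view keyed on distinct accounts per time window; the same parsed events can feed that rule.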

8. Cl0p ransomware group has continued targeting file-sharing platforms year after year because it helps them find access to a larger number of clients from one platform. Last year, it was Cleo. Is there a way file-sharing platforms can improve security? What is your advice to file-sharing services and their clients? 

  1. Ransomware groups like Cl0p are able to exploit file-sharing programs so frequently because these applications often contain unpatched vulnerabilities, misconfigurations, and weak access controls, making them attractive targets for large-scale attacks. Cl0p, in particular, has repeatedly targeted zero-day vulnerabilities in widely used enterprise file-sharing solutions such as MOVEit Transfer, Accellion FTA, and GoAnywhere MFT to gain unauthorized access to sensitive data.
  2. The primary reason these attacks are so successful is that file-sharing programs are designed to store, process, and transfer large volumes of sensitive information, often across multiple organizations. Many of these applications are exposed to the internet and require complex configurations, which increases the risk of misconfigurations that attackers can exploit. Additionally, many organizations fail to apply security patches in a timely manner, allowing ransomware groups like Cl0p to exploit known vulnerabilities long after fixes have been released.
  3. Cl0p and other ransomware groups specialize in mass exploitation, where they scan the internet for vulnerable file-sharing servers, exploit them in automated attacks, and rapidly exfiltrate large amounts of data before deploying ransomware. Unlike traditional ransomware attacks that rely on encryption, Cl0p frequently uses double extortion tactics, stealing data and threatening to leak it unless a ransom is paid. Because file-sharing programs handle sensitive documents, personal information, and business records, the impact of these breaches is often severe, leading victims to pay large sums to prevent exposure.
  4. By continuously identifying zero-day flaws, leveraging publicly available exploits, and capitalizing on slow patching cycles, Cl0p and similar groups have successfully breached major organizations through file-sharing platforms, demonstrating how critical it is for companies to prioritize security updates, limit public exposure of these applications, and enforce strong authentication and access controls.
