Halcyon

Computer and Network Security

San Diego, CA 27,943 followers

Detect. Disrupt. Defeat Ransomware.

About us

Halcyon, the leading anti-ransomware solution provider, is purpose-built to defeat ransomware attacks. Our technology takes an end-to-end approach to proactively disrupt threats at every stage of the attack lifecycle, from pre-execution to data exfiltration and encryption. With a 24/7 expert team that does the heavy lifting for you, and a robust ransomware warranty, Halcyon eliminates the need for ransom payments, ensures operational continuity, and protects businesses from data extortion.

Website
http://www.halcyon.ai
Industry
Computer and Network Security
Company size
201-500 employees
Headquarters
San Diego, CA
Type
Privately Held
Founded
2021
Specialties
cybersecurity, software, anti-ransomware, and ransomware

Updates

  • 🚨 THREAT ALERT: Not all ransomware failures are good news. Vect 2.0 proves it. On paper, it's flawed. In reality, it's dangerous in a different way - it can destroy your data without giving you any path to recover it. Halcyon’s latest analysis uncovered critical failures in both encryption modes:

    INTERMITTENT mode: Permanently destroys the cryptographic data needed for decryption at the moment of encryption. The nonces are gone before you ever see a ransom note - and no key Vect holds can bring them back.

    FULL mode: Silently skips most files due to a memory bug - but still introduces corruption, misnamed files, and irreversible data loss through broken encryption logic.

    Let’s be clear: This isn’t ransomware you can’t trust. It’s ransomware that removes recovery as an option - including paying your way out. And it’s spreading. Vect’s partnerships with access broker TeamPCP and BreachForums are expanding its affiliate network and putting this unstable tooling in more hands. More access. More attacks. More irreversible outcomes. Don’t wait until this shows up in your environment to understand the risk.

    Full technical breakdown + mitigation guidance → https://lnkd.in/e-9a8CiG #Ransomware #ThreatIntelligence #CyberSecurity

  • "They are predators. They are callous. And they are in many cases knowingly endangering and ending human lives - and they do not care." Those were the first words Cynthia Kaiser brought to the House Committee on Homeland Security last week. Not a data point. Not a policy recommendation. A verdict - from someone who spent 20 years hunting these groups inside the FBI Cyber Division. This is what #ransomware actually is: not a technical problem. Not financial crime. Predatory behavior - deliberate, calculated, and increasingly lethal. Her ask to lawmakers was straightforward: match the punishment to the crime. Designate attacks on hospitals as terrorism. Charge perpetrators with homicide when patients die. The legal authority already exists - it just hasn't been applied. Watch the clip below & find her full testimony/breakdown on the Halcyon blog.

  • If your security program isn’t built around how the business actually operates, it won’t deliver the impact you think it will. That’s the thread Gary Hayslip pulls on in his recent piece - and it’s one that hits deeper than tooling or frameworks. Because brand and culture aren’t abstract concepts. They shape how risk is tolerated, how decisions are made, and how teams respond to security in the first place. Miss that, and even the most mature program will struggle to gain traction. Get it right, and security becomes something else entirely:

    → A driver of trust
    → An enabler of speed
    → A partner to the business, not a blocker

    The shift from technical operator to strategic leader starts here: https://lnkd.in/enKNW_57 #CISO #CyberSecurity #Ransomware

  • Most ransomware stories are about attackers vs. each other - and defenders are not in this one. Most ransomware stories are about attackers vs. defenders. This one isn't. It's attackers vs. each other - and it just exposed how these operations actually work. In April, #0APT and #KryBit leaked each other's infrastructure, affiliates, and negotiation data - opening a rare window into two live ransomware operations. What Halcyon's Ransomware Research Center found:

    👉 0APT was largely fiction. All 190+ "victims" were fabricated - and the entire operation was running off an Android phone. It's now fully disrupted.
    🚨 KryBit is real - and still standing. An emerging RaaS with functional encryptors, verified victims, and ransom demands between $40K–$100K. Expect them to rebuild.
    ⚠️ Everest and RansomHouse were minimally impacted and remain active, sophisticated threats.

    The infighting is notable - but the bigger takeaway is what it revealed about how #ransomware actually operates: data is staged and exfiltrated before encryption ever begins, and recovery pressure is the real weapon. Halcyon's full breakdown includes TTPs, IOCs, and priority mitigations for security teams: https://lnkd.in/ek7icnzS #ThreatIntel

  • The cloud didn't solve ransomware. It changed where the damage happens. Today's attackers aren't breaking into your environment - they're logging in. From a compromised endpoint, they move through stolen sessions and tokens, and the cloud does exactly what it was designed to do: sync everything, everywhere, instantly. No exploits. No failed controls. Just a trusted identity causing damage at scale - often before a single alert fires. In his latest piece, Halcyon's Sameh Sabry maps out how modern ransomware moves through cloud environments, where #cloud-native controls leave gaps, and why the endpoint remains the only place to stop the chain before impact. If you're a #CISO evaluating your real-time response to a credential-based attack, this is worth your time. 👇 https://lnkd.in/eFSdF7X5

  • 69% of ransomware attacks in 2025 were deliberately staged at night and on weekends. Not a coincidence. Attackers know exactly when defenders aren't watching - and they plan around it. Halcyon's 2025 #Ransomware Evolution Report documents how the threat matured into something faster, more industrialized, and strategically harder to contain:

    → Dwell time collapsed from days to hours
    → 78% of incidents abused legitimate RMM tools - making malicious activity look like normal IT traffic
    → SMBs were targeted at nearly 4× the rate of large enterprises
    → Nation-states (Russia, Iran, China, North Korea) have all sponsored ransomware campaigns as a deniable instrument of disruption

    The headline for defenders: ransomware is no longer just a #malware problem. It's an access-driven, identity-centric intrusion model operating at speed and scale. Download the full report: https://lnkd.in/eT9WDTKQ

  • ⚠️ THREAT ALERT: That app you just downloaded? It might already own your network. #EvilAI is one of the most deceptive #malware campaigns we've tracked - and it just surged across networks in the Americas and Europe. Here's what makes it dangerous: The fake apps actually work. AppSuite, Epi Browser, PDF Editor, and others behave exactly as advertised - while silently stealing credentials, establishing encrypted C2 channels, and staging #ransomware payloads in the background. In March 2026 alone, the Halcyon Ransomware Operations Center (ROC) blocked 68 EvilAI attempts against our clients. In every single case, all other endpoint security tools missed it. The campaign uses #AI-generated code with anti-analysis loops that force analysts off static detection entirely. Certificates rotate through disposable shell companies before revocations can catch up. And once it's in - it persists, enumerates your defenses, and calls home. Initial access won by EvilAI is being sold to ransomware groups including Qilin, Akira, and Play. Your users are the target. Your EDR may not be enough. Get the full #ThreatIntel from the Halcyon RRC for IOCs, TTPs, and mitigation steps. https://lnkd.in/eta7BeqZ

  • Twenty years chasing cybercriminals inside the Federal Bureau of Investigation (FBI)’s Cyber Division changes how you see the world. Ransomware stops looking like a tech problem - and starts looking like what it is: organized crime. Criminal entrepreneurs making deliberate decisions about who to target… and what consequences they’re willing to accept. This week, Halcyon’s Cynthia Kaiser brought that perspective to Congress - testifying before the House Committee on Homeland Security after two decades on the front lines. Her message was direct: #ransomware attacks on hospitals should be treated as terrorism - and when they result in patient deaths, prosecuted as homicide. And the case is getting harder to ignore. 👇

    📈 Attacks on hospitals nearly doubled - from 238 in 2024 to 460 in 2025
    ⚠️ At least 47 patient deaths have already been linked to hospital ransomware - a number that’s almost certainly higher today
    🏥 Just months ago, an attack on the University of Mississippi Medical Center forced nine days of manual operations at the state’s only Level 1 trauma center

    This isn’t theoretical. It’s operational impact - at the worst possible moments, for the most vulnerable people. These groups have built their business model around a single assumption: that the consequences will never match the crime. Cynthia spent her career proving that assumption wrong. She’s not done. Read her full take on the blog: https://lnkd.in/eYEdQa2a #healthcare #cybersecurity

  • Today, Halcyon's SVP of Research, Cynthia Kaiser - former FBI Cyber Division Deputy Assistant Director - testified before the House Committee on Homeland Security on the ransomware crisis threatening American lives. The numbers tell a stark story: ransomware attacks on hospitals doubled from 238 in 2024 to 460 in 2025, making #healthcare the single most targeted sector in the country. These aren't just data breaches. They disrupt care. They close clinics. They kill people. Cynthia put it plainly to Congress: "They have simply decided these deaths are someone else's problem." Her message to lawmakers was direct: it's time to match the punishment to the crime. ⚖️ Ransomware attacks on hospitals should be designated acts of terrorism. Full stop. State, Treasury, and Justice Department designations would unlock sanctions, travel restrictions, and the full weight of counterterrorism tools against actors who knowingly target life-critical infrastructure. ⚖️ When a ransomware attack kills a patient, the perpetrators should be charged with homicide. The legal authority already exists. A University of Minnesota study linked hospital ransomware attacks to dozens of Medicare patient deaths. German authorities opened a negligent homicide investigation after a 2020 attack. The framework is there - it just hasn't been applied. Cynthia's testimony calls for DOJ guidance to change that. These proposals align with the Trump administration's new national cyber strategy and executive order on cybercrime, both calling for a more aggressive posture against ransomware actors. As Rep. Lou Correa noted at the hearing: "It sounds like the language is there, it just has not been applied in these circumstances." When the House Homeland Security Committee needed an expert to help shape national ransomware policy, they called Halcyon. The intelligence Cynthia brought to the Hill is the same intelligence that powers our platform and protects our customers every day. 
    We're not just building technology to stop #ransomware. We're in the rooms where national policy gets made. 📰 Full coverage via CyberScoop https://lnkd.in/esU7GgU2

  • Here’s the uncomfortable truth: Most ransomware attacks don’t look like ransomware… until it’s too late. They look like:

    → Normal logins
    → Remote access tools
    → Routine admin activity

    That’s why they keep working. In March, Halcyon’s ROC team saw the same pattern play out again and again - and stopped 98.6% of attacks at the earliest stages. Before lateral movement. Before exfiltration. Before encryption ever had a chance. The latest ROC STAR Report breaks down what that actually looks like in real environments:

    → What attackers are using
    → Where they’re getting stopped
    → And what happens when they’re not

    Because #ransomware isn’t about getting in. It’s about what happens next. Full report: https://lnkd.in/epsWgJGA
