Ransomware Watch

Know your enemy — in plain English.

Ransomware headlines are written for security engineers. We translate the latest threat research into language a business owner can actually use: who the attackers are, how they break in, and what it means for protecting your company.

Halcyon In partnership with Halcyon — the anti-ransomware platform whose research team tracks these groups in the wild. The intelligence below is summarized from Halcyon's published research and reframed by Intelligent Automation for small and mid-sized businesses.

See the Latest Trends Am I Protected? Let's Talk

Why This Matters

You don't need to be a target to be a victim.

Modern ransomware is a business. Criminal groups rent out their software, share profits, and increasingly aim at small and mid-sized companies — because they hold valuable data but rarely have enterprise-grade defenses.

Understanding how these groups operate is the first step to defending against them. This page gives you that understanding without the jargon — and shows you where Intelligent Automation fits in.

Our Cybersecurity Approach

What Is Ransomware?

The 30-second explanation.

Attackers sneak into your network, quietly steal a copy of your data, then scramble (“encrypt”) your files so you can't open them. They demand payment to unlock the files — and threaten to publish your stolen data if you refuse. It's extortion, twice over.

Double extortion: pay to unlock and pay to keep data private
RaaS: “Ransomware-as-a-Service” — rented to affiliates like software
Dwell time: how long attackers hide inside before striking

The Threat Landscape Now

Six things that changed about ransomware.

Each trend below comes from Halcyon's latest research — with a plain-English “what this means for you.”

Under 1 hour

Attacks now finish before you notice

Fast-moving groups like Akira can break in, spread, and encrypt an entire network in less than sixty minutes — far faster than a person can react.

What this means for you: you can't catch it mid-attack by hand. Automated detection and 24/7 monitoring are essential.

Halcyon: Akira

SMBs first

Small businesses are the main target

Halcyon's 2025 research shows attackers deliberately shifting toward small and mid-sized companies — and into industries like automotive, retail, and healthcare.

What this means for you: “we're too small to be a target” is the most dangerous assumption you can make.

Halcyon: 2025 Evolution Report

Backups first

Your backups get destroyed first

Newer variants hunt down and delete backups — even on Linux and virtual machines — before they start encrypting, so you have nothing to restore from.

What this means for you: backups must be offline or “immutable” (un-deletable) and tested regularly.

Halcyon: Pay2Key Linux

Security off

They turn off your security tools

Groups like Play disable endpoint protection and even seize control of network firewalls before encrypting — blinding your defenses at the worst moment.

What this means for you: a single antivirus isn't enough. Layered defense and outside monitoring catch what one tool misses.

Halcyon: Play

One click

A fake popup is the new front door

The “ClickFix” technique tricks employees with a fake error message that asks them to copy-and-paste a “fix” — which actually installs the malware themselves.

What this means for you: your people are the entry point. Security-awareness training is a frontline defense, not a checkbox.

Halcyon: ClickFix

AI-assisted

AI is making attackers faster

Halcyon finds AI isn't inventing new super-weapons — but it is lowering the skill barrier and speeding up the work, so more attackers can move more quickly.

What this means for you: the fundamentals still defend you — but the window to get them right keeps shrinking.

Halcyon: AI & Ransomware

Threat Actor Spotlight

Meet the most active ransomware groups.

Profiles summarized from Halcyon's Threat Actor Index. Threat levels reflect Halcyon's published research.

QilinSince Jul 2022

Ransomware-as-a-Service · Double extortion

Threat LevelCritical

Targets60+ countries; Windows, Linux & VMware environments

MethodSteals data first, then encrypts; pressures victims with leak threats

Why you should careOne of the most prolific groups operating today — and the parent of several fast-growing splinter crews.

The GentlemenEmerged 2026

Qilin splinter group · RaaS

Threat LevelCritical · Rising

Targets~300 organizations across 66 countries already

MethodScaling faster than any group Halcyon has tracked on record

Why you should careProof of how quickly a new brand can go from unknown to global — newcomers are not “low risk.”

Cl0pSince Feb 2019

RaaS · Mass exploitation

Threat LevelCritical

Targets11,000+ organizations; reportedly $500M+ extorted

MethodBreaks one widely-used tool (e.g. file-transfer software) to hit thousands at once

Why you should careYou can be hit through a vendor's software you didn't even know you relied on — supply-chain risk is real.

PlayActive

RaaS · Defense evasion

Threat LevelSevere

TargetsBusinesses across many sectors

MethodDisables endpoint security and seizes network firewalls before encrypting

Why you should careShows why “we have antivirus” isn't a strategy — attackers plan to turn it off.

AkiraActive

RaaS · Speed-focused

Threat LevelSevere

TargetsSmall and mid-sized businesses

MethodCompletes a full attack in under an hour — too fast for manual response

Why you should careSpeed is the whole point. Without automated detection, the fight is over before it starts.

Pay2KeyResurged 2026

Iranian-linked · Data destruction

Threat LevelSevere

TargetsHealthcare and critical environments

MethodEncrypts an entire environment in ~3 hours and destroys backups

Why you should careNation-state-linked groups blur the line between extortion and sabotage — recovery may not be an option.

View Halcyon's Full Threat Actor Index

Your Defensive Checklist

The good news: the fundamentals still work.

Every trend above points back to the same proven defenses. You don't need to fear ransomware — you need to put these in place, and keep them working.

Offline, immutable backups — tested restores attackers can't delete
Managed detection & 24/7 monitoring — catch fast attacks automatically
Layered endpoint defense — so disabling one tool isn't game over
Multi-factor authentication everywhere — close the easy front doors
Security-awareness training — your people vs. tricks like ClickFix
A written incident response plan — know what to do before it happens

Free Tool

Check your email security in 60 seconds.

Phishing is how most ransomware starts. Run a free scan of your domain's email defenses — SPF, DKIM, DMARC and more — with Argos Doppler. No signup.

Run Free Scan

Talk to Us

Not sure where you stand?

We'll review your backups, monitoring, and defenses against exactly these threats — no pressure, no jargon.

Request a Readiness Review

Halcyon

Threat intelligence on this page is summarized and reframed from research published by Halcyon, including its Threat Actor Index and Ransomware Research Reports. All credit for the underlying research belongs to Halcyon. Intelligent Automation has translated it into plain-language guidance for small and mid-sized businesses.

Source: Halcyon (halcyon.ai) · Summarized June 2026 · Updated monthly

Explore Halcyon Research

Turn Awareness Into Protection

Understanding the threat is step one. Defending against it is what we do.

Intelligent Automation brings enterprise-grade ransomware defense — backups, monitoring, training, and response planning — to small and mid-sized businesses, at prices that make sense.

Talk to Our Team Back to Resources