{
	"id": "305f09c4-6e05-48f6-b005-f9c9ce83436c",
	"created_at": "2026-04-06T00:13:32.296618Z",
	"updated_at": "2026-04-10T03:37:50.08235Z",
	"deleted_at": null,
	"sha1_hash": "7911c2244b6ca18d513d95c3df58be73447ded4e",
	"title": "2026 Unit 42 Global Incident Response Report",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 186268,
	"plain_text": "2026 Unit 42 Global Incident Response Report\r\nArchived: 2026-04-05 16:01:48 UTC\r\nExecutive Summary\r\nWe see four major trends that will shape the threat landscape for 2026.\r\nFirst, AI has become a force multiplier for threat actors. It compresses the attack lifecycle, from access\r\nto impact, while introducing new vectors. This speed shift is measurable: in 2025, exfiltration speeds for\r\nthe fastest attacks quadrupled.\r\nSecond, identity has become the most reliable path to attacker success. Identity weaknesses played a\r\nmaterial role in almost 90% of Unit 42 investigations. Attackers increasingly “log in” with stolen\r\ncredentials and tokens, exploiting fragmented identity estates to escalate privileges and move laterally.\r\nThird, software supply chain risk has expanded beyond vulnerable code to the misuse of trusted\r\nconnectivity. Attackers exploit software-as-a-service (SaaS) integrations, vendor tools and application\r\ndependencies to bypass perimeters at scale. This shifts the impact from isolated compromise to widespread\r\noperational disruption.\r\nFourth, nation-state actors are adapting stealth and persistence tactics to modern enterprise\r\noperating environments. These actors increasingly rely on persona-driven infiltration (fake employment,\r\nsynthetic identities) and deeper compromise of core infrastructure and virtualization platforms, with early\r\nsigns of AI-enabled tradecraft used to reinforce these footholds.\r\nWhile these four trends each present a challenge, attacker success is rarely determined by a single attack\r\nvector. In more than 750 incident response (IR) engagements, 87% of intrusions involved activity across multiple\r\nattack surfaces. This means defenders must protect endpoints, networks, cloud infrastructure, SaaS applications\r\nand identity together. 
Further, nearly half (48%) involved browser-based activity, reflecting how often attacks\r\nintersect with routine workflows like email, web access and day-to-day SaaS usage.\r\nMost breaches were enabled by exposure, not attacker sophistication. In fact, in over 90% of breaches,\r\npreventable gaps materially enabled the intrusion: limited visibility, inconsistently applied controls, or excessive\r\nidentity trust. These conditions delayed detection, created paths for lateral movement, and increased impact once\r\nattackers obtained access.\r\nSecurity leaders must close the gaps attackers rely on. First, reduce exposure by securing the application\r\necosystem, including third-party dependencies and integrations, and hardening the browser, where many\r\nintrusions now begin. In parallel, reduce area of impact by advancing zero trust and tightening identity and access\r\nmanagement (IAM) to remove excessive trust and limit lateral movement. Finally, as the last line of defense,\r\nensure the security operations center (SOC) can detect and contain threats at machine speed by consolidating\r\ntelemetry and automating response.\r\nhttps://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion\r\nPage 1 of 28\n\n1. Introduction\r\nIn 2025, Unit 42 responded to more than 750 major cyber incidents. Our teams worked with large organizations\r\nfacing extortion, network intrusions, data theft and advanced persistent threats. Targets spanned every major\r\nindustry and more than 50 countries. In each case, the situation had escalated to the point where the SOC called\r\nfor backup.\r\nWhen that call comes, our incident responders move quickly to investigate, contain and eradicate the threat. 
We\r\nhelp organizations establish what happened, restore operations, and reduce the risk of recurrence by strengthening\r\ncontrols, visibility and resilience.\r\nEach intrusion tells a story: what the attacker targeted, how they gained access, how the activity escalated and\r\nwhat could have stopped it sooner. In the aggregate, these stories become trends and provide insight into the\r\nglobal threat landscape. They show what’s changing in adversary tradecraft, the repeated mistakes organizations\r\nmake, and most importantly, what defenders can do to keep their organizations safe. This report distills those\r\nlessons.\r\nOver the past year, attack speeds continued to accelerate. Attackers are still early in their adoption of AI-enabled\r\ntradecraft, but its impact is already visible. AI reduces friction across reconnaissance, social engineering, scripting,\r\ntroubleshooting and extortion operations. It enables greater scale and the ability to launch multiple attacks\r\nsimultaneously. The result is a shrinking window for detection and containment, where what happens in the first\r\nminutes after initial access can determine whether an incident becomes a breach.\r\nAt the same time, most breaches still follow familiar paths. And that is why our most important conclusion\r\nremains unchanged: security is solvable. In more than 90% of incidents, misconfigurations or lapses in security\r\ncoverage materially enabled the intrusion. 
Attackers are adapting, but they most often succeed by exploiting\r\npreventable gaps — inconsistent control deployment, incomplete telemetry, over-permissive identity trust and\r\nunmanaged third-party connectivity across SaaS and cloud.\r\nThis report is organized as a practical guide to the current threat landscape:\r\nEmerging threats and trends: How attacker tradecraft is evolving — AI as a force multiplier, identity as\r\nthe most reliable path to success, expanding software supply chain risk through trusted connectivity and\r\nevolving nation-state tactics.\r\nInside the intrusion: An aggregate view of observed tactics, techniques and procedures across Unit 42\r\ninvestigations — what attackers target, how they get in, how fast they move and the impacts they drive.\r\nRecommendations for defenders: Concrete steps to close the gaps that enable compromise, constrain area\r\nof impact, and build response capability fast enough to stop incidents before they escalate.\r\nUnit 42 operates 24/7 to protect the digital world from cyberthreats. The goal of this report is straightforward: to\r\nturn what we learn on the front lines into decisions that stop incidents before they become breaches.\r\nSam Rubin\r\nSVP of Consulting and Threat Intelligence\r\nUnit 42\r\n2. Emerging Threats and Trends\r\nTrend 1. AI Has Become a Force Multiplier for Attackers\r\nAI is changing the economics of intrusions. It increases attacker speed, scale and effectiveness while opening\r\nentirely new attack vectors.\r\nWhile much of this activity occurs on adversary infrastructure — beyond our ability to directly observe — Unit 42\r\ninvestigations and research reveal a clear shift. In 2025, threat actors moved from experimentation to routine\r\noperational use. AI is not an attacker “easy button,” but it is a massive friction reducer. 
It allows threat actors to\r\nmove faster, iterate more frequently, and operate with fewer human constraints.\r\nAI Increases the Speed and Scale of Attacks\r\nAI compresses the attack lifecycle and reduces the manual effort required to operate across multiple targets.\r\nFaster vulnerability exploitation: The window between disclosure and exploitation continues to shrink. Threat\r\nactors are automating the “monitor → diff → test → weaponize” loop. Unit 42 research found that attackers start\r\nscanning for newly discovered vulnerabilities within 15 minutes of a CVE being announced. Exploitation attempts\r\noften begin before many security teams have even finished reading the vulnerability advisory.\r\nParallelized targeting: Operator time is less of a constraint. AI-assisted workflows allow actors to run\r\nreconnaissance and initial access attempts across hundreds of targets in parallel, and then concentrate effort where\r\nthey find a weak signal.\r\nRansomware at scale: We see actors using AI to reduce manual work during deployment (script generation,\r\ntemplating) and extortion (messaging consistency). The shift is not that ransomware is new, it is that the operator\r\ntime required to run it at scale is dropping.\r\nIn a ransomware investigation, Unit 42 recovered operational scripts used to deploy payloads, coordinate lateral\r\nmovement and impair security controls at scale. Several elements were consistent with AI-assisted development,\r\nincluding unusually thorough commenting, templated variants and efficiency-focused fallback logic. The net\r\neffect was machine-like execution across hundreds of systems, compressing the time and effort typically required\r\nto stage a multi-phase deployment.\r\nIn an extortion case, Unit 42 negotiators observed responses that were unusually consistent in tone, grammar,\r\ncadence and turnaround time across exchanges. These patterns are consistent with templated or AI-assisted\r\nmessaging. 
Even partial automation matters: it enables actors to run more concurrent negotiations and apply more\r\ndisciplined pressure, without tying up a human operator on every thread.\r\nWhat this means in time-to-impact: Last year, Unit 42 simulated an AI-assisted attack that reduced time-to-exfiltration down to 25 minutes. Real-world IR data reflects this acceleration: the fastest 25% of intrusions\r\nreached exfiltration in 1.2 hours, down from 4.8 hours the calendar year prior.\r\nAI Improves Attacker Outcomes\r\nAI is raising the success rate of known attack techniques.\r\nHyper-personalized social engineering: We have moved past “phishing with better grammar.” Actors can\r\nautomate open-source intelligence (OSINT) collection, including professional and organizational context, to craft\r\nlures that match the target’s role and relationships.\r\nSynthetic identities: Threat actors like Muddled Libra and North Korean IT workers increasingly use deepfake\r\ntechniques to steal credentials and pass remote hiring workflows.\r\nMalware development: In the Shai-Hulud campaign, Unit 42 assessed that attackers used a large language model\r\n(LLM) to generate malicious scripts.\r\nLowered barrier to entry: Purpose-built malicious LLMs and jailbreak attacks continue to reduce the skill\r\nrequired to produce persuasive lures and functional code variants. The net effect is that more actors are able to\r\nexecute credible tradecraft faster, with fewer mistakes.\r\nAn unsophisticated actor exfiltrated sensitive data but had no plan for the shakedown. To bridge the gap, they used\r\nan LLM to script a professional extortion strategy, complete with deadlines and pressure tactics. The result was\r\nsurreal: The actor recorded a threat video from their bed while visibly intoxicated, reading the AI-generated script\r\nword-for-word from a screen. 
The threat lacked technical depth, but the model supplied coherence. AI didn’t make\r\nthe attacker smarter; it just made them look professional enough to be dangerous.\r\nBottom line: AI improves the attackers’ rates of success at each stage. It improves the quality of lures, shortens\r\nthe time needed to adapt tools and reduces dependence on constant operator intervention, making extortion more\r\nconsistent and scalable.\r\nAI Creates New Attack Vectors\r\nEnterprise AI adoption creates a new class of risk: Living off the AI land (LOTAIL). Just as attackers misuse\r\nPowerShell or Windows Management Instrumentation (WMI), they are now weaponizing legitimate AI platforms\r\nand embedded assistants.\r\nTurning your AI platform into a weapon: Threat actors use valid credentials to misuse enterprise AI platforms.\r\nFor example, recent Unit 42 research on Google Vertex AI demonstrated how attackers could misuse custom job\r\npermissions to escalate privileges and use a malicious model as a Trojan horse to exfiltrate proprietary data.\r\nThe attacker’s co-pilot: With compromised credentials, an intruder can use an internal assistant to pull context at\r\nmachine speed, including requesting integration guides, admin runbooks or network maps. The assistant becomes\r\na force multiplier, allowing intruders to understand the environment with fewer mistakes.\r\nAn insider weaponized their company’s own AI assistant to stage an attack. Forensic analysis showed the insider\r\nused the tool to research internal systems, generate a custom denial-of-service (DoS) script and troubleshoot errors\r\nin real time. 
The assistant bridged a skill gap, enabling the actor to target core infrastructure they likely could not\r\nhave operated against as effectively without AI support.\r\nThe risk is clear: if a tool can help employees get work done, it can also help intruders understand your\r\nenvironment and move with fewer mistakes.\r\nCountermeasures: Defending Against AI-Driven Threats\r\nThese tactics will help you defend against AI-assisted attacks:\r\nCounter AI-accelerated attack speed\r\nAutomate external patching: Mandate automated patching for critical CVEs on internet-facing assets to\r\nclose the 24-hour exploitation window.\r\nAutonomous containment: Deploy AI-driven response to drive down mean time to detect/respond\r\n(MTTD/MTTR) and isolate threats before they can automate lateral movement.\r\nDefend against improved tradecraft\r\nBehavioral email security: Transition from signature-based filters to engines that identify anomalies in\r\ncommunication patterns.\r\nIntent-based awareness: Move beyond simply training employees to spot typos. Shift to out-of-band\r\n(OOB) verification for all sensitive requests (e.g., wire transfers, credential resets or remote hiring).\r\nProtect the AI attack surface\r\nMonitor model telemetry: Correlate unusual AI API calls or scripts sourced from model outputs with\r\nknown evasion techniques.\r\nPrompt visibility: Alert on sensitive queries to internal LLMs (e.g., “find all passwords”) and enforce\r\nstrict permission boundaries for tokens and service accounts.\r\nTrend 2. Identity Is the Most Reliable Path to Attacker Success\r\nIn the past year, identity weaknesses played a material role in nearly 90% of the investigations Unit 42 handled. In\r\nour caseload, identity shaped intrusions end to end. 
It served as the way in, the path to privilege escalation and the\r\nmechanism for lateral movement using valid access.\r\nAs organizations move deeper into SaaS, cloud and hybrid environments, the network perimeter matters less.\r\nIdentity — the linkage between users, machines, services and data — has become the practical perimeter. In many\r\ncases, threat actors don’t need a sophisticated exploit chain. They log in with stolen credentials, hijacked sessions\r\nor mis-scoped privileges.\r\nAuthenticated access changes the dynamics of an intrusion. It lets adversaries move faster, blend into normal\r\nactivity and expand their area of impact with fewer obstacles. This trend is accelerating as machine identities,\r\nembedded AI applications and fragmented identity estates expand the number of access paths attackers can\r\nexploit.\r\nThe Way In: Identity-Driven Initial Access\r\nUnit 42 case data shows that 65% of initial access is driven by identity-based techniques. While defenders focus\r\non patching vulnerabilities, threat actors often bypass software controls by targeting users and authentication\r\npaths.\r\nWe see the following primary routes to initial access:\r\nIdentity-related social engineering (33%): Identity-based phishing (22%) and other social engineering\r\n(11%) remain the leading drivers of modern breaches. Rather than simple credential theft, these tactics\r\nincreasingly focus on multi-factor authentication (MFA) circumvention and session hijacking, allowing\r\nattackers to bypass authentication controls and move laterally by exploiting trusted identity workflows.\r\nCredential misuse and brute force (21%): Previously compromised credentials (13%) and brute force\r\nactivity (8%) allow attackers to gain access with little interaction. 
By using valid accounts obtained from\r\nprior breaches or underground markets, actors log directly into virtual private networks (VPNs), remote\r\naccess gateways and cloud portals, bypassing traditional perimeter defenses without triggering early\r\ndetection.\r\nIdentity policy and insider risk (11%): Stemming from internal trust and architectural flaws, these\r\nvectors involve the exploitation of valid permissions. Attackers leverage IAM misconfigurations (3%),\r\nsuch as overly permissive policies, to escalate privileges and inherit access, while insider threats (8%)\r\ninvolve the abuse of legitimate credentials.\r\nIdentity and vulnerability management are not separate fights. A leaked credential can create the same exposure as\r\nan unpatched internet-facing system.\r\nThe Way Through: Identity Turns Access Into Impact\r\nAfter initial access, identity gaps are one of the most common ways attackers turn a foothold into a high-impact\r\nbreach. In modern environments, authenticated actions determine speed and blast radius.\r\nUnit 42 analysis of more than 680,000 identities across cloud accounts found that 99% of cloud users, roles and\r\nservices had excessive permissions, some unused for 60 days or more. This creates an environment where lateral\r\nmovement is easier than it should be, because many identities carry privileges they don’t need day to day.\r\nAttackers exploit both human and machine identities as operational levers:\r\nPrivilege escalation: Over-scoped roles, inherited permissions and unretired legacy grants create\r\nrepeatable paths to higher privilege. Once an attacker can write to IAM, they can often escalate quickly\r\nwithout deploying novel tooling.\r\nCredential reuse and lateral movement: Actors commonly test compromised credentials across other\r\nsystems. 
This is especially true where passwords are reused across production and non-production\r\nenvironments, or where shared accounts still exist.\r\nToken and OAuth misuse: Stolen session tokens and illicit OAuth grants let attackers bypass interactive\r\nauthentication (including MFA), persist without repeated logins and operate with fewer obvious alerts.\r\nTrust paths (e.g., shared administrative accounts, delegated access and third-party tools) become fast lanes for\r\nlateral movement. Without tight privilege boundaries and strong identity segmentation, a single compromised\r\nidentity can expand into broad access.\r\nThe Expanding Identity Attack Surface\r\nThe identity landscape is expanding and fragmenting. As organizations adopt cloud, SaaS and AI-enabled\r\nworkflows, identity moves into areas that often sit outside consistent governance, creating areas where attackers\r\noperate with reduced visibility.\r\nThree trends are driving this shift:\r\nThe rise of machine and AI identities: Non-human identities, like service accounts, automation roles,\r\nAPI keys and emerging AI agents, often outnumber human users. These identities are frequently over-privileged, rely on long-lived credentials and are inconsistently monitored. For an attacker, compromising a\r\nservice account can be higher leverage and quieter than compromising a person.\r\nShadow identities: Cloud and AI adoption has increased the volume of unsanctioned accounts, developer\r\nenvironments and third-party connectors. These shadow identities often bypass standard onboarding,\r\nreview and logging, creating access paths the SOC might not see until after impact.\r\nIdentity silos: Most enterprises operate multiple identity systems (e.g., Active Directory, Okta, cloud-native IAM). When authentication and authorization are fragmented, so is visibility. 
Attackers can move\r\nbetween on-premises and cloud environments while leaving incomplete trails in any single control plane.\r\nMisconfiguration at scale turns identity from a control into a liability. When machine identities, shadow access\r\nand fragmented identity estates combine, attackers gain more reliable paths to persist and expand. And defenders\r\nlose end-to-end visibility.\r\nCountermeasures: Disrupting Identity-Driven Tradecraft\r\nThese tactical steps can disrupt the identity-related tradecraft observed in Unit 42 cases:\r\nDeploy phishing-resistant MFA: Standard MFA is not enough against modern bypass and adversary-in-the-middle tactics. Prioritize FIDO2/WebAuthn hardware keys or passkeys for high-value roles (admins,\r\nexecutives, developers).\r\nInventory and rotate machine identities: Establish continuous discovery for non-human identities\r\n(service accounts, automation roles, API keys). Immediately rotate static credentials for any privileged\r\nservice account that has not changed in 90 days and reduce credential lifetime wherever possible.\r\nHarden the session: Attackers increasingly pivot post-login by stealing tokens and misusing OAuth\r\ngrants. Reduce session lifetimes for sensitive applications and enforce conditional access that continuously\r\nevaluates device health, location and risk during the session.\r\nEliminate standing admin rights: Move privileged access to a just-in-time model. Remove persistent\r\nadmin grants and require time-bound elevation with approvals and strong logging, so a compromised\r\naccount yields minimal privilege by default.\r\nTrend 3. Software Supply Chain Attacks Increasingly Drive Downstream Disruption\r\nSupply chain risk is no longer limited to vulnerable code. In 2025, the supply chain expanded to include SaaS\r\nintegrations, vendor management planes and complex dependency ecosystems. 
The defining pattern was\r\ndownstream disruption and parallel assessment. When an upstream provider reported a compromise or outage,\r\ncustomers were often left to stop and answer a basic question: are we affected? In many cases, they had limited\r\nvisibility into their own exposure.\r\nThe new failure mode is not one compromised customer but many customers pushed into parallel triage\r\nwhile the upstream picture is still unclear. This makes the supply chain a high-value target for both nation-states\r\nand criminal groups. A single compromise can create a one-to-many opportunity, delivered through the trusted\r\nconnectivity modern business relies on.\r\nSaaS Integrations: Inherited Permissions at Scale\r\nSaaS environments are stitched together through OAuth apps, API keys and workflow automation. These\r\nconnections routinely carry access to data and business processes. For attackers, compromised integrations can\r\nbecome a lateral movement path that looks like normal automation.\r\nThis exposure is reflected in Unit 42 investigations. Data from SaaS applications was relevant to 23% of cases in\r\n2025, up from 18% in 2024, 12% in 2023, and just 6% in 2022. The steady increase shows how attackers are\r\nmoving past traditional perimeters and concentrating on the cloud-based tools where modern work now takes\r\nplace.\r\nThe risk is inherited permissions. When an organization integrates a third-party app via OAuth, that application\r\nreceives whatever rights were originally granted, sometimes including the ability to read sensitive data, manage\r\nusers or modify records. If the upstream provider is compromised, those same permissions can be misused\r\ndownstream.\r\nIn a recent investigation involving a compromised sales engagement platform (Salesloft/Drift integration),\r\nattackers leveraged valid OAuth tokens to access downstream Salesforce environments. 
The activity resembled\r\nroutine customer relationship management (CRM) automation and blended into expected integration traffic. Post-incident review revealed a deeper issue: the organization discovered nearly 100 additional third-party integrations\r\nconnected to Salesforce, many dormant, unmonitored or owned by former employees.\r\nOpen Source and AI: Dependency Sprawl and Build-Time Compromise\r\nOpen source remains the foundation of modern development, but the risk increasingly concentrates in indirect\r\ndependencies. Unit 42 research indicates that over 60% of vulnerabilities in cloud-native applications reside in\r\ntransitive libraries. These libraries are the “silent” dependencies pulled in through packages that your code relies\r\non.\r\nThreat actors are also injecting malicious code into upstream packages to execute during install and build steps,\r\ncompromising pipelines before deployment. Development velocity compounds this risk. As GenAI-assisted\r\ncoding becomes mainstream, teams are ingesting more code and more dependencies faster. This is often done with\r\ninsufficient scrutiny of provenance, maintainer trust and downstream package behavior.\r\nWe investigated a campaign where threat actors uploaded malicious versions of legitimate npm packages. One\r\npackage, embedded deep in a dependency tree, executed attacker-controlled code immediately upon installation.\r\nBecause this activity occurs during build and install, it can bypass runtime detections and establish a foothold\r\nacross multiple build environments before anyone sees an alert.\r\nVendor Tools: Weaponizing Management Channels\r\nVendor tools, especially remote monitoring and management (RMM) and mobile device management (MDM)\r\nplatforms, are designed for privileged administrative action at scale. 
When attackers gain access to a vendor’s\r\nmanagement infrastructure (or the customer’s tenant), they can push malware, run commands or change\r\nconfigurations in ways that blend into routine administrative traffic. This trend is backed by our observations in\r\nthe field: We identified that 39% of command-and-control (C2) techniques were related to remote access tools\r\n(T1219).\r\nEnterprises also inherit risk from opaque third-party applications running inside critical workflows. When\r\ncustomers cannot inspect a vendor’s codebase or security assumptions, latent backdoors, hard-coded credentials or\r\nexposed interfaces can persist unnoticed.\r\nIn a multi-national investigation, a legacy third-party billing application exposed an undocumented,\r\nunauthenticated interface to the internet. Existing controls did not detect it because the traffic appeared consistent\r\nwith normal application behavior. Deeper assessment revealed structural flaws, including SQL injection points and\r\nhidden shell functionality. These issues had persisted for years because the customer could not inspect the\r\nunderlying code.\r\nThe Impact: From Response to Business Disruption\r\nSupply chain incidents amplify disruption through uncertainty. When a supplier is compromised, downstream\r\nteams operate in an information vacuum. 
The result is organizations going into “assessment mode” at scale, as\r\nteams pause changes, review integrations, isolate dependencies and attempt to confirm the absence of impact\r\nbefore normal operations resume.\r\nThree systemic gaps drive that burden:\r\nInventory gaps: Many organizations lack a unified view of SaaS connections, vendor agents and transitive\r\nlibraries, slowing the answer to “where is this used?”\r\nPermission opacity: Effective privileges of integrations, agents and tooling are difficult to determine\r\nquickly without manual review, making the true impact unclear.\r\nTelemetry gaps: Because activity arrives through trusted channels (updates, API calls, administrative\r\ntooling), logs often look legitimate, which can delay detection and increase investigation time.\r\nLooking ahead: This challenge will compound as organizations adopt AI-enabled workflows and third-party\r\nagents. Supply chain risk will increasingly include not just code integrity, but the integrity of models, connectors\r\nand delegated actions executed on an organization’s behalf.\r\nCountermeasures: Safeguarding the Software Supply Chain\r\nDefending the supply chain requires reducing the time needed to assess exposure and the area of impact.\r\nMap SaaS ownership and scope: Inventory OAuth apps and integrations (SaaS security posture\r\nmanagement and discovery). Assign owners. Remove dormant integrations and those tied to departed\r\nusers.\r\nDesign “break-glass” severing plans: Predefine how to revoke tokens, disable connectors and isolate\r\nvendor agents without improvising during an upstream incident.\r\nLog vendor and integration activity at audit depth: Ensure you can answer what was executed, where\r\nand by whom. 
Alert on permission changes, token grants and anomalous admin actions.\r\nHarden build ingestion: Use software composition analysis (SCA) and provenance controls. Pin versions,\r\nrestrict new repositories and require review for new dependencies, especially those that execute at install or\r\nbuild time.\r\nTrend 4. Nation-State Actors Are Adapting Tactics to Modern Environments\r\nNation-state operations expanded in 2025, advancing espionage, pre-positioning and access campaigns. Across\r\ncampaigns affiliated with China, North Korea and Iran, three shifts stood out:\r\nGreater use of identity-driven access\r\nDeeper compromise of infrastructure and virtualization layers\r\nEarly experiments with AI-enabled tradecraft aimed at stealth and persistence\r\nChina-aligned groups moved beyond user-level activity into infrastructure and virtualization platforms. North\r\nKorean and Iranian operators broadened their use of recruitment lures, synthetic personas and tailored malware to\r\nestablish access. We also observed emerging AI-driven techniques, including deepfake identity creation and\r\nautomated C2 generation.\r\nThese developments reflect a shift toward access methods that are significantly harder for defenders to detect and\r\nvalidate.\r\nChina: Focused on the Edge and Virtualization\r\nChinese-nexus threat activity continued to prioritize long-term access and data collection. Notable shifts in 2025\r\nmoved from email-focused espionage to deeper exploitation of application, infrastructure and virtualization layers.\r\nPhantom Taurus exemplified this change, evolving from campaigns centered on sensitive email collection to direct\r\ntargeting of databases and web servers for collection and exfiltration. 
Its NET-STAR malware used advanced\r\nevasion techniques, posing significant risk to organizations with exposed web infrastructure.\r\nSimilarly, we observed a year-long persistence campaign against information technology, SaaS and business-process outsourcing organizations (tracked by Unit 42 as activity cluster CL-STA-0242). The group behind the\r\ncampaign compromised virtualization platforms operated by IT service providers and deployed BRICKSTORM\r\nmalware, which concealed C2 traffic inside ordinary encrypted web sessions, making detection through network\r\nmonitoring far more difficult. CISA has publicly attributed BRICKSTORM activity to China state-sponsored\r\nactors.\r\nThese shifts illustrate a continued move away from user-level collection toward deeper compromises of\r\ninfrastructure and virtualized environments, where long-term access is both more durable and harder for defenders\r\nto detect.\r\nNorth Korea: Weaponized HR Part I\r\nNorth Korean threat activity remained a persistent challenge for enterprises in 2025. Multiple long-running\r\ncampaigns continued despite extensive public reporting, law-enforcement actions and multilateral sanctions\r\nmeasures.\r\nUnit 42 tracked at least two campaigns:\r\nWagemole: North Korean operatives obtained unauthorized remote employment with U.S. and European\r\norganizations and covertly routed income back to the regime. The access gained through these contractor\r\nand employee roles enabled both unauthorized financial payments and espionage. First publicly exposed in\r\n2023, Wagemole remained active in 2025, and we identified and evicted related activity from more than 20\r\nenterprise environments.\r\nContagious Interview: Since at least 2022, operators have targeted software developers and IT personnel\r\nthrough fictitious job interviews that deliver malware via coding challenges. 
In 2025 alone, we removed\r\nContagious Interview infections from more than 10 enterprise networks, underscoring the risks associated\r\nwith running unverified code on corporate systems.\r\nIran: Weaponized HR Part II\r\nIranian threat activity remained high in 2025 as multiple groups continued operations against strategic sectors. Of\r\nparticular note are Screening Serpens and Curious Serpens, both of which used employment-themed lures to target\r\naerospace and satellite-communications providers. This activity reflects Iran’s long-running interest in\r\norganizations that handle sensitive technical and operational information.\r\nUnit 42 tracked the following campaigns:\r\nScreening Serpens (aka Smoke Sandstorm, UNC1549): This group targeted government organizations\r\nin the Middle East by creating fraudulent employment portals that mimicked well-known aerospace and\r\ndefense companies. These sites delivered malware packaged as job application materials, often signed with\r\nvalid code-signing certificates to increase credibility. Operational security errors allowed Unit 42\r\nresearchers to review the full infection chain, which prompted candidates to download an infected survey\r\nfile or document bundle.\r\nCurious Serpens (aka APT33, Peach Sandstorm): Curious Serpens targeted a communications provider\r\nthrough job-recruitment lures sent by email and posted on career-oriented websites. The operation installed\r\na modular backdoor capable of collecting intelligence and staging follow-on payloads. 
Operators relied on\r\nlegitimate signed executables, DLL side-loading and evasion techniques, showing continued investment in\r\na specialized tool set designed to circumvent modern security controls.\r\nIn one Screening Serpens investigation, an attacker approached an employee through LinkedIn and personal email\r\nwith a tailored résumé file that installed malware and enabled the use of legitimate remote-management tools. Once\r\ninside, the operator gathered credentials, surveyed the environment, deployed a custom backdoor and attempted to\r\nremove activity traces, indicating an emphasis on persistence and stealth.\r\nUsing realistic employment themes and signed binaries increases the likelihood that victims will open malicious\r\nfiles. This highlights the need for sensitive sectors to monitor recruitment-related activity and verify any externally\r\nsourced documents or code.\r\nNation-State Adoption of Artificial Intelligence\r\nEvidence of large-scale AI adoption by nation-state actors remains limited, but 2025 offered early signs that some\r\ngroups are beginning to integrate AI into their operations. Much of this activity is difficult for defenders to\r\nobserve, since many likely use cases (such as malware development, infrastructure generation or analysis of\r\nexfiltrated data) occur outside enterprise environments and beyond conventional visibility. As capabilities\r\nadvance, understanding where nation-states are experimenting with AI is increasingly important for anticipating\r\nfuture tradecraft.\r\nAttackers appear most interested in using AI to strengthen persistence and build more durable footholds. Nation-state operators have shown a growing reliance on identity- and credibility-driven entry points and deeper\r\ncompromise of virtualized and application infrastructure. 
These access methods are already difficult for defenders\r\nto validate, and AI will likely make them more efficient and harder to disrupt.\r\nOne of the clearest public examples emerged in July, when Ukrainian authorities, in a CERT-UA advisory,\r\nreported that suspected Russian malware known as LAMEHUG used an LLM to generate C2 instructions through\r\nan API. Attributed to Fighting Ursa (aka APT28, Fancy Bear), the activity replaced a human operator with an\r\nautomated workflow.\r\nNorth Korean operators also showed signs of AI experimentation. In Unit 42 research associated with the\r\nWagemole campaign, investigators identified suspected North Korean accounts using AI-based image\r\nmanipulation services to create deepfake personas for employment fraud schemes. In a related Contagious\r\nInterview-style operation, attackers fabricated an entire company and populated it across multiple social\r\nnetworking platforms using AI-generated identities, repurposed accounts and modified profiles belonging to real\r\nprofessionals. The result was a convincing corporate façade designed to increase trust and improve the success\r\nrate of recruitment-driven access operations.\r\nCountermeasures: Defending Against Nation-State Adversaries\r\nFocus defenses on the access paths, infrastructure layers and trusted channels nation-state operators use to gain\r\nand maintain long-term access.\r\nTighten verification across identity and recruitment workflows: Strengthen checks on contractor\r\nonboarding and external hiring to catch synthetic personas, deepfakes and job-themed lures before they\r\nreach core systems.\r\nExpand monitoring across virtualized and application infrastructure: Baseline and log activity on\r\nvirtualization platforms, web-facing applications and service-provider environments. 
Alert on deviations\r\nthat signal persistence or lateral movement.\r\nHarden and monitor the use of trusted tools and channels: Review how signed binaries, encrypted\r\ntraffic, remote-management tools and collaboration platforms are used. Flag patterns that suggest\r\ncredential misuse or covert activity.\r\nInstrument and govern AI-related activity in sensitive workflows: Limit which AI services can interact\r\nwith identities, source code or sensitive data. Log their use and investigate anomalous patterns that could\r\nindicate automated persona creation or AI-driven operations.\r\n3. Inside the Intrusion\r\nThis section breaks down the behavior we observed in Unit 42 Incident Response investigations in 2025. We\r\norganize these observations into four dimensions to show what attackers are doing and how they are succeeding:\r\nThe attack surface: This is where attackers strike. Intrusions rarely stay in one lane; they now span\r\nendpoints, cloud infrastructure and identity layers simultaneously.\r\nThe entry point: This is how they get in. Phishing and vulnerabilities have tied as the leading initial access\r\nvectors, each at 22%. Attackers are pragmatic: they exploit human error and unpatched systems with equal\r\nfrequency to force the door open.\r\nThe velocity: This is how fast they move. While average times vary, the fastest group of attackers is\r\naccelerating, shrinking the window for effective defense.\r\nThe impacts: This is the cost to the victim. This year marked a shift away from encryption and toward data\r\ntheft and extortion.\r\n3.1. The Attack Surface: Intrusions Span the Enterprise\r\nAttacks Rarely Stay in One Lane\r\nTable 1 lists the primary attack surfaces involved in Unit 42 investigations in 2025, spanning endpoints, networks,\r\ncloud services, identity systems, applications, email and user-driven activity. These categories represent the\r\nprimary operational layers where we observed attacker activity during investigations. 
Because intrusions\r\nfrequently span multiple layers, they are not mutually exclusive and do not sum to 100%. A single incident may\r\ninvolve several at once.\r\nAttack Surface Percentage\r\nIdentity 89%\r\nEndpoints 61%\r\nNetwork 50%\r\nHuman 45%\r\nEmail 27%\r\nApplication 26%\r\nCloud 20%\r\nSecOps 10%\r\nDatabase 1%\r\nTable 1. Attack surfaces involved in intrusions, showing the percentage of incidents in which each surface was\r\naffected.\r\nAcross all incidents, 87% involved activity across two or more attack surfaces. Sixty-seven percent of incidents\r\ninvolved activity across three or more surfaces. Activity across four or more attack surfaces appeared in 43% of\r\nattacks, and we have observed cases with activity across as many as eight attack surfaces. While the distribution of\r\naffected attack surfaces varies year to year, this pattern reinforces the fact that intrusions rarely remain confined to\r\na single surface and often expand as access and opportunity grow.\r\nIdentity featured prominently in many incidents — at nearly 90% — representing one of the most commonly\r\ninvolved attack surfaces in our caseload.\r\nActivity targeting humans also appeared frequently, accounting for 45% of incidents. This pattern echoes the\r\nbroader themes in our recent Social Engineering Report, which highlights how human-layer interaction continues\r\nto play a decisive role in intrusion success.\r\nThe Browser Attack Surface: Attacks at the Human Interface\r\nBrowser activity played a role in 48% of investigations this year (up from 44% in 2024). 
This reflects how routine\r\nweb sessions expose users to malicious links, credential-harvesting pages and injected content when local controls\r\nare weak.\r\nIn one ClickFix incident we investigated, attackers directed an employee at a global industrial firm to a spoofed\r\nwebsite through search engine optimization (SEO) poisoning while searching for a restaurant. The site used\r\nsocial-engineering prompts to convince the employee to execute malicious code copied into their clipboard, after\r\nwhich the attacker attempted to run malware in memory. The attacker appeared to be trying to download an\r\ninfostealer, although we could not confirm the exact payload.\r\nA global medical technology firm experienced an intrusion that began with SEO poisoning. An administrator\r\naccessed a spoofed site hosting a malicious version of an administrative tool, and the link was later shared with a\r\ndomain administrator through an internal messaging call. This resulted in the execution of the compromised\r\nsoftware. After gaining a foothold, the attacker deployed ransomware across key systems, exfiltrated data and\r\nissued a ransom demand. The resulting disruption affected manufacturing, distribution, shipping and order\r\nprocessing for an extended period while systems were restored.\r\nUnmanaged applications and limited browser protections allowed an initial execution attempt in one incident\r\nbefore it was contained. In another, privileged execution of a malicious administrative tool enabled ransomware\r\ndeployment and broader operational disruption.\r\nThe Cloud Attack Surface: Compromising the Pipeline\r\nReflecting a continuation of last year’s pattern, about 35% of our investigations involved cloud or SaaS assets. 
In\r\nthese cases, the investigation required collecting logs or images from cloud environments or reviewing activity\r\nwithin externally hosted applications, indicating that the intrusion touched cloud-hosted assets or workflows.\r\nCloud weaknesses varied, but even basic issues shaped attacker behavior once they established access. In one\r\ninvestigation, sensitive cloud credentials were found exposed in a public repository, expanding the paths attackers\r\ncould use to reach cloud environments.\r\nIn another investigation, attackers targeted a developer in an open-source forum and persuaded them to download\r\na poisoned debugging tool. This turned a routine collaboration into a point of cloud compromise.\r\nThe compromised tool provided attackers with access to the developer’s stored cloud credentials. They used these\r\ncredentials to reach backend systems and trigger unauthorized withdrawals across several blockchain networks.\r\nThis case shows how access obtained through cloud-native development workflows can be misused to reach\r\nsensitive systems and cause substantial impact.\r\n3.2. The Entry Point: Initial Access Comes from Predictable Paths\r\nInitial access in 2025 followed a familiar pattern, with most intrusions beginning through a concentrated set of\r\nwell-understood vectors. Figure 1 shows the distribution of those pathways across the past five years, highlighting\r\nhow phishing and software vulnerabilities consistently appear among the top entry points. While the relative\r\nbalance between vectors shifts year to year, the overall trend is stable: attackers continue to rely on a small\r\nnumber of dependable techniques to gain their initial foothold.\r\nFigure 1. Initial access vectors (2021–2025). Unit 42 data collection methodology has adjusted to provide more\r\ngranularity, reducing the “Other” category. 
Increased granularity also introduces new categories, such as “Insider\r\nthreat and Misuse of trusted relationships and tools.” When data is not available for a specific year, it is denoted\r\nby N/A.\r\nPhishing and Vulnerabilities Tie for Dominance\r\nPhishing and vulnerability exploitation are the most common initial access vectors, with each accounting for 22%\r\nof the initial access across 2025 incidents. This parity exists simply because both methods work incredibly well.\r\nPhishing campaigns are achieving higher conversion rates as AI helps attackers craft credible, error-free lures that\r\nbypass traditional filters and engage users more effectively. At the same time, vulnerability exploitation is\r\naccelerating as attack surfaces expand and automation allows adversaries to scan for and exploit weaknesses faster\r\nthan defenders can patch. Because both vectors offer a reliable path to compromise, attackers are heavily utilizing\r\nboth.\r\nBeyond phishing and vulnerability exploitation, we see important trends for the other key initial access vectors\r\nacross the five-year dataset:\r\nPreviously compromised credentials declined to 13% in 2025, reversing heightened activity reported in\r\n2023 and 2024.\r\nActivity within the “Other Social Engineering” category grew substantially over the period, rising from 3%\r\nin 2021 to 11% in 2025 even after we introduced more granularity. 
Much of this growth appears to align\r\nwith direct-interaction tactics such as the help-desk manipulation techniques used by groups like Muddled\r\nLibra.\r\nBrute force fell from 13% to 8%, ending a multi-year rise and suggesting stronger identity controls across\r\nmany organizations.\r\nIAM misconfigurations remain a persistent initial access vector, appearing between 1% and 4% throughout\r\nthe five-year period.\r\nVulnerability Exploitation Is Driven by Opportunity, Not Novelty\r\nAttackers rely on vulnerability exploitation when it offers a clear operational advantage. The five-year pattern\r\nshows actors responding directly to the kinds of weaknesses available to them and the effort required to turn those\r\nweaknesses into access.\r\nWhen high-impact issues appear in widely deployed systems, operators move quickly because the potential reach\r\nis substantial and the work needed to automate exploitation is relatively low.\r\nThis pattern reflects attacker pragmatism. Operators tend to exploit whatever is most accessible and cost-effective\r\nat any given moment.\r\nBig Environments, Bigger Vulnerability Exposure\r\nThe data suggests that the largest enterprises face a different balance of initial-access risk: in 2025, vulnerabilities\r\naccounted for just over a quarter (26%) of initial access in these environments, compared with 17% for phishing.\r\nThis pattern indicates that larger firms may be reducing their phishing exposure through stronger email filtering,\r\nuser awareness and identity controls. These measures do not eliminate phishing risk but likely limit its\r\neffectiveness relative to smaller organizations.\r\nLarge, distributed environments with mixed ownership, legacy systems and uneven patching cycles make it easier\r\nfor exploitable weaknesses to persist even in well-funded organizations. 
For firms of this size, complexity itself\r\nincreases the likelihood that vulnerabilities go unaddressed, explaining why exploitation appears more frequently\r\nas an initial access vector.\r\n3.3. Velocity: The Fastest Attacks Are Getting Faster\r\nThe time-to-exfiltration, which measures the duration between initial compromise and confirmed data theft, shows\r\na sharp acceleration at the fastest end of the spectrum. The quickest quartile of intrusions reached exfiltration in\r\njust over an hour (72 minutes) in calendar year 2025, down from nearly five hours (285 minutes) in 2024, as\r\nshown in Figure 2. The share of incidents reaching exfiltration in under one hour also increased—from 19% in\r\n2024 to 22% in 2025.\r\nTime to exfiltrate comparison between 2024 and 2025\r\nFigure 2. First-quartile attack speeds increased when comparing calendar year 2024 with calendar year 2025.\r\nAcross the full dataset, the median time to exfiltration (MTTE) was two days. Although longer than the fastest\r\nincidents, even the median highlights how quickly attackers can access and remove data once inside the\r\nenvironment.\r\nDefenders must be prepared for intrusions that progress from compromise to exfiltration in minutes or hours as\r\nwell as slower, more methodical operations that unfold over days and involve deeper reconnaissance and durable\r\npersistence.\r\n3.4. The Impact: Extortion Beyond Encryption\r\nEncryption appeared in 78% of extortion cases in 2025, a sharp decline from the near-or-above-90% levels for\r\n2021–2024 shown in Table 2. 
This represents the most pronounced year-over-year change in the dataset and shows\r\nthat traditional ransomware has not disappeared, but it is no longer uniformly present in extortion operations.\r\nExtortion Tactic 2021 2022 2023 2024 2025\r\nEncryption 96% 90% 89% 92% 78%\r\nData Theft 53% 59% 53% 60% 57%\r\nHarassment 5% 9% 8% 13% 10%\r\nTable 2. How extortion tactics have changed 2021–2025.\r\nThe reduction in encryption does not correspond to a rise in other individual tactics. Instead, it reflects that\r\nattackers increasingly view encryption as optional rather than essential. Several 2025 intrusions proceeded with\r\nextortion even when victims retained access to their systems. In these cases, data exposure, direct pressure or both\r\nwere sufficient to generate leverage without file-locking.\r\nData theft remained a consistent feature of extortion activity, appearing in more than half of cases year over year.\r\nThreat actors frequently used the threat of exposure on leak sites, and in some instances the resale of stolen data,\r\nto pressure victims regardless of whether encryption occurred.\r\nHarassment, while less common, remained a persistent tactic. These behaviors included contacting employees\r\ndirectly, threatening to publish internal information or claiming they would sell customer data to other actors if\r\nvictims didn’t pay. Some groups escalated pressure by reaching out to customers or partners, amplifying\r\nreputational and operational strain even when systems remained accessible.\r\nThese patterns show that extortion has decoupled from encryption. While encryption remains prominent, attackers\r\nnow have multiple reliable ways to create leverage. This broadens the range of conditions under which extortion\r\ncan occur. 
It also reinforces the need for visibility, rapid response and strong data-handling practices regardless of\r\nwhether attackers deploy ransomware.\r\nData Theft Remains Durable Leverage\r\nRansom economics helps explain why attackers continue to pursue these operations. Table 3 shows that median\r\ninitial demands increased from $1.25 million in 2024 to $1.5 million in 2025, and median payments also rose.\r\n2024 2025\r\nMedian initial ransom demands $1.25 million $1.5 million\r\nMedian ransom payments $267,500 $500,000\r\nTable 3. Ransomware remains a lucrative option for attackers.\r\nWhen measured against perceived annual revenue (PAR), these demands represented 0.55% of PAR, down from\r\n2% the prior year. Many ransomware groups appear to be researching victims’ ability to pay and using this\r\ninformation to calibrate demands. Asking for a lower percentage of PAR could reflect a strategy aimed at\r\nincreasing the likelihood of payment.\r\nAmong organizations that chose to pay, median payments rose from $267,500 to $500,000, though payments as a\r\nshare of PAR fell from 0.6% to 0.26%. The gap between initial demands and final payments shows how much\r\nroom victims often have to negotiate, and it underscores the value of structured negotiation in limiting financial\r\nexposure.\r\nThe choice to pay remains highly situational, influenced by operational impact, regulatory considerations, legal\r\nrequirements and business continuity needs. In 2025 cases where negotiations occurred, the median reduction\r\nbetween initial demand and final payment increased from 53% to 61%. This demonstrates how frequently\r\nexperienced negotiators can reduce costs even as overall attacker pricing trends upward.\r\nMany ransomware groups now operate with business-like structures including defined roles, affiliate programs\r\nand repeatable negotiation playbooks. 
Some cultivate “brand reputation” through dark web communications,\r\nportraying themselves as predictable or professional counterparts.\r\nThis brand maintenance extends to promise-keeping: in our 2025 dataset, threat actors fulfilled their commitments\r\n(such as providing decryption keys or allegedly deleting stolen data) in 68% of cases where they made a promise.\r\nFor defenders, these recognizable patterns can provide leverage, though they never eliminate the risk of engaging\r\nwith criminal actors.\r\nRecovery practices also shape extortion outcomes. About 41% of victims were capable of restoring systems from\r\nbackup without needing to pay, which reduced the operational impact of encryption but did not eliminate\r\ndowntime. Even with recovery, many organizations still faced system rebuilds, containment work and other delays\r\nbefore returning to normal operations. Restoration is also fragile: in 26% of extortion cases, attackers impacted\r\nbackups, adding further disruption.\r\nWhen encryption is mitigated through backup restoration, or when backups fail entirely, the threat of exposure\r\ncontinues to pressure victims, ensuring data theft remains central to extortion activity.\r\n4. Recommendations for Defenders\r\nThis section identifies the systemic weaknesses that enable attacks and the practical steps required to stop them.\r\nBy addressing the root causes rather than just their symptoms, organizations can elevate their defenses to\r\nwithstand both common and emerging threats.\r\n4.1. Common Contributing Factors: Why Attacks Succeed\r\nAttacker success is rarely about zero-day exploits. 
Across the incidents we responded to in 2025, we found that in\r\nmore than 90% of incidents, preventable gaps in coverage and inconsistently applied controls directly\r\ncontributed to the intrusion.\r\nThese gaps determine how easily an attacker gains initial access, how quickly they move laterally and whether\r\ndefenders can detect and respond in time. Across this year's investigations, three systemic conditions appeared\r\nrepeatedly.\r\n1. Visibility Gaps: Missing Context Delays Detection\r\nMany organizations fail to leverage the telemetry needed to observe early-stage attacker behavior. Critical\r\nindicators of initial access and early attacker activity often go unnoticed because the SOC has not operationalized\r\nsignals across endpoint, network, cloud and SaaS layers. The result is missing context: defenders might see\r\nindividual events, but lack the correlation to recognize an active intrusion.\r\nThis fragmentation forces responders to manually reconstruct attacks from disparate tools, creating delays that\r\nattackers exploit. In 87% of incidents, Unit 42 investigators reviewed evidence from two or more distinct sources\r\nto establish what happened, with complex cases drawing on as many as 10. A lack of unified visibility consistently\r\nslowed detection, allowing adversaries to begin lateral movement before defenders could see the full picture.\r\n2. Environmental Complexity: Inconsistency Creates the Path of Least Resistance\r\nSecurity baselines are rarely applied universally. Over time, environmental drift, driven by legacy systems,\r\ntechnology adoption or merger and acquisition activity, makes it difficult to enforce a consistent standard across\r\nthe enterprise.\r\nIn multiple investigations, critical controls like endpoint protection were fully deployed in one business unit yet\r\nmissing or degraded in another. This inconsistency creates a path of least resistance. 
Over 90% of data breaches\r\nwere enabled by misconfigurations or gaps in security coverage, rather than novel exploits.\r\n3. Identity: Excessive Trust Leads to Lateral Movement\r\nAcross our investigations, identity weaknesses repeatedly turned an initial foothold into broader access. The core\r\nissue was often excessive trust — privileges and access paths that were too permissive or remained in place long\r\nafter they were needed.\r\nAttackers escalated privileges by misusing unretired legacy roles and over-permissioned service accounts. Rather\r\nthan breaking in, they advanced by using valid access where the organization had left too much trust behind.\r\nThese failures reflect identity drift. As permissions accumulate and exceptions persist, intruders encounter fewer\r\nbarriers. Nearly 90% of incidents trace back to an identity-related element as a critical source of the investigation\r\nor a primary attack vector.\r\n4.2. Recommendations for Defenders\r\nThe recommendations that follow focus on practical steps to address the systemic conditions described above.\r\n1. Empower Security Operations to Detect and Respond Faster\r\nWith the fastest attacks now exfiltrating data in roughly an hour, security operations must move at machine speed.\r\nThis comes from empowering the SOC with comprehensive visibility across the enterprise, AI to identify the\r\nsignal in the noise, and automation to drive immediate response and remediation. Adopting these six capabilities\r\nwill put your SOC in the best position to succeed:\r\nIngest all relevant security data. Attackers do not operate in silos, yet defenders often monitor in them. In\r\n2025, visibility gaps — particularly across SaaS, cloud identity and automation layers — were a primary\r\ndriver of attacker success. 
Critical telemetry often existed but remained trapped in disparate systems,\r\npreventing defenders from correlating identity shifts with automation outputs or browser-stored artifacts\r\nlike session tokens.\r\nTo detect modern intrusions, organizations must ingest and normalize signals from identity providers,\r\ncloud platforms and SaaS applications into a unified view. This consolidation closes the weak spots\r\nattackers exploit, allowing defenders to identify escalation routes early. Whether using rule-based detection\r\nor AI, the quality of insight depends entirely on the completeness of the data feeding it.\r\nPrevent, detect and prioritize threats with AI-driven capabilities. High alert volumes and fragmented\r\ntools allow attackers to hide by spreading activity across systems. Without correlation, these actions appear\r\nunrelated, delaying escalation. AI-driven capabilities are essential to stitch these disparate signals into a\r\nunified operational view.\r\nBehavioral analytics help surface subtle anomalies, such as unusual token use or lateral movement through\r\ncloud automation, that rule-based detection often fails to catch.\r\nAI strengthens defense by correlating events across identity, endpoint, cloud and network layers,\r\nprioritizing high-fidelity incidents over background noise. This allows security teams to distinguish\r\ncoordinated attacks from routine activity instantly, ensuring analysts focus their efforts on the threats that\r\npose the greatest risk rather than chasing false positives.\r\nEnable real-time threat response with automation. Delays in containment often stem from unclear\r\nownership and manual validation steps that cannot keep pace with attacker automation. 
Effective response\r\nrequires assigning explicit authority for automated containment actions, such as revoking tokens or\r\nisolating workloads, so that execution can proceed without hesitation.\r\nBy replacing ad hoc judgment with standardized, validated playbooks, organizations ensure that response\r\nfollows an auditable sequence. However, to meet the pace of modern threats, agentic AI must be deployed\r\nas the ultimate defense accelerator. These autonomous systems dynamically investigate complex alerts,\r\ncorrelating data across domains at machine speed to gain a complete picture.\r\nOnce validated, agents are authorized to execute dynamic, surgical containment actions, from isolating\r\naffected systems via microsegmentation to automatically revoking compromised credentials. This\r\ndisciplined, intelligent approach dramatically reduces operational drift, limits attacker dwell time and\r\nprevents isolated compromises from escalating into broader incidents.\r\nTransition from reactive to proactive security. To shift from reactive defense, organizations must move\r\nbeyond traditional pentesting to continuous adversarial testing. Point-in-time audits rarely capture the\r\ninterplay of identity drift and cloud misconfigurations that attackers exploit in real-world intrusions.\r\nDefenders need to validate how controls perform under realistic conditions, ensuring telemetry pipelines\r\nand response workflows operate as intended.\r\nProactivity extends to recovery. Resilient organizations verify that systems are free of residual access, such\r\nas compromised credentials or altered configurations, before restoring services. Ensuring that remediation\r\naddresses root causes, rather than simply restoring outdated snapshots, helps prevent rapid reinfection and\r\nsupports long-term resilience.\r\nUplevel the SOC for high-performance outcomes. 
During active incidents, inconsistent containment or\r\nunclear ownership creates openings for attackers to re-establish access. High-performance SOCs eliminate\r\nthis variance by ensuring response actions are applied uniformly, regardless of the analyst or time of day.\r\nConsistency under pressure is critical; it prevents isolated compromises from escalating into broader crises.\r\nAchieving this requires bridging operational silos across Security, IT, and DevOps. Playbooks should\r\nreflect how systems operate today, rather than how they were originally designed, so that automated actions\r\nalign with real business logic. Empowering analysts with broader responsibility, such as end-to-end\r\nincident response rather than alert triage alone, improves retention, increases versatility and drives\r\nmeasurable business outcomes.\r\nDeepen your bench with an IR retainer. The right retainer extends your capabilities beyond emergency\r\nresponse. To stay ahead, organizations must test and validate controls against the specific behaviors threat\r\nactors use in the wild. Recurring assessments across offensive security, AI security, SOC processes and\r\ncloud security help confirm that telemetry pipelines and response workflows operate as intended under\r\nrealistic attack conditions.\r\nYour IR retainer partner should provide rapid access to specialists for proactive readiness checks, detection\r\nengineering and validation, ensuring that defensive improvements hold up over time. By pairing\r\ncontinuous testing with retained expertise, organizations improve resilience.\r\nBy aligning your SOC with these core principles, you transform your defense into a high-velocity response engine\r\ncapable of outmaneuvering adversaries and stopping threats before they escalate.\r\n2. 
Adopt Zero Trust to Constrain the Area of Impact\r\nZero trust is a strategic necessity in an environment where identity has become the primary attack surface. The\r\ngoal is to eliminate implicit trust relationships between users, devices and applications and to continuously\r\nvalidate every stage of a digital interaction.\r\nIn reality, achieving zero trust is complex. However, even small gains will reduce the attack surface, constrain\r\nlateral movement and minimize the impact of any initial access to your environment. By removing the assumption\r\nof safety inside the perimeter, defenders force attackers to work harder for every inch of access, slowing their\r\nvelocity and creating more opportunities for detection.\r\nContinuously verify users, devices and applications. Attackers frequently exploit the static trust that\r\npersists after an initial login. Once inside, they use stolen session tokens or valid credentials to masquerade\r\nas legitimate users, often bypassing perimeter controls entirely. Static checkpoints at the front door are no\r\nlonger sufficient.\r\nContinuous verification treats trust as dynamic, with decisions revisited as conditions change during a\r\nsession. Validating identity context, device health and application behavior in real time allows\r\norganizations to detect when a legitimate session is hijacked or when user behavior deviates from the norm.\r\nAs a result, compromised accounts or devices remain useful to attackers for only a limited period, reducing\r\nopportunities to expand access or stage data.\r\nEnforce least privilege to constrain attacker movement. Excessive permissions act as a force multiplier\r\nfor attackers. In many 2025 incidents, intruders bypassed internal controls by taking advantage of identity\r\ndrift, using accumulated privileges and unretired roles that organizations failed to remove. 
Rather than\r\nrelying on complex exploits, they moved laterally through valid but over-provisioned access paths.\r\nEnforcing least privilege reduces this attack surface by limiting users, services and applications to only the\r\naccess required for their function. This must extend beyond human users to include machine identities and\r\nservice accounts, which often retain broad, poorly monitored permissions. Removing unnecessary rights\r\neliminates the straightforward access paths attackers rely on, forcing them into more visible and difficult\r\ntechniques that are easier for defenders to detect.\r\nApply consistent inspection across trusted and untrusted traffic. Attackers know that while the perimeter is guarded, internal “east–west”\r\ntraffic between workloads often passes without inspection. They exploit this trust by using encrypted\r\ninternal connections to move laterally and stage data without triggering alarms.\r\nTo achieve consistent, pervasive threat analysis, organizations must consolidate all network, cloud and\r\nsecure access service edge (SASE) security onto a single unified platform. This unified fabric delivers\r\nconsistent Layer 7 inspection everywhere, automatically enforcing policy via one management plane.\r\nThis consolidation enables the strategic shift to advanced cloud-delivered security services. This shift\r\nallows real-time, inline analysis of all traffic, including crucial decryption and inspection of traffic moving\r\nbetween internal workloads. This capability removes the spots where attackers hide, proactively stopping\r\nunknown phishing, zero-day malware and evasive C2 activity.\r\nControl data access and movement to reduce impact. 
The most damaging outcomes in many incidents\r\noccur not at initial compromise but during subsequent data access, staging and exfiltration. Attackers often\r\nsearch for repositories with weak controls or poorly monitored flows to quietly aggregate sensitive\r\ninformation before detection.\r\nStronger governance over how data is accessed, shared and transferred reduces these opportunities by\r\nlimiting where sensitive information can move and under what conditions. When data pathways are tightly\r\ncontrolled and consistently monitored, attackers face fewer options to prepare or extract valuable assets,\r\nreducing the scale and severity of potential loss even when a compromise occurs.\r\nBy systematically eliminating implicit trust, you strip attackers of the mobility they rely on, ensuring that a single\r\npoint of compromise leads to a contained incident rather than an enterprise-wide crisis.\r\n3. Stop Identity Attacks with Stronger Identity and Access Management\r\nIdentity is now the security perimeter, yet it too often remains poorly secured. Identity weaknesses were a\r\ndetermining factor in over half of the intrusions investigated in 2025, primarily because identity stores expanded\r\nfaster than the controls intended to govern them.\r\nAttackers consistently moved through the gaps created by this governance drift, exploiting legacy permissions and\r\nunmonitored service accounts to bypass perimeter defenses. To stop this, organizations must manage identity not\r\nas a static list of credentials, but as a dynamic operational asset across the entire lifecycle.\r\nCentralize identity management for humans and machines. 
You cannot govern what you cannot see.\r\nWhen identity data is fragmented across legacy directories, cloud providers and SaaS environments,\r\nattackers take advantage of the resulting weak spots.\r\nCentralizing user and machine identities into authoritative directories simplifies authentication and\r\nremoves hidden access paths that are difficult to monitor consistently. This consolidation should also\r\ninclude third-party integrations and API connectors so that every entity requesting access, whether a\r\nperson, a service account or an AI agent, is visible to security teams. With a unified control plane in place,\r\ndefensive AI can correlate login anomalies with suspicious activity, turning identity into an active\r\noperational signal rather than a static list of credentials.\r\nCombat governance drift with continuous lifecycle management. Governance drift, where operational\r\nchanges move faster than the controls designed to guide them, remained a significant contributor to\r\nattacker leverage.\r\nRole transitions, rapid deployment cycles and everyday shortcuts widened the gap between written policy\r\nand actual access. Permissions held by workflow tools and service connectors often exceeded what policy\r\nintended. This created escalation paths that attackers exploited through legacy permissions and\r\nunmonitored service accounts. Treating identity as a lifecycle, by limiting automation to current needs and\r\nretiring excess access over time, helps close these gaps and restrict attacker movement after initial access.\r\nDetect and respond to identity-based threats. Defensive AI performs most effectively in environments\r\nwhere identities are managed as operational assets rather than static credentials. 
In our investigations,\r\norganizations with strong identity foundations showed earlier linkage between login anomalies, automation\r\nactivity and peripheral identity events, which contributed to faster containment.\r\nWhere governance was strong, detection pipelines produced clearer and more reliable indicators that\r\nhelped teams identify escalation behavior earlier. In contrast, weak governance created noise that obscured\r\nthese signals. Regular reviews keep permissions aligned to real requirements, improving the accuracy of\r\ndetection signals and ensuring that AI-assisted controls operate effectively.\r\nSecure AI and automation integrity. As organizations embed AI agents and automated workflows into\r\ncore processes, these systems become attractive targets for manipulation. In our investigations, we\r\nobserved assistant accounts deployed with broad default access and automation tools running without\r\nintegrity validation.\r\nTo prevent these tools from becoming vectors for attack, security teams must apply the same governance\r\nrigor to AI systems as they do to human users. This includes explicitly validating automation steps before\r\nthey enter production, applying integrity checks to AI-enabled workflows and ensuring that assistant\r\naccounts are hardened against misuse.\r\nBy treating identity as a dynamic operational system rather than a static directory, you eliminate the hidden\r\npathways attackers rely on and enable security teams to detect misuse the moment it occurs.\r\n4. Secure the Application Lifecycle from Code to Cloud\r\nProtecting the modern enterprise requires more than securing infrastructure. It requires securing the factory that\r\nbuilds it.\r\nIn 2025, attackers increasingly targeted the software supply chain and cloud APIs to bypass traditional perimeters,\r\ninjecting vulnerabilities into code or exploiting weak integrations before they ever reached production. 
To counter\r\nthis, organizations must extend security safeguards from the earliest stages of development through to runtime,\r\ntreating AI models, build pipelines and third-party code with the same rigor as internal systems.\r\nPrevent security issues from reaching production. Security must operate at the speed of development.\r\nIntegrating safeguards into DevOps and continuous integration and continuous deployment (CI/CD)\r\npipelines helps identify and remediate vulnerabilities in custom code, open-source components, and AI\r\nconfigurations before deployment.\r\nThe same approach applies to AI systems, where early assessment of model security and configuration\r\nreduces downstream risk. Hardening development tools and governing open-source dependencies helps\r\neliminate weak spots that attackers exploit to inherit trust within business workflows.\r\nSecure the software and AI supply chain. Although not the most common attack vector, supply chain\r\ncompromises yield the highest impact, especially for otherwise mature organizations. Weaknesses in build\r\nsystems, integration services and AI-related repositories allow attackers to reach downstream environments\r\nwithout ever interacting with a firewall.\r\nReducing this exposure requires strict provenance checks. Build environments and deployment pipelines\r\nmust have clear identity controls and integrity protections. External software libraries, API connectors and\r\nAI components should be evaluated for access patterns and update practices before adoption. Effective\r\nsupply chain governance gives detection processes a reliable baseline, making it easier to identify when a\r\ntrusted dependency begins behaving unexpectedly.\r\nIdentify and block runtime attacks. Once applications are live, the focus shifts to containment. 
Attackers\r\nfrequently attempt to persist and expand access by misusing legitimate cloud identities, APIs or workload\r\npermissions.\r\nReal-time detection, combined with consistent runtime controls such as behavioral monitoring, clear\r\nnetwork boundaries and limits on unexpected API interactions, helps disrupt these tactics. The same\r\nprotections should extend to AI hosting environments, where monitoring for model drift and unauthorized\r\ndata access limits attacker movement even after initial compromise.\r\nAutomate cloud detection and response. In the cloud, speed is the only metric that matters. Delays in\r\nisolating affected workloads or revoking misused identities give attackers the room they need to escalate.\r\nAutomation allows SecOps teams to detect and respond to cloud-based threats continuously, using native\r\ncloud controls to contain incidents quickly. Actions such as isolating compromised containers or revoking\r\nsuspicious session tokens help prevent localized issues from escalating into broader outages or data loss.\r\nBuild a culture of secure AI and development. AI is now an operational asset, not just a tool. As\r\nassistants and automated prompts become embedded in daily workflows, they introduce behavioral risks\r\nthat technical controls alone cannot solve.\r\nA strong security culture treats AI systems with the same discipline as critical infrastructure. This includes\r\nreviewing how assistants are used, avoiding the exposure of sensitive data in prompts and validating AI-generated code. 
When teams understand that human judgment remains central to effective AI use,\r\ngovernance controls are reinforced rather than bypassed, ensuring that the drive for automation does not\r\noutpace the ability to oversee it.\r\nBy embedding security into the fabric of your development and runtime environments, you help ensure that the\r\nspeed of AI and cloud innovation drives business growth rather than systemic risk.\r\n5. Secure the Attack Surface and the Human Interface\r\nSecuring the organization now requires looking beyond the corporate laptop. The modern attack surface has\r\nexpanded to include unmanaged contractor devices, public-facing cloud assets and the web browser itself, which\r\nhas become the primary workspace for the enterprise.\r\nAs defenders, we face a dual challenge. We must rigorously manage the external exposures that attackers\r\nconstantly scan for, while simultaneously securing the human interface where users interact with data, AI and the\r\nopen web. To protect this sprawling environment, security must extend its reach from the external edge down to\r\nthe browser session.\r\nReduce the attack surface with active exposure management. Unit 42 found that software\r\nvulnerabilities accounted for 22% of initial access for incidents this year, underscoring the urgent need to\r\nmove beyond simple discovery to active risk prioritization. Effective exposure management bridges this\r\ngap by creating a complete, continuous inventory of the digital footprint, including the shadow\r\ninfrastructure and unauthorized AI tools that traditional scans miss.\r\nCrucially, this strategy must filter out the noise, using threat intelligence to prioritize only those assets that\r\nare actively being targeted in the wild (such as CISA KEVs) and lack compensating controls. 
By focusing\r\nlimited resources on exploitable, business-critical risks, teams can close the window of opportunity before\r\nan attacker finds an open door.\r\nProtect the human interface. The browser is the new endpoint and the new corporate desktop. This is\r\nwhere employees access data, where contractors perform their work and unfortunately, where social\r\nengineering attacks like phishing are most effective.\r\nSecuring this interface requires an enterprise-grade secure browser that establishes a fully isolated and\r\nsecured corporate workspace for both managed and unmanaged devices. This powerful layer enforces data\r\ncontrols in real-time, regardless of the underlying hardware. It can disable copy and paste on sensitive\r\npages, prevent file downloads from unknown sources and identify advanced phishing sites that evade\r\nstandard email filters. By hardening the browser, organizations gain granular visibility into shadow AI\r\nusage and directly prevent sensitive corporate data from leaking into unauthorized GenAI tools.\r\nSecure third-party and unmanaged access. The rigid model of shipping corporate laptops to every\r\ncontractor or acquisition target is no longer sustainable or secure. Organizations need a way to enforce zero\r\ntrust access on unmanaged devices without the cost and complexity of legacy virtual desktop infrastructure\r\n(VDI) solutions.\r\nBy securing the workspace through the browser, companies can grant contractors and BYOD users secure\r\naccess to corporate applications while keeping business data strictly isolated from personal environments.\r\nThis approach accelerates merger and acquisition integration, and contractor onboarding while ensuring\r\nthat a compromised personal device cannot be used as a stepping stone into the corporate network.\r\nCollect unified telemetry and automate response. For the endpoints you do manage, data is the fuel for\r\ndefense. 
Detecting sophisticated attacks depends on collecting high-fidelity telemetry across processes,\r\nnetwork connections and identity behavior, then unifying that data within a central platform.\r\nWhen this data is analyzed by AI-driven engines, anomalies that would be invisible in isolation become\r\nclear indicators of compromise. However, detection is only half the battle.\r\nTo minimize damage, response mechanisms must be automated. Security teams must be empowered to\r\nisolate compromised endpoints, initiate forensic scans and remediate threats at machine speed, ensuring\r\nthat a localized infection does not become a systemic breach.\r\nBy securing the browser as the primary workspace and rigorously managing the external attack surface, you\r\nprotect the users and assets that traditional endpoint controls can no longer reach.\r\n5. Appendix\r\nWe organized the data in this section in three dimensions, providing defenders with a clearer view of the patterns\r\nwe have observed in 2025. First, we outline the MITRE ATT\u0026CK® techniques most closely linked to each tactic.\r\nWe then present regional and industry-level views that show how investigation types shift across geographies and\r\nsectors.\r\n5.1 Overview of Observed MITRE Techniques by Tactic\r\nThe following series of charts (Figures 3-14) show the MITRE ATT\u0026CK® techniques we observed in association\r\nwith specific tactics. Note that the percentages shown represent the prevalence of each technique when compared\r\nacross the other kinds of techniques identified for each respective tactic. 
These percentages don’t represent how\r\noften the techniques showed up in cases (see the website version to explore data about unique techniques and\r\ncases).\r\n[Interactive chart; selectable tactics: Initial Access, Discovery, Execution, Persistence, Privilege Escalation, Defense Evasion, Credential Access, Lateral Movement, Collection, Command and Control, Exfiltration, Impact]\r\nFigure 3: Relative prevalence of techniques observed in association with the initial access tactic.\r\n5.2 Investigation Type by Region\r\nFigures 15-17 provide a regional and industry-level view of the investigations handled by Unit 42 during 2025.\r\nThey show how incident types vary across North America, EMEA and Asia Pacific, alongside a breakdown of the\r\nmost common investigation categories within the industries most represented in our data. These insights will help\r\nleaders understand where activity is concentrated and how exposure differs across sectors and geographies.\r\nThe geographic data highlights differences in investigation types regionally, while the industry charts show clear\r\npatterns in how threat activity aligns with sector-specific operations and technology stacks. High technology,\r\nmanufacturing, financial services and healthcare each exhibit distinct mixes of intrusion types, reflecting variation\r\nin attack surface, identity architecture and cloud maturity. 
Together, these views give security leaders a clearer\r\npicture of where threats are most active and how the operational context shapes the intrusions Unit 42\r\ninvestigates.\r\n[Interactive chart; selectable regions: North America; Europe, the Middle East and Africa; Asia-Pacific region]\r\nFigure 15: Investigation type by region: North America.\r\n5.3 Investigation Type by Industry\r\nFigures 18-24 below show a breakdown of the top investigation types associated with the industries most\r\nrepresented in our incident response data.\r\n[Interactive chart; selectable industries: High Technology, Manufacturing, Professional \u0026 Legal Services, Wholesale \u0026 Retail, Financial Services, State and Local Government, Healthcare]\r\nFigure 19: Investigation type by industry: High Technology.\r\nSource: https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.crypsisgroup.com/insights/ransomwares-new-trend-exfiltration-and-extortion"
	],
	"report_names": [
		"ransomwares-new-trend-exfiltration-and-extortion"
	],
	"threat_actors": [
		{
			"id": "9ddc7baf-2ea7-4294-af2c-5fce1021e8e8",
			"created_at": "2023-06-23T02:04:34.386651Z",
			"updated_at": "2026-04-10T02:00:04.772256Z",
			"deleted_at": null,
			"main_name": "Muddled Libra",
			"aliases": [
				"0ktapus",
				"Scatter Swine",
				"Scattered Spider"
			],
			"source_name": "ETDA:Muddled Libra",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a63c994f-d7d6-4850-a881-730635798b90",
			"created_at": "2025-08-07T02:03:24.788883Z",
			"updated_at": "2026-04-10T02:00:03.785146Z",
			"deleted_at": null,
			"main_name": "COBALT TRINITY",
			"aliases": [
				"APT33 ",
				"Elfin ",
				"HOLMIUM ",
				"MAGNALIUM ",
				"Peach Sandstorm ",
				"Refined Kitten ",
				"TA451 "
			],
			"source_name": "Secureworks:COBALT TRINITY",
			"tools": [
				"AutoCore",
				"Cadlotcorg",
				"Dello RAT",
				"FalseFont",
				"Imminent Monitor",
				"KDALogger",
				"Koadic",
				"NanoCore",
				"NetWire",
				"POWERTON",
				"PoshC2",
				"Poylog",
				"PupyRAT",
				"Schoolbag"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "7187a642-699d-44b2-9c69-498c80bce81f",
			"created_at": "2025-08-07T02:03:25.105688Z",
			"updated_at": "2026-04-10T02:00:03.78394Z",
			"deleted_at": null,
			"main_name": "NICKEL TAPESTRY",
			"aliases": [
				"CL-STA-0237 ",
				"CL-STA-0241 ",
				"DPRK IT Workers",
				"Famous Chollima ",
				"Jasper Sleet Microsoft",
				"Purpledelta Recorded Future",
				"Storm-0287 ",
				"UNC5267 ",
				"Wagemole "
			],
			"source_name": "Secureworks:NICKEL TAPESTRY",
			"tools": [],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ad78338e-8bb6-4745-acae-27d3cc3cf76d",
			"created_at": "2023-11-17T02:00:07.580677Z",
			"updated_at": "2026-04-10T02:00:03.452097Z",
			"deleted_at": null,
			"main_name": "Bohrium",
			"aliases": [
				"BOHRIUM",
				"IMPERIAL KITTEN",
				"Smoke Sandstorm"
			],
			"source_name": "MISPGALAXY:Bohrium",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "3ce91297-e4c0-4957-8dd7-9047a3e23dc7",
			"created_at": "2023-01-06T13:46:39.054248Z",
			"updated_at": "2026-04-10T02:00:03.197801Z",
			"deleted_at": null,
			"main_name": "Tortoiseshell",
			"aliases": [
				"Yellow Liderc",
				"Imperial Kitten",
				"Crimson Sandstorm",
				"Cuboid Sandstorm",
				"Smoke Sandstorm",
				"IMPERIAL KITTEN",
				"TA456",
				"DUSTYCAVE",
				"CURIUM"
			],
			"source_name": "MISPGALAXY:Tortoiseshell",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "c3b908de-3dd1-4e5d-ba24-5af8217371f0",
			"created_at": "2023-10-03T02:00:08.510742Z",
			"updated_at": "2026-04-10T02:00:03.374705Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"UNC3944",
				"Scattered Swine",
				"Octo Tempest",
				"DEV-0971",
				"Starfraud",
				"Muddled Libra",
				"Oktapus",
				"Scatter Swine",
				"0ktapus",
				"Storm-0971"
			],
			"source_name": "MISPGALAXY:Scattered Spider",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f0f91a2f-ae05-4658-a6df-14938355eecb",
			"created_at": "2024-03-02T02:00:03.833721Z",
			"updated_at": "2026-04-10T02:00:03.598612Z",
			"deleted_at": null,
			"main_name": "UNC1549",
			"aliases": [
				"Nimbus Manticore"
			],
			"source_name": "MISPGALAXY:UNC1549",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "4fc99d9b-9b66-4516-b0db-520fbef049ed",
			"created_at": "2025-10-29T02:00:51.949631Z",
			"updated_at": "2026-04-10T02:00:05.346203Z",
			"deleted_at": null,
			"main_name": "Contagious Interview",
			"aliases": [
				"Contagious Interview",
				"DeceptiveDevelopment",
				"Gwisin Gang",
				"Tenacious Pungsan",
				"DEV#POPPER",
				"PurpleBravo",
				"TAG-121"
			],
			"source_name": "MITRE:Contagious Interview",
			"tools": [
				"InvisibleFerret",
				"BeaverTail",
				"XORIndex Loader",
				"HexEval Loader"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "e5ff825b-0456-4013-b90a-971b93def74a",
			"created_at": "2022-10-25T15:50:23.824058Z",
			"updated_at": "2026-04-10T02:00:05.377261Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"APT33",
				"HOLMIUM",
				"Elfin",
				"Peach Sandstorm"
			],
			"source_name": "MITRE:APT33",
			"tools": [
				"PowerSploit",
				"AutoIt backdoor",
				"PoshC2",
				"Mimikatz",
				"NanoCore",
				"DEADWOOD",
				"StoneDrill",
				"POWERTON",
				"LaZagne",
				"TURNEDUP",
				"NETWIRE",
				"Pupy",
				"ftp"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "786139da-4139-49d0-9685-e249c5f89f25",
			"created_at": "2024-12-30T02:01:48.731055Z",
			"updated_at": "2026-04-10T02:00:04.763086Z",
			"deleted_at": null,
			"main_name": "TA455",
			"aliases": [
				"Bohrium",
				"DEV-0056",
				"Operation Iranian Dream Job",
				"Smoke Sandstorm",
				"TA455",
				"UNC1549",
				"Yellow Dev 13"
			],
			"source_name": "ETDA:TA455",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"SlugResin",
				"SnailResin"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d093e8d9-b093-47b8-a988-2a5cbf3ccec9",
			"created_at": "2023-10-14T02:03:13.99057Z",
			"updated_at": "2026-04-10T02:00:04.531987Z",
			"deleted_at": null,
			"main_name": "Scattered Spider",
			"aliases": [
				"0ktapus",
				"LUCR-3",
				"Muddled Libra",
				"Octo Tempest",
				"Scatter Swine",
				"Scattered Spider",
				"Star Fraud",
				"Storm-0875",
				"UNC3944"
			],
			"source_name": "ETDA:Scattered Spider",
			"tools": [
				"ADRecon",
				"AnyDesk",
				"ConnectWise",
				"DCSync",
				"FiveTran",
				"FleetDeck",
				"Govmomi",
				"Hekatomb",
				"Impacket",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Lumma Stealer",
				"LummaC2",
				"Mimikatz",
				"Ngrok",
				"PingCastle",
				"ProcDump",
				"PsExec",
				"Pulseway",
				"Pure Storage FlashArray",
				"Pure Storage FlashArray PowerShell SDK",
				"RedLine Stealer",
				"Rsocx",
				"RustDesk",
				"ScreenConnect",
				"SharpHound",
				"Socat",
				"Spidey Bot",
				"Splashtop",
				"Stealc",
				"TacticalRMM",
				"Tailscale",
				"TightVNC",
				"VIDAR",
				"Vidar Stealer",
				"WinRAR",
				"WsTunnel",
				"gosecretsdump"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "b23e717c-0b27-47e0-b3c8-4defe6dd857f",
			"created_at": "2023-01-06T13:46:38.367369Z",
			"updated_at": "2026-04-10T02:00:02.945356Z",
			"deleted_at": null,
			"main_name": "APT33",
			"aliases": [
				"Elfin",
				"MAGNALLIUM",
				"HOLMIUM",
				"COBALT TRINITY",
				"G0064",
				"ATK35",
				"Peach Sandstorm",
				"TA451",
				"APT 33",
				"Refined Kitten"
			],
			"source_name": "MISPGALAXY:APT33",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "0dc20eeb-81e3-48ef-9a12-7b38fdcf07b1",
			"created_at": "2025-09-20T02:04:46.693616Z",
			"updated_at": "2026-04-10T02:00:03.735806Z",
			"deleted_at": null,
			"main_name": "COBALT SMOKEY",
			"aliases": [
				"Nimbus Manticore ",
				"Smoke Sandstorm ",
				"Subtle Snail ",
				"TA455 ",
				"UNC1549 "
			],
			"source_name": "Secureworks:COBALT SMOKEY",
			"tools": [
				"LIGHTRAIL",
				"MINIBIKE",
				"MINIBUS"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "b938e2e3-3d1b-4b35-a031-ddf25b912557",
			"created_at": "2022-10-25T16:07:23.35582Z",
			"updated_at": "2026-04-10T02:00:04.55531Z",
			"deleted_at": null,
			"main_name": "APT 33",
			"aliases": [
				"APT 33",
				"ATK 35",
				"Cobalt Trinity",
				"Curious Serpens",
				"Elfin",
				"G0064",
				"Holmium",
				"Magnallium",
				"Peach Sandstorm",
				"Refined Kitten",
				"TA451",
				"Yellow Orc"
			],
			"source_name": "ETDA:APT 33",
			"tools": [
				"Atros2.CKPN",
				"AutoIt backdoor",
				"Breut",
				"CinaRAT",
				"DROPSHOT",
				"DarkComet",
				"DarkKomet",
				"DistTrack",
				"EmPyre",
				"EmpireProject",
				"FYNLOS",
				"FalseFont",
				"Filerase",
				"Fynloski",
				"JuicyPotato",
				"Krademok",
				"LOLBAS",
				"LOLBins",
				"LaZagne",
				"Living off the Land",
				"Mimikatz",
				"Nancrat",
				"NanoCore",
				"NanoCore RAT",
				"NetWeird",
				"NetWire",
				"NetWire RAT",
				"NetWire RC",
				"NetWired RC",
				"Notestuk",
				"POWERTON",
				"PoshC2",
				"PowerBand",
				"PowerShell Empire",
				"PowerSploit",
				"PsList",
				"Pupy",
				"PupyRAT",
				"Quasar RAT",
				"QuasarRAT",
				"Recam",
				"Remcos",
				"RemcosRAT",
				"Remvio",
				"SHAPESHIFT",
				"Shamoon",
				"Socmer",
				"StoneDrill",
				"TURNEDUP",
				"Tickler",
				"Yggdrasil",
				"Zurten",
				"klovbot",
				"pupy"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "730dfa6e-572d-473c-9267-ea1597d1a42b",
			"created_at": "2023-01-06T13:46:38.389985Z",
			"updated_at": "2026-04-10T02:00:02.954105Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"Pawn Storm",
				"ATK5",
				"Fighting Ursa",
				"Blue Athena",
				"TA422",
				"T-APT-12",
				"APT-C-20",
				"UAC-0001",
				"IRON TWILIGHT",
				"SIG40",
				"UAC-0028",
				"Sofacy",
				"BlueDelta",
				"Fancy Bear",
				"GruesomeLarch",
				"Group 74",
				"ITG05",
				"FROZENLAKE",
				"Forest Blizzard",
				"FANCY BEAR",
				"Sednit",
				"SNAKEMACKEREL",
				"Tsar Team",
				"TG-4127",
				"STRONTIUM",
				"Grizzly Steppe",
				"G0007"
			],
			"source_name": "MISPGALAXY:APT28",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d05e8567-9517-4bd8-a952-5e8d66f68923",
			"created_at": "2024-11-13T13:15:31.114471Z",
			"updated_at": "2026-04-10T02:00:03.761535Z",
			"deleted_at": null,
			"main_name": "WageMole",
			"aliases": [
				"Void Dokkaebi",
				"WaterPlum",
				"PurpleBravo",
				"Famous Chollima",
				"UNC5267",
				"Wagemole",
				"Nickel Tapestry",
				"Storm-1877"
			],
			"source_name": "MISPGALAXY:WageMole",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "ef59a0d9-c556-4448-8553-ed28f315d352",
			"created_at": "2025-06-29T02:01:57.047978Z",
			"updated_at": "2026-04-10T02:00:04.744218Z",
			"deleted_at": null,
			"main_name": "Operation Contagious Interview",
			"aliases": [
				"Jasper Sleet",
				"Nickel Tapestry",
				"Operation Contagious Interview",
				"PurpleBravo",
				"Storm-0287",
				"Tenacious Pungsan",
				"UNC5267",
				"Wagemole",
				"WaterPlum"
			],
			"source_name": "ETDA:Operation Contagious Interview",
			"tools": [
				"BeaverTail",
				"InvisibleFerret",
				"OtterCookie",
				"PylangGhost"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "e3767160-695d-4360-8b2e-d5274db3f7cd",
			"created_at": "2022-10-25T16:47:55.914348Z",
			"updated_at": "2026-04-10T02:00:03.610018Z",
			"deleted_at": null,
			"main_name": "IRON TWILIGHT",
			"aliases": [
				"APT28 ",
				"ATK5 ",
				"Blue Athena ",
				"BlueDelta ",
				"FROZENLAKE ",
				"Fancy Bear ",
				"Fighting Ursa ",
				"Forest Blizzard ",
				"GRAPHITE ",
				"Group 74 ",
				"PawnStorm ",
				"STRONTIUM ",
				"Sednit ",
				"Snakemackerel ",
				"Sofacy ",
				"TA422 ",
				"TG-4127 ",
				"Tsar Team ",
				"UAC-0001 "
			],
			"source_name": "Secureworks:IRON TWILIGHT",
			"tools": [
				"Downdelph",
				"EVILTOSS",
				"SEDUPLOADER",
				"SHARPFRONT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "ae320ed7-9a63-42ed-944b-44ada7313495",
			"created_at": "2022-10-25T15:50:23.671663Z",
			"updated_at": "2026-04-10T02:00:05.283292Z",
			"deleted_at": null,
			"main_name": "APT28",
			"aliases": [
				"APT28",
				"IRON TWILIGHT",
				"SNAKEMACKEREL",
				"Group 74",
				"Sednit",
				"Sofacy",
				"Pawn Storm",
				"Fancy Bear",
				"STRONTIUM",
				"Tsar Team",
				"Threat Group-4127",
				"TG-4127",
				"Forest Blizzard",
				"FROZENLAKE",
				"GruesomeLarch"
			],
			"source_name": "MITRE:APT28",
			"tools": [
				"Wevtutil",
				"certutil",
				"Forfiles",
				"DealersChoice",
				"Mimikatz",
				"ADVSTORESHELL",
				"Komplex",
				"HIDEDRV",
				"JHUHUGIT",
				"Koadic",
				"Winexe",
				"cipher.exe",
				"XTunnel",
				"Drovorub",
				"CORESHELL",
				"OLDBAIT",
				"Downdelph",
				"XAgentOSX",
				"USBStealer",
				"Zebrocy",
				"reGeorg",
				"Fysbis",
				"LoJax"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d2516b8e-e74f-490d-8a15-43ad6763c7ab",
			"created_at": "2022-10-25T16:07:24.212584Z",
			"updated_at": "2026-04-10T02:00:04.900038Z",
			"deleted_at": null,
			"main_name": "Sofacy",
			"aliases": [
				"APT 28",
				"ATK 5",
				"Blue Athena",
				"BlueDelta",
				"FROZENLAKE",
				"Fancy Bear",
				"Fighting Ursa",
				"Forest Blizzard",
				"G0007",
				"Grey-Cloud",
				"Grizzly Steppe",
				"Group 74",
				"GruesomeLarch",
				"ITG05",
				"Iron Twilight",
				"Operation DealersChoice",
				"Operation Dear Joohn",
				"Operation Komplex",
				"Operation Pawn Storm",
				"Operation RoundPress",
				"Operation Russian Doll",
				"Operation Steal-It",
				"Pawn Storm",
				"SIG40",
				"Sednit",
				"Snakemackerel",
				"Sofacy",
				"Strontium",
				"T-APT-12",
				"TA422",
				"TAG-0700",
				"TAG-110",
				"TG-4127",
				"Tsar Team",
				"UAC-0028",
				"UAC-0063"
			],
			"source_name": "ETDA:Sofacy",
			"tools": [
				"ADVSTORESHELL",
				"AZZY",
				"Backdoor.SofacyX",
				"CHERRYSPY",
				"CORESHELL",
				"Carberp",
				"Computrace",
				"DealersChoice",
				"Delphacy",
				"Downdelph",
				"Downrage",
				"Drovorub",
				"EVILTOSS",
				"Foozer",
				"GAMEFISH",
				"GooseEgg",
				"Graphite",
				"HATVIBE",
				"HIDEDRV",
				"Headlace",
				"Impacket",
				"JHUHUGIT",
				"JKEYSKW",
				"Koadic",
				"Komplex",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"LoJack",
				"LoJax",
				"MASEPIE",
				"Mimikatz",
				"NETUI",
				"Nimcy",
				"OCEANMAP",
				"OLDBAIT",
				"PocoDown",
				"PocoDownloader",
				"Popr-d30",
				"ProcDump",
				"PythocyDbg",
				"SMBExec",
				"SOURFACE",
				"SPLM",
				"STEELHOOK",
				"Sasfis",
				"Sedkit",
				"Sednit",
				"Sedreco",
				"Seduploader",
				"Shunnael",
				"SkinnyBoy",
				"Sofacy",
				"SofacyCarberp",
				"SpiderLabs Responder",
				"Trojan.Shunnael",
				"Trojan.Sofacy",
				"USB Stealer",
				"USBStealer",
				"VPNFilter",
				"Win32/USBStealer",
				"WinIDS",
				"Winexe",
				"X-Agent",
				"X-Tunnel",
				"XAPS",
				"XTunnel",
				"Xagent",
				"Zebrocy",
				"Zekapab",
				"carberplike",
				"certutil",
				"certutil.exe",
				"fysbis",
				"webhp"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434412,
	"ts_updated_at": 1775792270,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/7911c2244b6ca18d513d95c3df58be73447ded4e.pdf",
		"text": "https://archive.orkl.eu/7911c2244b6ca18d513d95c3df58be73447ded4e.txt",
		"img": "https://archive.orkl.eu/7911c2244b6ca18d513d95c3df58be73447ded4e.jpg"
	}
}