Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued high ransomware activity and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by Help Net Security reports ransomware actors claimed 4,737 attacks in 2025, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of RansomHub was followed by affiliates quickly shifting to other operations, while LockBit failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward extortion models that don’t rely on encryption, emphasizing data theft and coercion as groups diversify pressure tactics.
Multiple technical reports describe how attackers are improving delivery and resilience. BleepingComputer says Gootloader now uses heavily malformed ZIP files—concatenating 500–1,000 ZIP archives and manipulating ZIP structures (e.g., truncated EOCD)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware.

The Register reports DeadLock ransomware uses Polygon smart contracts to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the Session messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales.

Separately, Microsoft-observed phishing described by KnowBe4 shows threat actors exploiting email routing/spoofing misconfigurations to make phishing appear internal (often leveraging Tycoon2FA), while ReliaQuest’s trend report and a separate write-up on CastleLoader describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as ClickFix being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.

How this story unfolded
15 events from the most recent confirmed update back to the earliest known activity.
Warlock ransomware linked to SharePoint zero-day exploitation
Symantec and Carbon Black said a new ransomware strain called Warlock was observed exploiting a SharePoint zero-day. The report noted tooling overlaps with prior Chinese espionage activity, suggesting convergence between extortion and espionage tradecraft.
Researchers describe leadership shifts in ransomware ecosystem
The same January 2026 study reported that LockBit failed to recover after late-2024 law enforcement action and that RansomHub had disappeared, while Akira and Qilin emerged as leading claimants. It also highlighted the growth of encryptionless extortion and continued use of social engineering against cloud and identity systems.
Symantec and Carbon Black report record 2025 ransomware and extortion volumes
A study published in January 2026 said claimed ransomware attacks reached 4,737 in 2025, while total extortion incidents rose to 6,182, up 23% from 2024. The report concluded that ransomware activity kept growing despite takedowns and ecosystem disruption.
Microsoft discloses rise in internal-domain spoofing attacks
Microsoft publicly reported that attackers were increasingly exploiting email authentication and routing misconfigurations to impersonate organizations' own domains in phishing campaigns. The company warned that successful compromise could lead to credential theft, BEC, partner targeting, and financial loss.
Expel publishes Gootloader detection guidance and YARA rule
Expel released technical detection guidance for the new Gootloader ZIP technique, including a YARA rule based on distinctive ZIP header and EOCD characteristics. The guidance also recommended changing the default JScript handler and restricting wscript.exe and cscript.exe for downloaded content.
Gootloader adopts malformed multi-part ZIP delivery
By January 2026, Expel reported that Gootloader operators had adopted a new delivery method using malformed archives made from hundreds to 1,000 concatenated ZIP files. The technique was built to unpack with Windows' native ZIP support while breaking or crashing many analysis and security tools.
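The two Gootloader entries above (Expel's detection guidance and the malformed multi-part ZIP technique) describe archives that Windows' built-in extractor accepts while ordinary ZIP parsers choke on them. The following is an added triage example, not Expel's YARA rule or any code from the page: it counts ZIP structural records by raw signature scanning so that a concatenated or truncated archive cannot crash the scan, then compares those counts with what Python's stdlib zipfile is willing to see. The sample archives are constructed in memory; the exact header and EOCD characteristics Expel's rule keys on are not on the page and are not reproduced here.

```python
import io
import struct
import zipfile

# Standard ZIP record signatures (PKWARE APPNOTE), as they appear on disk.
LOCAL_HDR = b"PK\x03\x04"    # local file header
CENTRAL_HDR = b"PK\x01\x02"  # central directory entry
EOCD_SIG = b"PK\x05\x06"     # end of central directory record
EOCD_FIXED_LEN = 22          # signature + fixed fields + 2-byte comment length


def make_zip(name: str, payload: bytes) -> bytes:
    """Build a small well-formed ZIP in memory (constructed sample, not a real lure)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, payload)
    return buf.getvalue()


def eocd_is_truncated(data: bytes) -> bool:
    """True if the final EOCD record is missing or shorter than it declares."""
    pos = data.rfind(EOCD_SIG)
    if pos == -1:
        return True
    tail = data[pos:]
    if len(tail) < EOCD_FIXED_LEN:
        return True
    comment_len = struct.unpack_from("<H", tail, 20)[0]
    return len(tail) < EOCD_FIXED_LEN + comment_len


def scan_zip(data: bytes) -> dict:
    """Triage a ZIP blob by raw signature counting, so malformed input cannot crash us.

    The raw counts are compared with what the stdlib parser sees; a gap between
    the two is the kind of discrepancy a deliberately malformed archive creates.
    """
    local = data.count(LOCAL_HDR)
    central = data.count(CENTRAL_HDR)
    eocd = data.count(EOCD_SIG)
    truncated = eocd_is_truncated(data)

    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            parser_entries = len(zf.infolist())
        parser_ok = True
    except zipfile.BadZipFile:
        parser_entries = 0
        parser_ok = False

    findings = []
    if eocd > 1:
        findings.append(f"{eocd} EOCD records: concatenated archives")
    if truncated:
        findings.append("final EOCD truncated or missing")
    if not parser_ok:
        findings.append("stdlib zipfile rejects the archive")
    elif parser_entries < local:
        findings.append(f"parser sees {parser_entries} of {local} local headers")

    return {
        "local_headers": local,
        "central_headers": central,
        "eocd_records": eocd,
        "eocd_truncated": truncated,
        "parser_ok": parser_ok,
        "parser_entries": parser_entries,
        "findings": findings,
    }


if __name__ == "__main__":
    clean = make_zip("readme.txt", b"benign content")
    concatenated = clean + make_zip("second.txt", b"more content")
    chopped = clean[:-4]  # cut the EOCD short
    for label, blob in (("clean", clean), ("concatenated", concatenated), ("chopped", chopped)):
        print(label, scan_zip(blob)["findings"])
```

The stdlib parser only honours the last EOCD record, so on a concatenated blob it reports the entries of the final archive and silently ignores the rest; the raw count of local headers exposes that gap, which is why the two views are compared rather than trusting either alone.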
Technical analysis reveals CastleLoader's injection chain
Researchers described CastleLoader's infection chain as an Inno Setup installer using AutoIt and a suspended jsc.exe process to perform process-hollowing-like injection. The malware used APIs such as VirtualAllocEx, WriteProcessMemory, SetThreadContext, and ResumeThread to execute payloads in memory while minimizing disk artifacts.
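The entry above names the API sequence CastleLoader uses against a suspended jsc.exe process. As an added example (not code from the page or from the researchers cited), here is detection logic that runs over sandbox-style API trace lines and flags a parent that creates a child with CREATE_SUSPENDED and then performs VirtualAllocEx, WriteProcessMemory and SetThreadContext on it before ResumeThread. The trace format, its field names and the sample lines are constructed for the example; only the API names come from the page.

```python
import re
from collections import defaultdict

# Constructed sandbox-style API trace (not real telemetry). One event per line,
# "timestamp key=value ...". The first process mirrors the chain the page
# describes: a suspended child, remote allocation, write, context swap, resume.
SAMPLE_TRACE = """\
2026-01-15T10:00:01Z pid=4312 api=CreateProcessW image=C:\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\jsc.exe flags=0x4 child=5120
2026-01-15T10:00:01Z pid=4312 api=VirtualAllocEx target=5120 size=0x2a000 protect=0x40
2026-01-15T10:00:01Z pid=4312 api=WriteProcessMemory target=5120 size=0x1000
2026-01-15T10:00:01Z pid=4312 api=WriteProcessMemory target=5120 size=0x29000
2026-01-15T10:00:02Z pid=4312 api=SetThreadContext target=5120
2026-01-15T10:00:02Z pid=4312 api=ResumeThread target=5120
2026-01-15T10:01:10Z pid=7788 api=CreateProcessW image=C:\\Windows\\System32\\notepad.exe flags=0x0 child=7801
2026-01-15T10:01:11Z pid=7788 api=WriteProcessMemory target=7801 size=0x100
2026-01-15T10:01:11Z pid=7788 api=ResumeThread target=7801
"""

CREATE_SUSPENDED = 0x00000004  # dwCreationFlags bit in CreateProcess*
REQUIRED_BEFORE_RESUME = {"VirtualAllocEx", "WriteProcessMemory", "SetThreadContext"}
KV_RE = re.compile(r"(\w+)=(\S+)")


def parse_trace(text: str) -> list:
    """Turn the trace into a list of event dicts; the leading timestamp becomes 'ts'."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = {"ts": ts}
        ev.update(KV_RE.findall(rest))
        events.append(ev)
    return events


def detect_hollowing(events: list) -> list:
    """Flag (parent, child) pairs where a suspended child receives a remote
    allocation, write and thread-context change before being resumed."""
    suspended = {}            # (parent pid, child pid) -> child image path
    seen = defaultdict(set)   # same key -> cross-process APIs observed so far
    hits = []
    for ev in events:
        api = ev.get("api")
        parent = ev.get("pid")
        if api in ("CreateProcessW", "CreateProcessA") and "child" in ev:
            if int(ev.get("flags", "0"), 16) & CREATE_SUSPENDED:
                key = (parent, ev["child"])
                suspended[key] = ev.get("image", "?")
                seen[key] = set()
            continue
        key = (parent, ev.get("target"))
        if key not in suspended:
            continue
        if api in REQUIRED_BEFORE_RESUME:
            seen[key].add(api)
        elif api == "ResumeThread":
            if REQUIRED_BEFORE_RESUME <= seen[key]:
                hits.append({"ts": ev["ts"], "source_pid": parent,
                             "target_pid": key[1], "image": suspended[key]})
            del suspended[key]  # one verdict per suspended child
            del seen[key]
    return hits


if __name__ == "__main__":
    for hit in detect_hollowing(parse_trace(SAMPLE_TRACE)):
        print(f"{hit['ts']} pid {hit['source_pid']} hollowed {hit['image']} (pid {hit['target_pid']})")
```

The rule keys on the combination rather than any single call: WriteProcessMemory into a non-suspended child (the notepad.exe lines) is not flagged, and repeated writes are tolerated, which keeps it usable against real traces where the chain is noisy.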
CastleLoader campaigns linked to broad targeting of government and infrastructure
Analysis published in January 2026 said CastleLoader had been used as an initial access mechanism in coordinated campaigns against federal agencies, IT firms, logistics companies, and essential infrastructure providers across North America and Europe. One campaign was reported to have affected about 460 organizations.
ReliaQuest reports late-2025 attacker technique trends
ReliaQuest published findings on attacker behavior from September to November 2025, highlighting trust exploitation, reduced infostealer volume after Lumma takedowns, and continued ransomware success through exploitation of known but unremediated vulnerabilities. The report also noted a 57% increase in victims in the professional, scientific, and technical services sector.
Researchers detail DeadLock's use of Polygon smart contracts
Group-IB reported that DeadLock was using Polygon smart contracts to obscure and rapidly rotate command-and-control or proxy infrastructure, complicating defender blocking efforts. The disclosure also noted that many operational details, including initial access, remained unclear.
Attackers shift toward trust-exploitation techniques in late 2025
From September 1 through November 30, 2025, ReliaQuest observed attackers increasingly relying on social engineering, legitimate tools, and code-signing rather than zero-days. BaoLoader dominated incidents, while ClickFix and Maverick also rose, reflecting a broader move toward human-driven initial access and command obfuscation.
DeadLock ransomware operation first observed
Group-IB first observed the DeadLock ransomware operation in July 2025. The group appeared to favor an encryption-only model and used Session-based victim communications rather than a traditional public leak site.
Internal email spoofing campaigns surge via mail misconfigurations
Microsoft observed a surge beginning in May 2025 of threat actors abusing mail-routing and spoofing misconfigurations to send phishing emails that appeared to come from inside targeted organizations. The campaigns used lures such as voicemail, HR, shared document, and password notices, often tied to PhaaS tooling including Tycoon2FA.
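The two Microsoft-related entries (the disclosure of internal-domain spoofing and the campaigns above) attribute the spoofing to email authentication and routing misconfigurations without listing them. The following added example, which is not Microsoft's or KnowBe4's code and is not from the page, assumes the standard authentication controls are among them and assesses a domain's published DMARC (RFC 7489) and SPF (RFC 7208) TXT records for settings that leave mail claiming the domain unenforced. It runs offline on record strings; the records shown are constructed for reserved example domains.

```python
from typing import List

DNS_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}  # count toward SPF's lookup limit
SPF_LOOKUP_LIMIT = 10  # RFC 7208 section 4.6.4


def parse_dmarc_tags(record: str) -> dict:
    """Split 'tag=value; tag=value' (RFC 7489 syntax) into a lower-cased-key dict."""
    tags = {}
    for part in record.split(";"):
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: str) -> List[str]:
    """Return findings for a DMARC TXT record; an empty list means enforcing."""
    if not record:
        return ["no DMARC record: receivers are never told to reject spoofed mail"]
    tags = parse_dmarc_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return ["malformed DMARC record: missing v=DMARC1"]
    findings = []
    policy = tags.get("p", "").lower()
    if policy not in ("none", "quarantine", "reject"):
        findings.append("missing or invalid p= tag: record is ignored")
    elif policy == "none":
        findings.append("p=none: monitoring only, spoofed mail is still delivered")
    if tags.get("sp", policy).lower() == "none" and policy in ("quarantine", "reject"):
        findings.append("sp=none: subdomains are not enforced")
    try:
        pct = int(tags.get("pct", "100"))
    except ValueError:
        pct = 100
        findings.append("pct= is not a number")
    if pct < 100:
        findings.append(f"pct={pct}: policy applied to only part of the traffic")
    if "rua" not in tags:
        findings.append("no rua= address: aggregate reports are not collected")
    return findings


def assess_spf(record: str) -> List[str]:
    """Return findings for an SPF TXT record; an empty list means restrictive."""
    if not record:
        return ["no SPF record"]
    terms = record.split()
    if terms[0].lower() != "v=spf1":
        return ["malformed SPF record: must start with v=spf1"]
    findings = []
    all_terms = [t for t in terms[1:] if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append("no all mechanism: unlisted senders get a neutral result")
    else:
        qualifier = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qualifier == "+":
            findings.append("+all: every host on the internet passes SPF for this domain")
        elif qualifier == "?":
            findings.append("?all: neutral result, no protection")
        elif qualifier == "~":
            findings.append("~all: softfail only; rejection depends on DMARC policy")
    lookups = 0
    for term in terms[1:]:
        name = term.lstrip("+-~?").split(":", 1)[0].split("/", 1)[0].lower()
        if name in DNS_MECHANISMS or term.lower().startswith("redirect="):
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(f"{lookups} DNS-querying terms exceed {SPF_LOOKUP_LIMIT}: permerror, no protection")
    return findings


if __name__ == "__main__":
    # Constructed records for a reserved example domain; replace with real TXT lookups.
    records = {
        "_dmarc.example.com": "v=DMARC1; p=none; rua=mailto:dmarc@example.com",
        "example.com": "v=spf1 mx include:_spf.example.net ~all",
    }
    for finding in assess_dmarc(records["_dmarc.example.com"]) + assess_spf(records["example.com"]):
        print("finding:", finding)
```

SPF alone only checks the envelope sender, so the DMARC policy is what decides whether a message whose visible From header carries the organization's own domain is rejected; a domain with p=none passes this check on syntax but still lets spoofed internal mail through, which is why the DMARC findings are the ones to fix first.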
RansomHub shutdown briefly disrupts ransomware ecosystem
In April 2025, the shutdown of RansomHub caused a short-lived dip in ransomware activity, but affiliates quickly moved to other operations and activity rebounded within weeks. The disruption did not prevent 2025 from reaching record claimed attack volumes.
CastleLoader first identified in the wild
CastleLoader, a multi-stage malware loader later assessed as a serious threat to U.S. government and critical infrastructure organizations, was first identified in early 2025. It was designed for stealthy in-memory payload delivery and evasion of conventional detection.
Sources
Ransomware activity never dies, it multiplies - Help Net Security (helpnetsecurity.com)
Gootloader now uses 1,000-part ZIP archives for stealthy delivery (bleepingcomputer.com)
Threat Actors Exploit Misconfigurations to Spoof Internal Emails (blog.knowbe4.com)
Stealthy CastleLoader Malware Attacking US-Based Government Entities (cybersecuritynews.com)
What’s Trending: Top Cyber Attacker Techniques, September-November 2025 (reliaquest.com)
DeadLock ransomware uses smart contracts to evade defenders - The Register (theregister.com)