Mallory

Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques

Tags: ransomware, extortion, phishing, spearphishing, evasion, data-theft, encryptionless, Tycoon2FA, spoofing, initial-access, Gootloader, smart-contracts, DeadLock
Updated January 16, 2026 at 12:07 PM (6 sources)

Reporting and research published in mid-January 2026 highlights continued high ransomware activity and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by Help Net Security reports ransomware actors claimed 4,737 attacks in 2025, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of RansomHub was followed by affiliates quickly shifting to other operations, while LockBit failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward extortion models that don’t rely on encryption, emphasizing data theft and coercion as groups diversify pressure tactics.

Several technical reports describe how attackers are hardening their delivery chains and infrastructure against analysis and takedown.

BleepingComputer reports that Gootloader now ships heavily malformed ZIP files: it concatenates 500–1,000 ZIP archives and manipulates ZIP structures (for example, a truncated end-of-central-directory record) so that common analysis tools crash or parse the wrong archive, while Windows' default extractor still unpacks the intended content. This preserves Gootloader's role as an initial-access vector that frequently precedes ransomware deployment. The weak point being exploited is tooling that trusts the final EOCD record or gives up on a parse error, so triage should inspect the raw ZIP structure rather than rely on a single library's view of it.

The Register reports that DeadLock ransomware uses Polygon smart contracts to rotate the proxy infrastructure behind its victim communications (an HTML wrapper that points victims to the Session messenger), which complicates blocking and takedown because the current endpoint is published on-chain rather than tied to a fixed domain. Group-IB notes that DeadLock also departs from typical double extortion: it operates no public data-leak site and instead threatens to sell stolen data on underground markets.

Separately, Microsoft-observed phishing described by KnowBe4 shows threat actors exploiting email routing and spoofing misconfigurations so that phishing appears to originate internally, often in conjunction with the Tycoon2FA phishing kit. ReliaQuest's trend report and a separate write-up on CastleLoader describe human-driven initial access (spearphishing and drive-by) and social-engineering lures such as ClickFix being used to stage loaders and follow-on payloads. Together these underline that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
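The following is an added triage example, not code from the original page or from any of the cited reports, showing why concatenated archives and a truncated EOCD defeat parsers that trust the end-of-central-directory record. It builds a tiny constructed stand-in for the Gootloader layout (three concatenated archives holding harmless text instead of the hundreds the report describes), then compares what Python's stdlib `zipfile` sees against a signature walk over every local file header. The member names and the "payload.js" file name are invented for the example.

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = b"PK\x03\x04"   # local file header signature
EOCD_SIG = b"PK\x05\x06"           # end of central directory record signature
EOCD_MIN_LEN = 22                  # fixed-size part of the EOCD record


def _find_all(blob, sig):
    """Offsets of every occurrence of a signature in the blob."""
    offsets, pos = [], 0
    while True:
        idx = blob.find(sig, pos)
        if idx < 0:
            return offsets
        offsets.append(idx)
        pos = idx + len(sig)


def make_zip(entries):
    """Build a small in-memory ZIP (constructed sample data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()


def build_sample(n_archives=3, truncate_eocd=False):
    """Concatenate n_archives ZIPs; the last one carries the 'payload' member.

    Mimics the reported Gootloader layout at a tiny scale (the report cites
    500-1,000 concatenated archives); every member here is harmless text.
    """
    parts = [make_zip({f"decoy{i}.txt": f"decoy {i}".encode()})
             for i in range(n_archives - 1)]
    parts.append(make_zip({"payload.js": b"// constructed stand-in, not malware\n"}))
    blob = b"".join(parts)
    if truncate_eocd:
        blob = blob[:-4]   # cut the tail off the final EOCD record
    return blob


def scan_zip_structure(blob):
    """Structure-level triage that does not trust the EOCD the way a stdlib
    parser does: walk every local file header and count EOCD records."""
    names = []
    for idx in _find_all(blob, LOCAL_HEADER_SIG):
        if idx + 30 > len(blob):          # header is cut off, nothing to read
            continue
        name_len = struct.unpack_from("<H", blob, idx + 26)[0]
        names.append(blob[idx + 30: idx + 30 + name_len].decode("utf-8", "replace"))
    eocds = _find_all(blob, EOCD_SIG)
    eocd_truncated = bool(eocds) and (len(blob) - eocds[-1]) < EOCD_MIN_LEN
    try:
        # stdlib behaviour: locate the last EOCD and read only that archive's
        # central directory, so earlier concatenated archives are invisible
        stdlib_names = zipfile.ZipFile(io.BytesIO(blob)).namelist()
    except zipfile.BadZipFile:
        stdlib_names = None               # parser gives up; a sandbox relying on it sees nothing
    return {
        "member_names": names,
        "eocd_count": len(eocds),
        "eocd_truncated": eocd_truncated,
        "stdlib_names": stdlib_names,
        "suspicious": len(eocds) != 1 or eocd_truncated
                      or (stdlib_names is not None and len(stdlib_names) != len(names)),
    }


if __name__ == "__main__":
    for label, blob in [("clean", build_sample(1)),
                        ("concatenated", build_sample(3)),
                        ("concatenated+truncated", build_sample(3, truncate_eocd=True))]:
        print(label, scan_zip_structure(blob))
```

The useful signal for a detection pipeline is the disagreement between the two views: more than one EOCD record, a final EOCD shorter than 22 bytes, or a member count from the central directory that does not match the number of local file headers. Any of those should route the file to a parser that walks local headers rather than one that fails closed on a `BadZipFile`.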

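The phishing reporting above describes mail that is made to look internal; the page does not spell out the specific routing or spoofing misconfiguration involved. The following is an added example, not code from the page or from Microsoft or KnowBe4, of the generic check a mail-security pipeline can apply regardless of the exact misconfiguration: a `From:` domain that belongs to the organisation must also pass DMARC and arrive from an internal hop. The internal domain (`example.com`) and both message samples are constructed for the example.

```python
import email
import email.utils
import re
from email import policy

INTERNAL_DOMAINS = {"example.com"}   # assumption: the organisation's own domains

# Constructed sample headers, not captured from a real incident.
SAMPLE_SPOOFED = """\
Received: from mail-relay.attacker.example (203.0.113.7) by mx.example.com
Authentication-Results: mx.example.com; spf=fail smtp.mailfrom=attacker.example; dkim=none; dmarc=fail header.from=example.com
From: IT Helpdesk <helpdesk@example.com>
To: user@example.com
Subject: Action required: re-validate your MFA device

Sign in at the link below to keep your account active.
"""

SAMPLE_LEGIT = """\
Received: from mail.example.com (192.0.2.10) by mx.example.com
Authentication-Results: mx.example.com; spf=pass smtp.mailfrom=example.com; dkim=pass header.d=example.com; dmarc=pass header.from=example.com
From: HR <hr@example.com>
To: user@example.com
Subject: Payslip

Your payslip is attached.
"""


def parse_auth_results(value):
    """Pull method=result pairs out of an Authentication-Results header value."""
    return dict(re.findall(r"\b(spf|dkim|dmarc)=([A-Za-z]+)", value or ""))


def first_hop_host(msg):
    """Host named in the topmost Received header, i.e. the last hop before our MX."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = re.search(r"from\s+(\S+)", str(received[0]))
    return m.group(1).lower() if m else None


def assess(raw, internal_domains=INTERNAL_DOMAINS):
    """Flag mail whose From: claims an internal domain without the evidence to back it."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_addr = email.utils.parseaddr(str(msg.get("From", "")))[1]
    from_dom = from_addr.rpartition("@")[2].lower()
    auth = parse_auth_results(str(msg.get("Authentication-Results", "")))
    claims_internal = from_dom in internal_domains
    hop = first_hop_host(msg)
    hop_internal = hop is not None and any(
        hop == d or hop.endswith("." + d) for d in internal_domains)
    reasons = []
    if claims_internal and auth.get("dmarc") != "pass":
        reasons.append(f"From claims {from_dom} but dmarc={auth.get('dmarc', 'missing')}")
    if claims_internal and not hop_internal:
        reasons.append(f"internal-looking sender arrived via external host {hop}")
    return {"from_domain": from_dom, "auth": auth, "first_hop": hop,
            "flag": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    for label, raw in [("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)]:
        print(label, assess(raw))
```

The check is deliberately conservative about what it trusts: `Authentication-Results` is only meaningful when stamped by your own MX, so in production the header should be taken from the trusted boundary host and any copies arriving from outside stripped first. A message that is internal-looking, DMARC-failing and routed through an external hop is the pattern the reporting describes, whichever connector or relay rule let it through.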

Related Stories

Data-extortion ecosystem expands as ransomware groups and initial access brokers scale intrusions

**Data-extortion intrusions increased sharply last year**, with Intel 471 tracking roughly **6,800 extortion-driven attacks**—about **63% higher than 2024**—and attributing much of the growth to heightened activity from **Qilin**, **Sp1d3r Hunters**, and **Clop** operations. More than half of impacted organizations were in the **United States**, with frequent targeting of **consumer and industrial product vendors, consulting firms, and manufacturing**; Intel 471 also assessed that **initial access brokers** increasingly focused on **remote access portals** as an entry point. The same analysis noted that attackers abused a significant portion of disclosed vulnerabilities (over **40% of 520** reported bugs) and forecast that **AI** will likely *accelerate* exploitation and enable higher-ROI fraud (e.g., deepfake impersonation), even if it is not yet the primary driver of intrusions. Broader threat reporting described a **fragmenting cybercrime economy** under law-enforcement pressure, with more **new ransomware variants** derived from leaked code and a more **modular “supply chain”** of specialized services (access, laundering, negotiation) that can rapidly reconstitute after disruptions. Separate reporting highlighted how **low-tech social engineering** remains effective—such as help-desk impersonation used to reset credentials and redirect payroll—and how healthcare continues to be a favored extortion target, including the emergence of a new **“Insomnia” data-theft** brand claiming mostly US healthcare-related victims. These trends reinforce that extortion risk is being driven not only by malware families, but by **repeatable access paths** (remote access exposure, credential reuse, and service-desk process weaknesses) that enable fast monetization.

1 month ago
Ransomware Ecosystem Update: Leading Groups, RaaS Expansion, and Termite’s ClickFix Adoption

Reporting highlights a broader shift in the ransomware ecosystem toward **platform-like operations** and **ransomware-as-a-service (RaaS)** models that lower the barrier to entry and accelerate the creation of new crews. Huntress telemetry for 2025 is cited as placing **Akira** as a leading ransomware group, with operators increasingly targeting the **hypervisor layer** to bypass traditional endpoint controls; separate commentary describes rapid victim growth for **Qilin** (claimed to exceed 1,000 victims in 2025) and notes **LockBit** regaining operational capability after prior disruption. The same reporting also points to “**Extortion-as-a-Service**” offerings (including a federation described as **SLSH**—Scattered Spider/Lapsus$/ShinyHunters) that enable affiliates to rent tooling rather than develop it, contributing to a surge in newly formed groups. A separate technical write-up details **Termite** ransomware as a Babuk-derived operation first observed in late 2024 that has matured into a multi-stage intrusion and **double-extortion** threat, claiming dozens of victims across multiple sectors and regions by March 2026. The report emphasizes Termite’s operationalization of **ClickFix** (browser-based social engineering) to bypass traditional phishing defenses, and provides a distinctive forensic marker: encrypted files reportedly have the Babuk-inherited trailing string `"choung dong looks like hot dog"`, positioned as a practical indicator during triage. Another overview article catalogs major active ransomware groups and tactics, including **Lynx** (described as sharing substantial code with INC, using double extortion, appending `.lynx`, and deleting shadow copies) and **Medusa**, while reiterating law-enforcement attribution and indictments tied to **LockBit** leadership and deployment activity.

1 week ago
Industry reporting highlights ransomware shift to stealthy, long-dwell intrusions and increased zero-day exploitation

Multiple security reports and commentary describe **ransomware operators shifting from fast “smash-and-grab” encryption to stealthier campaigns** that prioritize long-term access, data theft, and operational leverage. VulnCheck’s 2026 exploit intelligence findings indicate that while only a small fraction of newly disclosed vulnerabilities are exploited in the wild, the exploited set drives outsized impact; the report also assesses that ransomware-linked vulnerability exploitation is increasingly **zero-day-led**, with over half of ransomware-associated CVEs first identified via active exploitation. The same analysis notes rapid weaponization dynamics (including growth in public PoCs and noisy, low-quality AI-generated exploit code) that can distort prioritization while attackers move faster than patch cycles—an issue that is particularly consequential for **OT environments** where downtime and patch latency are common. Several other items in the set are not reporting on this specific ransomware/zero-day trend and instead provide general security guidance or leadership content. These include broad, non-incident overviews of financial-sector threats, dark web monitoring decision-making, AI skills discussions, board-level risk/metrics perspectives, and DDoS readiness best practices; they do not add concrete, corroborating detail to the ransomware zero-day/long-dwell access narrative beyond general context that cybercrime is evolving and defenders should focus on actionable risk signals.

2 weeks ago
