Industry reporting highlights ransomware shift to stealthy, long-dwell intrusions and increased zero-day exploitation
Multiple security reports and commentary describe ransomware operators shifting from fast “smash-and-grab” encryption to stealthier campaigns that prioritize long-term access, data theft, and operational leverage. VulnCheck’s 2026 exploit intelligence findings indicate that while only a small fraction of newly disclosed vulnerabilities are exploited in the wild, the exploited set drives outsized impact; the report also assesses that ransomware-linked vulnerability exploitation is increasingly zero-day-led, with over half of ransomware-associated CVEs first identified via active exploitation. The same analysis notes rapid weaponization dynamics (including growth in public PoCs and noisy, low-quality AI-generated exploit code) that can distort prioritization while attackers move faster than patch cycles—an issue that is particularly consequential for OT environments where downtime and patch latency are common.
Several other items in the set are not reporting on this specific ransomware/zero-day trend and instead provide general security guidance or leadership content. These include broad, non-incident overviews of financial-sector threats, dark web monitoring decision-making, AI skills discussions, board-level risk/metrics perspectives, and DDoS readiness best practices; they do not add concrete, corroborating detail to the ransomware zero-day/long-dwell access narrative beyond general context that cybercrime is evolving and defenders should focus on actionable risk signals.
Related Entities
Vulnerabilities
Sources
Related Stories
Ransomware and Extortion Trend Reporting and Threat-Activity Roundups
Multiple sources published **trend-focused reporting** on ransomware/extortion rather than describing a single discrete incident. Analyst1’s 2025 year-in-review reports a record rise in ransomware **data leak site (DLS)** postings (7,819 claims in 2025, up ~49.7% YoY), with the **U.S.** representing roughly half of observed claims and a concentration of activity among a small set of groups (e.g., **Qilin**, **Akira**, **CLOP**, **PLAY**). Ransom-DB similarly promotes ongoing “weekly trends” and group analyses (e.g., Qilin and other crews driving high weekly volumes), reinforcing that extortion ecosystems continue to scale and diversify across geographies and sectors. Several other items in the set are **not about ransomware trend reporting** and should be treated as separate stories: Kaspersky-reported supply-chain compromise of Android tablet firmware with the **Keenadu** backdoor (persistence via Android `Zygote`), Dragos reporting continued PRC-linked **Volt Typhoon/Voltzite** activity in U.S. energy/OT environments, and a Check Point weekly bulletin summarizing multiple unrelated breaches (e.g., Odido, BridgePay, Flickr, ApolloMD) plus AI-misuse research. Additional content is either **generic thought leadership** (cybersecurity predictions; secure-by-design op-ed) or **out-of-timeframe/marketing-leaning reposting** (Arete summarizing a 2020 TrickBot healthcare alert; identity-attack discussion based on an IR report), and does not materially contribute to a single cohesive event narrative.
3 weeks ago
Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics. Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales. Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
2 months ago
Ransomware Activity and Related Threat Intelligence Updates
Reporting highlighted elevated ransomware activity and evolving access-broker ecosystems. BlackFog’s February ransomware roundup counted **82 publicly disclosed ransomware incidents** across **20 countries**, with the **U.S.** most affected (51 incidents) and **healthcare** the most targeted sector (31%). The report attributed publicly claimed attacks to **24 ransomware groups**, led by **Shiny Hunters** (8) and **Qilin** (6), while noting **41%** of incidents were not yet attributed; it also cited individual victim disclosures/claims involving **Nova Biomedical** (PII exposure affecting 10,764 people), **Hosokawa Micron** (files accessed; **Everest** claimed ~30GB theft), and **Iron Mountain** (Everest claim of 1.4TB theft, while Iron Mountain stated access was limited to a single marketing folder via a compromised credential). Separately, Huntress described how investigation of a “routine” **RDP brute-force** success led to discovery of credential-hunting behavior and **geo-distributed infrastructure** consistent with a **ransomware-as-a-service** ecosystem and associated initial access activity, illustrating how exposed remote access can connect to broader ransomware operations. Arctic Wolf warned of **heightened cyber risk** following the February 2026 U.S./Israel-Iran escalation (*Operation Epic Fury*), advising increased vigilance—especially for sectors historically targeted by Iranian-linked actors (e.g., energy, defense, transportation, healthcare, government)—and anticipating potential **wiper activity, DDoS, targeted intrusions, supply-chain risk**, and possible collaboration with ransomware-affiliate activity amid geopolitical retaliation dynamics.
1 weeks ago