Industry reporting highlights ransomware shift to stealthy, long-dwell intrusions and increased zero-day exploitation
Multiple security reports and commentary describe ransomware operators shifting from fast “smash-and-grab” encryption to stealthier campaigns that prioritize long-term access, data theft, and operational leverage. VulnCheck’s 2026 exploit intelligence findings indicate that while only a small fraction of newly disclosed vulnerabilities are exploited in the wild, the exploited set drives outsized impact; the report also assesses that ransomware-linked vulnerability exploitation is increasingly zero-day-led, with over half of ransomware-associated CVEs first identified via active exploitation. The same analysis notes rapid weaponization dynamics (including growth in public PoCs and noisy, low-quality AI-generated exploit code) that can distort prioritization while attackers move faster than patch cycles—an issue that is particularly consequential for OT environments where downtime and patch latency are common.
Several other items in the set are not reporting on this specific ransomware/zero-day trend and instead provide general security guidance or leadership content. These include broad, non-incident overviews of financial-sector threats, dark web monitoring decision-making, AI skills discussions, board-level risk/metrics perspectives, and DDoS readiness best practices; they do not add concrete, corroborating detail to the ransomware zero-day/long-dwell access narrative beyond general context that cybercrime is evolving and defenders should focus on actionable risk signals.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
CSO Online highlights shift toward stealthier ransomware intrusions
By February 27, 2026, CSO Online highlighted analysis that ransomware groups were moving away from immediate, noisy attacks toward stealthier intrusions and maintaining long-term access in victim environments. The item reflected an industry-observed evolution in ransomware tradecraft rather than a single incident.
VulnCheck publishes 2026 exploit intelligence report
On or before February 26, 2026, VulnCheck released its 2026 exploit intelligence report, stating that more than 48,000 CVEs were disclosed in 2025 but only about 1% were exploited in the wild. The report also noted a 16.5% increase in proof-of-concept availability, a 52% year-over-year rise in China-nexus attributions, and warned that ransomware groups were increasingly relying on zero-days, raising risk for OT environments.
VulnCheck says one-third of known 2025 ransomware CVEs lacked public exploits
As of January 2026, VulnCheck found that roughly one-third of known 2025 CVEs associated with ransomware still had no public or commercial exploit available. The finding suggested many ransomware exploit chains remained private despite active criminal use.
VulnCheck links 39 newly disclosed 2025 CVEs to ransomware activity
During 2025, VulnCheck identified 39 newly disclosed CVEs tied to ransomware operations across at least 17 ransomware families. The report said 56.4% of ransomware-linked 2025 CVEs were first discovered through evidence of active exploitation, indicating increased zero-day use by ransomware actors.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
Ransomware groups switch to stealthy attacks and long-term access | CSO Online
csoonline.com
Open sourceVulnCheck finds ransomware operators increasingly relying on zero-days, raising risk in OT environments - Industrial Cyber
industrialcyber.co
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Ransomware and initial-access tradecraft evolves with new evasion and extortion techniques
Reporting and research published in mid-January 2026 highlights continued **high ransomware activity** and rapid evolution in initial-access and evasion tradecraft. A Symantec/Carbon Black Threat Hunter Team study cited by *Help Net Security* reports ransomware actors claimed **4,737 attacks in 2025**, with only brief slowdowns after major disruptions; the abrupt April 2025 shutdown of **RansomHub** was followed by affiliates quickly shifting to other operations, while **LockBit** failed to recover after late-2024 law-enforcement action. The same reporting notes a broader shift toward **extortion models that don’t rely on encryption**, emphasizing data theft and coercion as groups diversify pressure tactics. Multiple technical reports describe how attackers are improving delivery and resilience. *BleepingComputer* says **Gootloader** now uses heavily malformed ZIP files—concatenating **500–1,000** ZIP archives and manipulating ZIP structures (e.g., truncated `EOCD`)—to crash or defeat common analysis tools while still extracting via Windows’ default utility, supporting its role as an initial-access vector often preceding ransomware. *The Register* reports **DeadLock** ransomware uses **Polygon smart contracts** to frequently rotate proxy infrastructure for victim communications (via an HTML wrapper pointing victims to the *Session* messenger), complicating blocking and takedown efforts; Group-IB notes DeadLock also departs from typical double-extortion by lacking a public data-leak site and instead threatening underground data sales. Separately, Microsoft-observed phishing described by *KnowBe4* shows threat actors exploiting **email routing/spoofing misconfigurations** to make phishing appear internal (often leveraging **Tycoon2FA**), while ReliaQuest’s trend report and a separate write-up on **CastleLoader** describe human-driven initial access (spearphishing/drive-by) and social-engineering lures such as **ClickFix** being used to stage loaders and follow-on payloads—underscoring that access-broker and loader ecosystems continue to feed ransomware and broader intrusion activity.
Mar 21, 2026
Ransomware Activity and Related Threat Intelligence Updates
Reporting highlighted elevated ransomware activity and evolving access-broker ecosystems. BlackFog’s February ransomware roundup counted **82 publicly disclosed ransomware incidents** across **20 countries**, with the **U.S.** most affected (51 incidents) and **healthcare** the most targeted sector (31%). The report attributed publicly claimed attacks to **24 ransomware groups**, led by **Shiny Hunters** (8) and **Qilin** (6), while noting **41%** of incidents were not yet attributed; it also cited individual victim disclosures/claims involving **Nova Biomedical** (PII exposure affecting 10,764 people), **Hosokawa Micron** (files accessed; **Everest** claimed ~30GB theft), and **Iron Mountain** (Everest claim of 1.4TB theft, while Iron Mountain stated access was limited to a single marketing folder via a compromised credential). Separately, Huntress described how investigation of a “routine” **RDP brute-force** success led to discovery of credential-hunting behavior and **geo-distributed infrastructure** consistent with a **ransomware-as-a-service** ecosystem and associated initial access activity, illustrating how exposed remote access can connect to broader ransomware operations. Arctic Wolf warned of **heightened cyber risk** following the February 2026 U.S./Israel-Iran escalation (*Operation Epic Fury*), advising increased vigilance—especially for sectors historically targeted by Iranian-linked actors (e.g., energy, defense, transportation, healthcare, government)—and anticipating potential **wiper activity, DDoS, targeted intrusions, supply-chain risk**, and possible collaboration with ransomware-affiliate activity amid geopolitical retaliation dynamics.
May 12, 2026
AI and Automation Accelerate Ransomware Operations and Intrusion Speed
Recent reporting and threat research indicate **AI and automation are materially compressing attacker timelines**, reducing defenders’ opportunity to detect and contain intrusions. A ReliaQuest analysis cited by SC Media found **lateral movement can occur in as little as four minutes** (with average lateral movement time dropping from 48 to 34 minutes), and **data exfiltration** in the fastest cases falling to **six minutes** (down from more than four hours previously). The same reporting notes **80% of ransomware groups** are leveraging AI and/or automation for data theft, and highlights **BoaLoader** as an example of converged AI-assisted development, social engineering, and traditional cybercrime activity. Separate ransomware telemetry from NCC Group shows overall **publicly disclosed ransomware incidents** dipped month-over-month in January but remained broadly consistent year-over-year (741 vs. 696), with **North America** accounting for **54%** of activity and **industrials** the most targeted sector (32%). The report identified **Qilin** as the most active group (108 cases), followed by **Akira** and **Sinobi**, and warned that attacker tradecraft is expanding to new initial access paths, including **messaging platforms** (e.g., WhatsApp, Signal, Telegram) via device-linking scams and malicious QR codes. ASEC’s weekly “Ransom & Dark Web Issues” roundup provides additional context on ongoing ransomware and hacktivist activity (e.g., **Morpheus** targeting a South Korean plating company and **Ailock** republishing prior victims), but it is not clearly tied to the same specific datasets or findings on AI-driven acceleration described in the other reporting.
Mar 21, 2026