2025 Ransomware trend toward built-in Windows tooling and lower ransom payment rates
Target Trend
Summary
Ransomware operators are increasingly leaning on built-in Windows tooling while ransom payment rates continued to decline across 2025, weakening the economics of extortion against enterprise victims. The same incident set shows more data theft and more targeting of virtualization infrastructure, which raises both disruption and double-extortion risk. Attackers are also exploiting VPN and firewall appliances for initial access while relying less on external tooling such as Cobalt Strike Beacon. The shift points to a stealth-oriented operating model that blends into normal administrative activity and is harder to detect and disrupt.
Related Happenings
ScarCruft sqgame[.]net supply-chain espionage campaign
Campaign
First: 05.05.2026 12:07
Last: 05.05.2026 12:07
Sources 1
About this happening:
**ScarCruft**'s **late-2024** supply-chain campaign against **sqgame[.]net** expanded a niche gaming platform compromise into a **multi-platform espionage channel**. The operation...
Instructure hit by cyberattack
Incident
First: 04.05.2026 01:16
Last: 04.05.2026 01:16
Sources 1
About this happening:
**Instructure** disclosed a **cybersecurity incident** that exposed user information and prompted an investigation with outside experts and law enforcement. The event matters beca...
Latest development: 14.05.2026 23:19
The House Committee on Homeland Security and the US Senate Committee on Health, Education, Labor, and Pensions sought briefings from Instructure over the Canvas compromise, pressing the edtech vendor on whether it paid a ransom, what data was affected, how it handled the recent attacks, and whether the incident was linked to a prior Salesforce compromise.
Vect 2.0 ransomware wiper-flaw activity
Malware Activity
First: 29.04.2026 18:23
Last: 29.04.2026 18:23
Sources 1
About this happening:
The **Vect 2.0** ransomware variant now **permanently destroys large files** instead of encrypting them, which can leave defenders without a recoverable copy. The flaw affects ver...
Vect ransomware flawed ChaCha20 implementation destroys large files
Technical Analysis
First: 29.04.2026 13:45
Last: 29.04.2026 13:45
Sources 1
About this happening:
**Vect 2.0 ransomware** was shown to use **raw ChaCha20-IETF (RFC 8439)** without authentication, causing files above **128 KB** to be permanently destroyed across **Windows, Linu...
VECT 2.0 ransomware-branded file destruction malware
Malware Activity
First: 28.04.2026 17:01
Last: 28.04.2026 17:01
Sources 1
About this happening:
The **VECT 2.0** malware now behaves like a **wiper** rather than recoverable ransomware, permanently destroying large files and raising the stakes for victims. The destructive fl...
Timeline
17.03.2026 23:41 · 2 articles
GTIG reports ransomware shift toward native Windows tools
Initial Disclosure: Google Threat Intelligence Group published 2025 ransomware research showing threat actors leaning more on built-in Windows capabilities and less on external tooling such as Cobalt Strike Beacon and Mimikatz, while ransom payment rates continue to fall for affected organizations. The findings report that suspected data theft appeared in about 77% of attacks, 43% of intrusions targeted virtualization infrastructure, vulnerabilities were used for initial access in one-third of cases, and data leak sites increasingly name victims that do not pay. Google also observed PowerShell used to query Active Directory objects, along with internal Windows utilities such as ipconfig, netstat, ping, and nltest, as part of this evasion-through-normalcy approach.
Sources:
- Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41
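The evasion-through-normalcy pattern described above is hard to catch with per-process rules, because ipconfig, netstat, ping, nltest and PowerShell are all legitimate on their own. What stands out is several distinct native recon tools launched from the same parent process on one host inside a short window. The following detection logic is an added example written for this page; it is not code from Google Threat Intelligence Group or from the Dark Reading article. The log lines are constructed Sysmon Event ID 1 (process creation) records reduced to a pipe-delimited form, and the five-minute window, the three-distinct-tools threshold and the PowerShell AD-query markers (Get-ADComputer, [adsisearcher] and similar) are assumptions chosen for illustration rather than values taken from the report.

```python
"""Cluster native Windows recon tooling by host and parent process.

Added example for this page, not GTIG's or the article's own code. Sample
records are constructed; window, threshold and AD-query markers are assumed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Built-in utilities the report names as reconnaissance tooling.
RECON_IMAGES = {"ipconfig.exe", "netstat.exe", "ping.exe", "nltest.exe"}
# The report says PowerShell was used to query AD objects; these command-line
# markers are an assumed way to recognise that, not a list from the report.
AD_QUERY_MARKERS = ("get-adcomputer", "get-aduser", "get-adgroupmember",
                    "[adsisearcher]", "directorysearcher")

WINDOW = timedelta(minutes=5)   # assumed correlation window
MIN_DISTINCT_TOOLS = 3          # assumed alert threshold

# Constructed Sysmon EID 1 records: ts|host|parent_image|image|command_line
SAMPLE_LOGS = [
    # Benign: a single ping from an interactive shell.
    "2025-06-03T09:01:10|WS-FIN-07|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\ping.exe|ping 10.0.0.1",
    # Suspicious: one cmd.exe parent runs four recon tools in under four minutes.
    "2025-06-03T14:12:02|SRV-FILE-02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig /all",
    "2025-06-03T14:12:09|SRV-FILE-02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\netstat.exe|netstat -ano",
    "2025-06-03T14:13:31|SRV-FILE-02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\nltest.exe|nltest /dclist:corp",
    "2025-06-03T14:15:40|SRV-FILE-02|C:\\Windows\\System32\\cmd.exe|C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|powershell -nop -c \"([adsisearcher]'(objectCategory=computer)').FindAll()\"",
    # Same tools spread over an hour from explorer.exe: stays below threshold.
    "2025-06-03T16:00:00|WS-HR-11|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\ipconfig.exe|ipconfig",
    "2025-06-03T16:30:00|WS-HR-11|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\netstat.exe|netstat -an",
    "2025-06-03T17:05:00|WS-HR-11|C:\\Windows\\explorer.exe|C:\\Windows\\System32\\nltest.exe|nltest /domain_trusts",
]


def parse_line(line):
    """Parse one record into a dict with lower-cased image basenames."""
    ts, host, parent, image, cmd = line.split("|", 4)
    return {
        "ts": datetime.fromisoformat(ts),
        "host": host,
        "parent": parent.rsplit("\\", 1)[-1].lower(),
        "image": image.rsplit("\\", 1)[-1].lower(),
        "cmd": cmd.lower(),
    }


def recon_tool(ev):
    """Return a tool label when the event is native recon, else None."""
    if ev["image"] in RECON_IMAGES:
        return ev["image"]
    if ev["image"] in ("powershell.exe", "pwsh.exe") and any(
        marker in ev["cmd"] for marker in AD_QUERY_MARKERS
    ):
        return "powershell-ad-query"
    return None


def find_recon_clusters(lines):
    """Flag (host, parent) pairs that launch >= MIN_DISTINCT_TOOLS distinct
    recon tools within any WINDOW-long sliding window; one alert per pair."""
    by_key = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        tool = recon_tool(ev)
        if tool:
            by_key[(ev["host"], ev["parent"])].append((ev["ts"], tool))

    alerts = []
    for (host, parent), events in by_key.items():
        events.sort()  # by timestamp; the sliding window starts at each event
        for i, (start, _) in enumerate(events):
            tools = {t for ts, t in events[i:] if ts - start <= WINDOW}
            if len(tools) >= MIN_DISTINCT_TOOLS:
                alerts.append({"host": host, "parent": parent,
                               "first_seen": start, "tools": sorted(tools)})
                break
    return alerts


if __name__ == "__main__":
    for alert in find_recon_clusters(SAMPLE_LOGS):
        print(f"{alert['host']} {alert['parent']} @ {alert['first_seen']}: "
              f"{', '.join(alert['tools'])}")
```

Running this on the constructed records produces a single alert for SRV-FILE-02 (parent cmd.exe), while the lone ping and the slow, explorer-launched sequence on WS-HR-11 stay silent. In a real deployment the same logic applies to Sysmon EID 1 or Windows Security 4688 events, with the caveat that 4688 only carries the command line when process command-line auditing is enabled, and without it the PowerShell AD-query branch cannot fire.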