Shifting ransomware tactics toward built-in Windows utilities as payment rates decline

Timeline

1. 17.03.2026 23:41 1 articles · 3h ago

   Ransomware actors pivot to native Windows tooling amid declining payment rates

   Analysis of 2025 ransomware incidents shows adversaries increasingly leveraging built-in utilities (PowerShell, RDP, SMB, SSH) and reducing reliance on signatured tools like Cobalt Strike Beacon and Mimikatz. Initial access vectors remain dominated by credential theft and VPN/firewall exploits. Data theft accompanies 77% of attacks, while leak site activity surges despite payment decline to 20% of victims.

   Show sources

   • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

   Open in new tab

Information Snippets

• Suspected data theft occurred in approximately 77% of ransomware incidents in 2025, up from 57% in 2024.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• 43% of intrusions targeted virtualization infrastructure in 2025, compared to 29% in 2024.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Vulnerabilities in VPNs and firewalls were exploited as an initial access vector in one-third of ransomware incidents.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Dark web victim shaming via leak sites reached record highs in 2025, primarily targeting non-paying victims.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Only 20% of ransomware victims paid the ransom last quarter, the lowest rate since tracking began.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Cobalt Strike Beacon was observed in just 2% of ransomware attacks in 2025, down from 11% in 2024 and 60% in 2021.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Mimikatz usage decreased to 18% in 2025, a 2% drop from 2024.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Stolen credentials were used in 21% of attacks for initial access and consistently post-compromise for establishing footholds.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Remote Desktop Protocol (RDP) was used in 85% of attacks for lateral movement.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41

• Threat actors frequently abused native Windows utilities such as PowerShell, WMI, cmd/batch, ipconfig, netstat, ping, and nltest for reconnaissance and post-exploitation activities.

  First reported: 17.03.2026 23:41
  1 source, 1 article
  Show sources

  • Less Lucrative Ransomware Market Makes Attackers Alter Methods — www.darkreading.com — 17.03.2026 23:41