Less Lucrative Ransomware Market Makes Attackers Alter Methods
Ransomware actors are ditching Cobalt Strike in favor of native Windows tools, as payment rates hit record lows and data theft surges.
Alexander Culafi, Senior News Writer, Dark Reading
March 17, 2026
Threat actors are changing their tactics toward built-in tooling, as ransomware payment rates continue to decline.
The Google Threat Intelligence Group (GTIG) this week published research related to the ransomware ecosystem across 2025, as well as the most common tactics, techniques, and procedures (TTPs) seen in incidents Google Cloud's Mandiant group responded to.
Among the headline data points: suspected data theft was present in approximately 77% of attacks (up from 57% the prior year); 43% of intrusions targeted virtualization infrastructure (up from 29%); vulnerability exploitation, particularly of VPNs and firewalls, was the initial access vector in one-third of cases; and Dark Web leak site posts (attackers naming and shaming victims) hit record highs in 2025.
On that last statistic, GTIG observed that data leak sites generally name and publish data only from victims that don't pay the ransom. That lines up with reports from incident response firm Coveware by Veeam, which observed a dramatic decrease in both average and median ransom payments: large enterprises pay less often, while mid-size businesses pay smaller sums.
Moreover, Coveware's latest findings show a continued decline in the frequency of payment (20% of victims paid last quarter, an all-time low since the firm began tracking these numbers). The same findings show an increase in average and median payment, but the report attributes those spikes to a few high-impact incidents rather than to any trend.
Defenders are getting better at avoiding ransomware attacks and, Google observed, better at recovering from them. Law enforcement action, a crowded threat-actor ecosystem, and infighting among ransomware actors further disrupted the ransomware ecosystem last year.
Ransomware Threat Actors Live Off the Land
Google's research suggests that threat actors have responded to this disruption, in part, by leaning less on external tooling and more on built-in Windows capabilities (that is, living off the land).
For example, Cobalt Strike Beacon appeared in only 2% of ransomware attacks last year, down from 11% in 2024 and from roughly 60% in 2021. Mimikatz, meanwhile, was used in 18% of attacks last year, a 2% decrease from 2024.
Pair this with the increasing use of built-in Windows tooling observed in attacks. While vulnerability exploitation is still the most common initial access vector, stolen credentials are widely used for initial access (21%) and consistently used to establish a foothold after initial access is gained.
Attackers are also using PowerShell commands, publicly available software, and system utilities to conduct initial reconnaissance.
"Threat actors consistently used PowerShell to query Active Directory (AD) objects for running processes, network shares, and user group memberships. This activity ranged from using native cmdlets like Get-ADComputer and Get-ADUser to using script blocks to query other system data," Google's blog post read. "Threat actors [also] continued to rely heavily on internal Windows utilities in this phase of the attack lifecycle, including ipconfig, netstat, ping, and nltest, among others."
Built-in protocols such as Remote Desktop Protocol (RDP), Server Message Block (SMB), and Secure Shell (SSH) were used for lateral movement; RDP in particular was seen in 85% of attacks.
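The reconnaissance pattern described above (ipconfig, netstat, ping, nltest, and Get-ADComputer/Get-ADUser run in quick succession) is hard to catch one command at a time, since each utility is ordinary admin activity on its own. The following is an added example of the contextual correlation a defender can apply to process-creation telemetry; it is not code from Google, Mandiant, or Veeam, and the host names, user names, and log records are constructed.

```python
"""Flag a host/user that runs several native Windows discovery utilities in a
short window (the living-off-the-land recon pattern). Added example; sample data is constructed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Native utilities and AD cmdlets the report names as reconnaissance tooling.
RECON_PATTERNS = {
    "ipconfig": re.compile(r"\bipconfig(\.exe)?\b", re.I),
    "netstat": re.compile(r"\bnetstat(\.exe)?\b", re.I),
    "ping": re.compile(r"\bping(\.exe)?\b", re.I),
    "nltest": re.compile(r"\bnltest(\.exe)?\b", re.I),
    "ad-cmdlet": re.compile(r"\bGet-AD(Computer|User)\b", re.I),
}

def classify(cmdline):
    """Return the set of recon categories a command line matches."""
    return {name for name, pat in RECON_PATTERNS.items() if pat.search(cmdline)}

def find_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """events: dicts with 'ts' (ISO 8601), 'host', 'user', 'cmdline'. One ipconfig or ping
    is admin noise; the signal is >= min_distinct categories from one actor inside `window`."""
    by_actor = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        cats = classify(e["cmdline"])
        if cats:
            by_actor[(e["host"], e["user"])].append((datetime.fromisoformat(e["ts"]), cats))
    alerts = []
    for (host, user), hits in by_actor.items():
        for i, (t0, _) in enumerate(hits):
            seen = set()
            for t, cats in hits[i:]:
                if t - t0 > window:
                    break
                seen |= cats
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": t0.isoformat(),
                               "categories": sorted(seen)})
                break  # one alert per actor is enough
    return alerts

# Constructed sample process-creation events (fictional hosts and users).
SAMPLE_EVENTS = [
    {"ts": "2026-03-10T09:00:05", "host": "WS-042", "user": "CORP\\jdoe", "cmdline": "ipconfig /all"},
    {"ts": "2026-03-10T09:00:40", "host": "WS-042", "user": "CORP\\jdoe", "cmdline": "nltest /dclist:corp"},
    {"ts": "2026-03-10T09:01:12", "host": "WS-042", "user": "CORP\\jdoe", "cmdline": "netstat -ano"},
    {"ts": "2026-03-10T09:02:30", "host": "WS-042", "user": "CORP\\jdoe", "cmdline": "powershell Get-ADComputer -Filter *"},
    {"ts": "2026-03-10T11:15:00", "host": "WS-017", "user": "CORP\\helpdesk", "cmdline": "ping 10.0.0.1"},
    {"ts": "2026-03-10T14:40:00", "host": "WS-017", "user": "CORP\\helpdesk", "cmdline": "ipconfig /release"},
]
```

Tune `window` and `min_distinct` against your own baseline; the same two knobs are how you keep a help desk that pings and ipconfigs all day from paging you.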
Ransomware Actors' MO: 'Evasion Through Normalcy'
These statistics overall paint a picture of decreased reliance on external tooling and increased reliance on built-in capabilities.
Ray Umerley, field chief information security officer (CISO) at Veeam, tells Dark Reading in an email that his firm also sees this as an ongoing trend, with the nuance that some tools like Mimikatz remain prevalent in case data.
"It's not that 'classic' offensive tooling has disappeared; rather, many threat actors are leaning more heavily on built-in Windows capabilities (PowerShell, WMI, cmd/batch, etc.) to reduce the need to introduce additional binaries that are more likely to stand out," he writes, labeling this trend "evasion through normalcy."
"Purpose-built tooling like Mimikatz and Beacon is widely signatured and behaviorally modeled by [endpoint detection and response, or EDR], so deploying it can create clear detection opportunities and cause operations to fail earlier," he adds. "By contrast, abusing native tooling blends into the organization's baseline and is harder to distinguish from legitimate administration without strong contextual correlation and identity controls. This aligns with how many of the threat actors we observe operate at speed and scale: optimizing for repeatability, reliability, and minimizing friction (and detection) as they move through an environment to achieve their objectives."
Bavi Sadayappan, senior threat intelligence analyst at Google and a co-author of the research, concurs that GTIG has observed this migration to built-in tooling in recent years.
"Over the past several years we've seen ransomware actors continuously reduce their reliance on malware and common intrusion tools for various phases of the attack lifecycle, including an almost complete lack of Cobalt Strike Beacon use in 2025," she says. "This shift toward native utilities and publicly available tools for their operations is likely, at least in part, due to improved security postures and endpoint detection systems that are able to identify and/or block more malicious activity. By relying more heavily on abusing native functionality and legitimate tools, threat actors may be more likely to evade detections and operate under the radar."
About the Author
Alexander Culafi
Senior News Writer, Dark Reading
Alex is an award-winning writer, journalist, and podcast host based in Boston. After cutting his teeth writing for independent gaming publications as a teenager, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere. In his spare time, Alex hosts the weekly Nintendo podcast Talk Nintendo Podcast and works on personal writing projects, including two previously self-published science fiction novels.