{"id":15873,"date":"2026-02-27T07:08:00","date_gmt":"2026-02-27T07:08:00","guid":{"rendered":"https:\/\/newestek.com\/?p=15873"},"modified":"2026-02-27T07:08:00","modified_gmt":"2026-02-27T07:08:00","slug":"ransomware-groups-switch-to-stealthy-attacks-and-long-term-access","status":"publish","type":"post","link":"https:\/\/newestek.com\/?p=15873","title":{"rendered":"Ransomware groups switch to stealthy attacks and long-term access"},"content":{"rendered":"<div>\n<div id=\"remove_no_follow\">\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<section class=\"wp-block-bigbite-multi-title\">\n<div class=\"container\"><\/div>\n<\/section>\n<p><a href=\"https:\/\/www.csoonline.com\/article\/563507\/what-is-ransomware-how-it-works-and-how-to-remove-it.html\">Ransomware<\/a> attackers are switching tactics in favor of more stealthy infiltration, as the threat of public exposure of sensitive corporate data is becoming the main mechanism of extortion.<\/p>\n<p><a href=\"https:\/\/www.picussecurity.com\/red-report\">Picus Security\u2019s annual red-teaming report<\/a> shows attackers shifting away from loud disruption toward quiet, long-term access \u2014 or from \u201cpredatory\u201d smash-and-grab tactics to \u201cparasitic\u201d silent residency.<\/p>\n<p>Four in five of the most common attack techniques deployed by ransomware strains are designed to stay hidden once attackers gain initial access. 
For example, ransomware operations are increasingly using defense evasion and persistence techniques as their tradecraft has evolved, according to Picus Security, a cybersecurity firm that specializes in breach and attack simulation.<\/p>\n<p>Attackers are also increasingly routing command-and-control (C2) traffic through trusted enterprise services such as OpenAI and AWS so that malign activity more closely resembles normal business traffic.<\/p>\n<p>Picus Security\u2019s conclusions come from attack simulations combined with an analysis of 1.1 million malicious files and 15.5 million adversarial actions mapped to the <a href=\"https:\/\/www.csoonline.com\/article\/565030\/mitre-att-and-ck-framework-understanding-attack-methods.html\">MITRE ATT&amp;CK framework<\/a>.<\/p>\n<p>The Picus findings about attackers favoring stealth and persistence over loud disruption are consistent with the findings of <a href=\"https:\/\/www.securin.io\/ransomware-report-2025\">ransomware research by Securin<\/a>, which reports that attackers are chaining vulnerabilities in their attacks on corporate systems.<\/p>\n<p>\u201cRansomware groups no longer treat vulnerabilities as isolated entry points,\u201d says Aviral Verma, lead threat intelligence analyst at penetration testing and cybersecurity services firm Securin. 
\u201cThey assemble them into deliberate exploitation chains, selecting weaknesses not just for severity, but for how effectively they can collapse trust, persistence, and operational control across entire platforms.\u201d<\/p>\n<p>AI is now widely accessible to threat actors, but it primarily functions as a force multiplier rather than a driving force in ransomware attacks.<\/p>\n<h2 class=\"wp-block-heading\" id=\"double-jeopardy\">Double jeopardy<\/h2>\n<p>Ransomware gangs commonly favor double extortion, in which blackmail based on the threatened leak of stolen information is combined with the disruption caused by encrypting data after breaking into corporate networks.<\/p>\n<p>Picus reports a 38% drop in encryption over the past 12 months as more cybercriminals turn to silently exfiltrating data for extortion as their main stock in trade.<\/p>\n<p><a href=\"https:\/\/www.picussecurity.com\/resource\/press-release\/red-report-2026-rise-of-digital-parasite\">Picus\u2019 suggestion that the volume of ransomware attacks<\/a> is dropping is disputed by other experts.<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/tonyanscombe\/\">Tony Anscombe<\/a>, chief security evangelist at endpoint security vendor Eset, offered a contrasting perspective.<\/p>\n<p>\u201cIn the recent <a href=\"https:\/\/www.welivesecurity.com\/en\/eset-research\/eset-threat-report-h2-2025\">Eset H2 2025 Threat Report<\/a>, the detection data shows a 13% increase between H1 and H2, coupled with the number of publicly reported victims increasing by 40% reported via ecrime.ch, then it [ransomware] does not appear to be in decline,\u201d Anscombe tells CSO.<\/p>\n<p>Nick Hyatt, senior threat intelligence consultant at cybersecurity services firm GuidePoint Security, says data on more than 7,000 victims was publicly posted last year, a figure that likely excludes \u201cvictims who paid and were never posted by the threat actor.\u201d<\/p>\n<p>Far from showing any signs of 
consolidation, the number of active ransomware groups hit an all-time high last year, according to GuidePoint.<\/p>\n<p>\u201cThreat actors streamlined their attack capabilities, using a mix of established techniques, vulnerability exploitation, and novel attacks to execute on their objectives,\u201d says Hyatt.<\/p>\n<h2 class=\"wp-block-heading\" id=\"rogues-gallery\">Rogues gallery<\/h2>\n<p>Experts polled by CSO commonly rated <a href=\"https:\/\/www.csoonline.com\/article\/4079316\/cross-platform-ransomware-qilin-weaponizes-linux-binaries-against-windows-hosts.html\">Qilin<\/a>, Cl0p and <a href=\"https:\/\/www.csoonline.com\/article\/4090995\/akira-ransomware-expands-to-nutanix-ahv-raising-stakes-for-enterprise-security.html\">Akira<\/a> as among the most <a href=\"https:\/\/www.csoonline.com\/article\/3838121\/the-dirty-dozen-12-worst-ransomware-groups-active-today.html\">active ransomware groups<\/a> but there was no shortage of other contenders.<\/p>\n<p>\u201cAkira stands out as the No. 1 ransomware group today from Huntress\u2019 2025 data,\u201d says <a href=\"https:\/\/www.huntress.com\/authors\/dray-agha\">Dray Agha<\/a>, senior manager of security operations at managed detection and response firm Huntress. \u201cTheir tradecraft is rapidly evolving specifically to neutralize existing security solutions, and we are seeing them aggressively target the hypervisor level to completely bypass traditional endpoint security protections.\u201d<\/p>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/collin-hogue-spears\/\">Collin Hogue-Spears<\/a>, senior director distinguished technical expert at application security firm Black Duck Software, says that ransomware operators have stopped operating like organized crime and started operating like a platform business.<\/p>\n<p>\u201cQilin posted over 1,000 victims in 2025, a seven-fold increase over the prior year,\u201d according to Hogue-Spears. 
\u201cLockBit 5.0 clawed back to operational capacity after its takedown.\u201d<\/p>\n<p>Meanwhile the <a href=\"https:\/\/www.csoonline.com\/article\/4124684\/shinyhunters-ramp-up-new-vishing-campaign-with-100s-in-crosshairs.html\">Scattered Spider\/Lapsus$\/ShinyHunters (SLSH) federation<\/a> is running extortion-as-a-service, an approach that makes it easier for less technically skilled cybercriminals to make a dishonest living.<\/p>\n<p>SLSH has created a \u201cstructural shift\u201d in the cybercrime ecosystem.<\/p>\n<p>\u201cSeventy-three new groups appeared in six months because they no longer need to build their own tooling,\u201d says Hogue-Spears. \u201cThey rent it.\u201d<\/p>\n<h2 class=\"wp-block-heading\" id=\"new-threat-techniques-require-security-rethink\">New threat techniques require security rethink<\/h2>\n<p><a href=\"https:\/\/www.linkedin.com\/in\/mourtzinosvasileios\/?originalSubdomain=ca\">Vasileios Mourtzinos<\/a>, a member of the threat team at managed detection and response firm Quorum Cyber, says that more groups are moving away from high-impact encryption towards extortion-led models that prioritize data theft and prolonged, low-noise access.<\/p>\n<p>\u201cThis approach, popularized by actors such as Cl0p through large-scale exploitation of third-party and supply chain vulnerabilities, is now being mirrored more widely, alongside increased abuse of valid accounts, legitimate administrative tools to blend into normal activity, and in some cases attempts to recruit or incentivize insiders to facilitate access,\u201d Mourtzinos says.<\/p>\n<p>The evolving tradecraft of ransomware groups should prompt a rethink of defensive strategies.<\/p>\n<p>\u201cFor CISOs, the priority should be strengthening identity controls, closely monitoring trusted applications and third-party integrations, and ensuring detection strategies focus on persistence and data exfiltration activity,\u201d Mourtzinos 
advises.<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n<\/div>\n","protected":false},"excerpt":{"rendered":"<p>Ransomware attackers are switching tactics in favor of more stealthy infiltration, as the threat of public exposure of sensitive corporate data is becoming the main mechanism of extortion. Picus Security\u2019s annual red-teaming report shows attackers shifting away from loud disruption toward quiet, long-term access \u2014 or from \u201cpredatory\u201d smash-and-grab tactics to \u201cparasitic\u201d silent residency. Four in five of the most common attack techniques deployed by&#8230; <\/p>\n<p class=\"more\"><a class=\"more-link\" href=\"https:\/\/newestek.com\/?p=15873\">Read More<\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"inline_featured_image":false,"footnotes":""},"categories":[1],"tags":[],"class_list":["post-15873","post","type-post","status-publish","format-standard","hentry","category-uncategorized","is-cat-link-borders-light 
is-cat-link-rounded"],"_links":{"self":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15873","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=15873"}],"version-history":[{"count":0,"href":"https:\/\/newestek.com\/index.php?rest_route=\/wp\/v2\/posts\/15873\/revisions"}],"wp:attachment":[{"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=15873"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=15873"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/newestek.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=15873"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}