Navigating 2026’s Converged Threats: Insights from Flashpoint’s Global Threat Intelligence Report
In this post, we preview the critical findings of the 2026 Global Threat Intelligence Report, highlighting how the collapse of traditional security silos and the rise of autonomous, machine-speed attacks are forcing a total reimagining of modern defense.
The cybersecurity landscape has reached a point of total convergence, where the silos that once separated malware, identity, and infrastructure have collapsed into a single, high-velocity threat engine. Simultaneously, the threat landscape is shifting from human-led attacks to machine-speed operations as a result of agentic AI, which acts as a force multiplier for the modern adversary.
Flashpoint’s 2026 Global Threat Intelligence Report
Our report uncovers several staggering metrics that illustrate the industrialization of modern cybercrime:
AI-related illicit activity skyrocketed by 1,500% in a single month at the end of 2025.
3.3 billion compromised credentials and cloud tokens have turned identity into the primary exploit vector.
From January 2025 to December 2025, ransomware incidents rose by 53%, as attackers pivot from technical encryption to “pure-play” identity extortion.
Vulnerability disclosures surged by 12% from January 2025 to December 2025, with the window between discovery and mass exploitation effectively vanishing.
These findings are derived from Flashpoint’s Primary Source Collection (PSC), a specialized operating model that collects intelligence directly from original sources, driven by an organization’s unique Priority Intelligence Requirements (PIR). The 2026 Global Threat Intelligence Report leverages this ground-truth data to provide a strategic framework for the year ahead. Download to gain:
A Clear Understanding of the New Convergence Between Identity and AI Discover how threat actors are preparing to transition from generative tools to sophisticated agentic frameworks. Learn how 3.3 billion compromised credentials are being weaponized via automated orchestration to bypass legacy defenses and exploit the connective tissue of modern corporate APIs.
Intelligence on the “Franchise Model” of Global Extortion Gain deep insight into the professionalized operations of today’s most prolific threat actors. From the industrial efficiency of RaaS groups like RansomHub and Clop to the market dominance of the next generation of infostealer malware, we break down the economics driving today’s cybercrime ecosystem.
A Blueprint for Proactive Defense and Risk Mitigation Leverage the latest trends, in-depth analysis, and data-driven insights driven by Primary Source Collection to bolster your security posture by identifying and proactively defending against rising attack vectors.
“As attackers automate exploitation of identity, vulnerabilities, and ransomware, defenders who rely on fragmented visibility will fall behind. To keep pace, organizations must ground their decisions in primary-source intelligence that is drawn from adversarial environments, so that decision-makers can get ahead of this accelerating threat cycle.”
Josh Lefkowitz, CEO & Co-Founder at Flashpoint
The Top Threats at a Glance
Our latest report identifies four driving themes shaping the 2026 threat landscape:
2026 Is the Era of Agentic-Based Cyberattacks
Flashpoint identified a 1,500% rise in AI-related illicit discussions between November and December 2025, signaling a rapid transition from criminal curiosity to the active development of malicious frameworks. Built on data pulled from criminal environments and shaped by fraud use cases, these systems scrape data, adjust messaging for specific targets, rotate infrastructure, and learn from failed attempts without the need for constant human involvement.
“2026 is the era of agentic-based cyberattacks. We’ve seen a 1,500% increase in AI-related illicit discussions in a single month, signaling increased interest in developing malicious frameworks. The discussions evolve into vibe-coded, AI-supported phishing lures, malware, and cybercrime venues. When iteration becomes cheap through automation, attackers can afford to fail repeatedly until they find a successful foothold.”
Ian Gray, Vice President of Cyber Threat Intelligence Operations at Flashpoint
Identity Is the New Exploit
Flashpoint observed over 11.1 million machines infected with infostealers in 2025, fueling a massive inventory of 3.3 billion stolen credentials and cloud tokens. The fundamental mechanics of cybercrime have shifted from breaking in to logging in, as attackers leverage stolen session cookies to behave like legitimate users.
The Patching Window Is Rapidly Closing
Vulnerability disclosures surged by 12% in 2025, with 1 in 3 (33%) vulnerabilities having publicly available exploit code. The strategic gap between discovery and weaponization is increasingly vanishing, as evidenced by mass exploitation of zero-day vulnerabilities in as little as 24 hours after discovery.
Ransomware Is Hacking the Person, Not the Code
As technical defenses against encryption harden, ransomware groups are pivoting to the path of least resistance: human trust. This approach has led to a 53% increase in ransomware, with RaaS groups being responsible for over 87% of all ransomware attacks.
Build Resilience in a Converged Landscape
The findings in the 2026 Global Threat Intelligence Report make one thing clear: incremental improvements to legacy security models are no longer sufficient. As adversaries transition to machine-speed operations, the strategic advantage shifts to organizations that can maintain visibility into the adversarial environments where these attacks are born.
Protecting organizations and communities requires an intelligence-first approach. Download Flashpoint’s 2026 Global Threat Intelligence Report to gain clarity and the data-driven insights needed to safeguard critical assets.
Between 2024 and 2026, Flashpoint analysts have observed the financial sector as a top target of threat actors, with 406 publicly disclosed victims falling prey to ransomware attacks alone—representing seven percent of all ransomware victim listings during that period.
However, ransomware is just one piece of the complex threat actor puzzle. The financial sector is also grappling with threats stemming from sophisticated Advanced Persistent Threat (APT) groups, the risks associated with third-party compromises, the illicit trade in initial access credentials, the ever-present danger of insider threats, and the emerging challenge of deepfake and impersonation fraud.
Why Finance?
The financial sector has long been one of the most attractive targets for threat actors, consistently ranking among the most targeted industries globally.
These institutions manage massive volumes of sensitive data—from high-value financial transactions and confidential customer information to vast sums of capital, making them especially lucrative for threat actors seeking financial gain. Additionally, the urgency and criticality of financial operations increases the chances that victim organizations will succumb to extortion and ransom demands.
Even beyond direct financial incentives, the financial sector remains an attractive target due to its deep interconnectivity with other industries.This means that malicious actors may simply target financial institutions to gain information about another target organization, as a single data breach can have far-reaching and cascading consequences for involved partners and third parties.
The Threat Actors Targeting the Financial Sector
To understand the complexities of the financial threat landscape, organizations need a comprehensive understanding of the key players involved. The following threat actors represent some of the most prominent and active groups targeting the financial sector between April 2024 and April 2025:
Active since March 2023, Akira has demonstrated increasingly sophisticated tactics and has targeted a significant number of victims across various sectors. Between April 2024 and April 2025, they targeted 34 organizations within the financial sector. Evidence suggests a potential link to the defunct Conti ransomware group. Akira commonly gains initial access through compromised credentials, Virtual Private Network (VPN) vulnerabilities, and Remote Desktop Protocol (RDP). They employ a double extortion model, exfiltrating data before encryption.
LockBit Ransomware
A long-standing and highly prolific RaaS group operating since at least September 2019, LockBit continued to be a major threat to the financial sector, claiming 29 publicly disclosed victims between April 2024 and April 2025. LockBit utilizes various initial access methods, including phishing, exploitation of known vulnerabilities, and compromised remote services.
Most notably, in June 2024, LockBit claimed it gained access to the US Federal Reserve, stating that they exfiltrated 33 TB of data. However, Flashpoint analysts found that the data posted on the Federal Reserve listing appears to belong to another victim, Evolve Bank & Trust.
FIN7
This financially motivated threat actor group, originating from Eastern Europe and active since at least 2015, focuses on stealing payment card data. They employ social engineering tactics and create elaborate infrastructure to achieve their goals, reportedly generating over $1 billion USD in revenue between 2015 and 2021. Their targets within the financial sector include interbank transfer systems (SWIFT, SAP), ATM infrastructure, and point-of-sale (POS) terminals. Initial access is often gained through phishing and exploiting public-facing applications.
Scattering Spider
Emerging in 2022, Scattered Spider has quickly become known for its rapid exploitation of compromised environments, particularly targeting financial services, cryptocurrency services, and more. They are notorious for using SMS phishing and fake Okta single sign-on pages to steal credentials and move laterally within networks. Their primary motivation is financial gain.
Lazarus Group
This advanced persistent threat (APT) group, backed by the North Korean government, has demonstrated a broad range of targets, including cryptocurrency exchanges and financial institutions. Their campaigns are driven by financial profit, cyberespionage, and sabotage. Lazarus Group employs sophisticated spear-phishing emails, malware disguised in image files, and watering-hole attacks to gain initial access.
Top Attack Vectors Facing the Financial Sector
Between April 2024 and April 2025, our analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections. How are these prolific threat actor groups gaining a foothold into financial data and systems? Examining Flashpoint intelligence, malicious actors are capitalizing on third-party compromises, initial access brokers, insider threats, amongst other attack vectors:
Third-Party Compromise
Ransomware attacks targeting third-party vendors can have a direct and significant impact on financial institutions through data exposure and compromised credentials. The Clop ransomware gang’s exploitation of the MOVEit vulnerability in December 2024 serves as a stark reminder of this risk.
Initial Access Brokers (IABs)
Initial Access Brokers specialize in gaining initial access to networks and selling these access credentials to other threat groups, including ransomware operators. Their tactics include phishing, the use of information-stealing malware, and exploiting RDP credentials, posing a significant risk to financial entities. Between April 2024 and April 2025, analysts observed 6,406 posts pertaining to financial sector access listings within Flashpoint’s forum collections.
Insider Threat
Malicious insiders, whether recruited or acting independently, can provide direct access to sensitive data and systems within financial institutions. Telegram has emerged as a prominent platform for advertising and recruiting insider services targeting the financial sector.
Deepfake and Impersonation
The increasing sophistication and accessibility of AI tools are enabling new forms of fraud. Deepfakes can bypass traditional security measures by creating convincing audio and video impersonations. While still evolving, this threat vector, along with other impersonation tactics like BEC and vishing, presents a growing concern for the financial sector. Within the past year, analysts observed 1,238 posts across fraud-related Telegram channels discussing impersonation of individuals working for financial institutions.
Defend Against Financial Threats Using Flashpoint
The financial sector remains a high-value target, facing a persistent and evolving array of threats. Understanding the tactics, techniques, and procedures (TTPs) of these top threat actors, as well as the broader threat landscape, is crucial for financial institutions to develop and implement effective security strategies.
Flashpoint is proud to offer a dedicated threat intelligence solution for banks and financial institutions. Our platform combines comprehensive data collection, AI-powered analysis, and expert human insight to deliver actionable intelligence, safeguarding your critical assets and operations. Request a demo today to see how our intelligence can empower your security team.
Flashpoint’s Top 5 Predictions for the 2026 Threat Landscape
Flashpoint’s forward-looking threat insights for security and executive teams, provides the strategic foresight needed to prepare for the convergence of AI, identity, and physical security threats in 2026.
As the global threat landscape accelerates its transformation, 2026 marks an inflection point requiring defensive strategies to fundamentally shift. The volatility observed in 2025 has paved the way for an era soon to be defined by AI-weaponized autonomy, information-stealing malware, systemic instability of public vulnerability systems, and the complete convergence of digital and physical risk.
Flashpoint offers a unique window into these complexities, providing organizations with the foresight needed to navigate what lies ahead. Drawing from Flashpoint’s leading intelligence and primary source collections, we highlight five key trends shaping the 2026 threat landscape. These insights aim to help organizations not only understand what’s next but also build the resilience needed to withstand and adapt to emerging challenges.
Prediction 1: Agentic AI Threats Will Weaponize Autonomy, Forcing a New Defensive Standard
2026 will see continued evolution of AI threats, with future attacks centering on autonomy and integration. Across the deep and dark web, Flashpoint is observing threat actors move past experimentation and into operational use of illegal AI.
As attackers train custom fraud-tuned LLMs (Large Language Models) and multilingual phishing tools directly on illicit data, these AI models will become more capable. The criminal intent shaping their misuse will also become more sophisticated. Additionally, 2026 will see a greater marketplace for paid jailbreaking communities and synthetic media kits for KYC (Know Your Customer) bypass.
These advancements are enabling criminals to move beyond simple tools and engage in scaled, autonomous fraud operations, leading to two major shifts:
Agentic AI is becoming the true flashpoint: Threat actors will be using agentic systems to automate reconnaissance, generate synthetic identities, and iterate on fraud playbooks in near real-time. In this SaaS ecosystem, AI will help attackers leverage subscription tiers and customer feedback loops at scale.
The attack surface will shift to focus on AI Integrations: Organizations are increasingly plugging LLMs into live data streams, internal tools, identity systems, and autonomous agents. This practice often lacks the same security vetting, access controls, and monitoring applied to other enterprise systems. As such, attackers will heavily target these integrations, such as APIs, plugins, and system connections, rather than the models themselves.
“The ubiquity of automation has dramatically increased attack tempo, leaving many security teams behind the curve. While automation can replace repetitive tasks across the enterprise, organizations must not make the critical mistake of substituting human judgement for AI at the intelligence level.
This is paramount because a critical threat in 2026 is Agentic AI autonomy weaponized against soft targets—API integrations and identity systems. The only winning defense will be human-led and AI-scaled, prioritizing purposeful use to keep organizations ahead of this exponential risk.”
Josh Lefkowitz, CEO at Flashpoint
These evolving AI threats will force a fundamental shift in defensive strategies. Defenders will have to shift to deploying systems around AI rather than trust them on their own.
Prediction 2: Identity Compromise via Infostealers Will Become the Foundation of Every Attack
Infostealers will become the entry point, the data broker, the reconnaissance layer, and the fuel for everything that comes after a cyberattack. This shift is already in motion and is accelerating rapidly: in just the first half of 2025, infostealers were responsible for 1.8 billion stolen credentials, an 800% spike from the start of the year. However, 2026 will redefine the malware’s role, making its most valuable output being access, rather than disruption.
Infostealers will become the upstream event that powers the rest of the attack chain. Identity and session data will be increasingly targeted, since it gives attackers immediate access into victim environments. Ransomware, fraud, data theft, and extortion will simply be downstream ways to monetize.
This upstream approach defines the new reality of the attack chain, which is already operational. Nearly every major stealer strain Flashpoint observes now exfiltrates the following:
An organization’s attack surface is no longer just composed of their own networks. It is the entire digital identity of their employees and partners. This new reality requires security teams to take a new approach. Instead of attempting to block attacks, they must proactively detect compromised credentials before they are weaponized. This will be the difference between reacting to a data breach and preventing one.
“The infostealer economy has fully industrialized the attack chain, making initial compromise a low-cost commodity. Multiple security incidents in 2025 tie back to credentials found in infostealer logs. This reality has underscored the critical importance of digital trust—specifically, verifying who can access what resources. For 2026, identity is the perimeter to watch, and security teams must proactively hunt for compromised credentials before they’re weaponized.”
Ian Gray, Vice President of Intelligence at Flashpoint
Prediction 3: CVE Volatility Will Force Redundancy in Vulnerability Intelligence
The temporary funding crisis at CVE in April 2025 and the subsequent CISA stopgap extension through March 2026 exposed the systemic fragility of a centralized vulnerability intelligence model. With the future of the CVE/NVD system hanging in the balance, 2026 will be defined by the urgent need for redundancy and diversification in vulnerability intelligence.
In today’s vulnerability intelligence ecosystem, nearly every organization’s vulnerability management framework relies on CVE and NVD—including its “alternatives” such as the EUVD (European Union Vulnerability Database). The CVE system has grown into a critical global cybersecurity utility, relied upon by nearly all vulnerability scanners, SIEM platforms, patch management tools, threat intelligence feeds, and compliance reports. A complete shutdown of CVE would result in a widespread loss of institutional infrastructure.
The next generation of security needs to be built on practices that are resilient, diversified, and intelligence-driven. It should be focused on providing insights that can be used to take action such as threat actor behavior, likelihood of exploitation in the wild, relevance to ransomware campaigns, and business context. Security teams will need to leverage a comprehensive source of vulnerability intelligence such as Flashpoint’s VulnDB that provides full coverage for CVE, while also cataloging more than 100,000 vulnerabilities missed by CVE and NVD.
Prediction 4: Executive Protection Will Remain a Critical Challenge as Cyber-Physical Threats Converge
The continued blurring of lines between cyber, physical, and geopolitical threats will elevate the risk to organizational leadership, turning executive protection into a holistic intelligence function in 2026. The rise of information warfare combined with physical world convergence means the threat to key personnel is no longer purely digital.
In the aftermath of the tragic December 2024 assassination of United Healthcare’s CEO, Flashpoint has seen the continued circulation and glorification of “wanted-style posters” of executives in extremist communities. Additionally, Flashpoint has seen nation-state actors participate, using espionage and influence to target high-value individuals. Organizations must adopt an integrated approach that connects insights from threat actor chatter and a wealth of other OSINT sources. This fusion of intelligence is essential for applying frameworks to ensure the safety of leadership and key personnel.
Prediction 5: Extortion Shifts to Identity-Based Supply Chain Risk
2025 was marked by several large-scale extortion campaigns, demonstrating how the threat landscape is rapidly evolving. Ransomware operations have shifted into a straight extortion play. Flashpoint has observed a surge in new entrants to the ransomware market, accompanied by a decline in the quality and decorum of ransomware groups.
Furthermore, vishing campaigns attributed to “Scattered Spider” have highlighted weaknesses in identity, trust, and verification. Campaigns from “Scattered LAPSUS$ Hunters” have also exposed vulnerabilities in third-party integrations. These attacks culminated in extortion, showcasing that modern attacks will target trusted users and trusted applications for initial access, and will forgo ransomware in place of data access.
As this shift continues into 2026, threat actors will increasingly focus their efforts on exploiting human behavior and identity systems. Instead of attempting to spend resources on breaking network perimeters, attackers will instead socially engineer employees to gain access to corporate systems at scale. This change in TTPs will undoubtedly greatly increase supply chain risk, especially for third parties.
Charting a Path Through an Evolving Threat Landscape with Flashpoint Intelligence
These five predictions highlight the transformative trends shaping the future of cybersecurity and threat intelligence. Staying ahead of these challenges demands more than just reactive measures—it requires actionable intelligence, strategic foresight, and cross-sector collaboration. By embracing these principles and investing in proactive security strategies, organizations can not only mitigate risks but also seize opportunities to enhance their resilience.
As the threat landscape continues to rapidly evolve, staying informed and prepared are critical components of risk mitigation. With the right tools, insights, and partnerships, security teams can navigate the complexities ahead and safeguard what matters most.
The Seven Phases of a Ransomware Attack: A Step-by-Step Breakdown of the Attack Lifecycle
Understanding the anatomy of a ransomware attack empowers security teams to strengthen defenses, reduce the risk of successful attacks, and protect organizations from the serious consequences of a ransomware incident
Ransomware attacks are pervasive and devastating, targeting organizations and causing havoc on operations, finances, and reputation. To defend against these threats, security teams must understand the ransomware attack lifecycle.
The 7 Phases: The 7 phases of a ransomware attack include: 1) Recon & target selection 2) Initial access 3) Lateral movement and privilege escalation 4) Deployment of ransomware 5) Encryption & impact 6) Extortion and communication and 7) Recovery & mitigation.
As reliance on digital systems and networks increases, the risk of ransomware attacks grows exponentially. These attacks can cripple businesses, disrupt services, compromise data, and lead to significant financial losses. Cybercriminals continually evolve their tactics, demanding constant adaptation from security teams.
In this blog, we will explore the intricacies of ransomware, breaking down the attack lifecycle. Understanding this anatomy empowers security teams to strengthen defenses, reduce the risk of successful attacks, and protect organizations from the serious consequences of a ransomware incident.
Phase 1 of a ransomware attack involves the threat actor researching and selecting organizations to attack. During this phase, threat actors identify potential targets and gather critical information about them.
Identifying potential targets
Threat actors engage in reconnaissance to identify organizations that are more likely to yield a high return on their malicious activities. They carefully assess factors such as the industry, size, financial stability, and the value of the data held by the potential targets. Organizations that heavily rely on their digital infrastructure and are more likely to pay a ransom to regain access to critical systems and data are prime targets.
Techniques used for reconnaissance
Threat actors employ various techniques to gather information during the reconnaissance phase. These techniques may include passive reconnaissance, where they collect publicly available data from websites, social media platforms, and professional networking sites. They may also utilize active reconnaissance, such as scanning for open ports and vulnerabilities, conducting phishing campaigns to gather employee information, or leveraging third-party sources like leaked databases and dark web forums.
Vulnerability factors
Several factors can make organizations more vulnerable to targeting during the reconnaissance phase:
Lack of Security Awareness: Organizations that do not prioritize cybersecurity awareness and training for their employees may inadvertently provide attackers with valuable information through social engineering tactics.
Inadequate Patch Management: Failure to promptly apply software patches and updates leaves systems vulnerable to known vulnerabilities that threat actors can exploit.
Weak Access Controls: Poorly managed user accounts, weak passwords, and insufficient access controls increase the likelihood of unauthorized access to sensitive systems and data.
Absence of Network Segmentation: If an organization’s network lacks proper segmentation, a successful initial access point can provide attackers with the opportunity to move laterally within the network and escalate privileges.
Lack of Monitoring and Detection: Organizations that lack robust monitoring and detection capabilities may not notice the initial signs of a reconnaissance attempt, allowing threat actors to proceed undetected.
Phase 2: Initial access
Phase 2 of a ransomware attack is the critical stage where threat actors strive to gain initial access to an organization’s network and systems.
During this stage, threat actors employ a range of techniques to achieve initial access, including:
Phishing Emails: One of the most common and successful methods, threat actors craft convincing emails designed to deceive recipients into clicking on malicious links or opening infected attachments.
Exploit Kits: These toolkits contain prepackaged exploits that target vulnerabilities in software, commonly used web browsers, or plugins. By visiting compromised websites, unsuspecting users can unwittingly trigger the exploit kit and grant the attacker initial access.
Vulnerable Software: Exploiting weaknesses in software, particularly outdated or unpatched applications, is another avenue threat actors may exploit to gain a foothold within an organization’s network. This was recently observed through CLOP’s use of the MOVEit and GoAnywhere MFT vulnerabilities to attack over 100 organizations globally.
VulnDB’s vulnerability intelligence record highlighting the severity and importance of the MOVEit vulnerability.
Social engineering tactics play a significant role in the success of initial access attempts. Threat actors exploit human psychology to deceive individuals and gain access to sensitive information or systems.
Pretexting, where a false scenario or pretext is created to gain the target’s trust, and baiting, which offers enticing rewards or incentives, are common social engineering tactics used to manipulate individuals. Moreover, tailgating—or taking advantage of individuals holding doors open for others—can be used to gain unauthorized physical access to secure areas within an organization.
Phase 3: Lateral movement and privilege escalation
Once threat actors have gained initial access to an organization’s network and systems, they proceed to Phase 3 of a ransomware attack: lateral movement and privilege escalation.
This stage involves the navigation and expansion of their reach within the compromised network. Threat actors explore the compromised network to locate valuable data, critical systems, and potential targets for encryption.
They employ lateral movement, traversing through the network to gain control over multiple machines, servers, or devices, which increases the likelihood of finding and encrypting valuable information while making it challenging for defenders to contain the attack.
Threat actors may use several techniques to achieve lateral movement.
Exploiting Misconfigurations: They take advantage of misconfigured network shares, weak or shared passwords, and unsecured remote desktop protocols (RDP) to gain unauthorized access to other systems within the network.
Credential Theft and Reuse: They employ various tactics to steal or acquire legitimate user credentials, such as using keyloggers, credential harvesting, or compromising administrative accounts. These stolen credentials are then reused to move laterally within the network.
Pass-the-Hash: This technique involves stealing hashed credentials from compromised systems and using them to authenticate and gain access to other systems without needing to know the plaintext passwords.
Once within the network, threat actors seek to escalate their privileges. By elevating their access rights, they gain increased control over critical systems and can maneuver more freely within the network. Privilege escalation techniques may include:
Exploiting Vulnerabilities: They identify vulnerabilities in software, operating systems, or network configurations that can be leveraged to elevate their privileges. This may involve exploiting unpatched systems or misconfigured permissions.
Leveraging Stolen Credentials: If threat actors have successfully stolen credentials during the initial access phase, they can use these credentials to escalate their privileges within the network, gaining administrative or higher-level access.
Abusing Trusted Applications or Services: They manipulate trusted applications or services that have higher privileges or access rights to gain elevated permissions within the network.
It is important to note that lateral movement and privilege escalation are not necessarily linear processes. Threat actors adapt their tactics based on the network’s topology, security measures, and available targets, maneuvering opportunistically within the network.
Phase 4: Deployment of ransomware payload
In Phase 4 of a ransomware attack, threat actors execute their ultimate objective: deploying the ransomware payload. This phase involves the encryption of the victim’s files and the subsequent demand for a ransom payment.
Ransomware comes in various forms, each with its own characteristics and objectives. Some common types include:
Encryption Ransomware: This type of ransomware encrypts the victim’s files, rendering them inaccessible until a decryption key is obtained by paying the ransom. Examples include notorious strains like WannaCry and Ryuk.
Locker Ransomware: Locker ransomware locks the victim out of their system or specific applications, denying access to the device or critical functionalities. It often displays a ransom message directly on the victim’s screen, demanding payment to regain access.
Hybrid Ransomware: Hybrid ransomware combines elements of both encrypting and locker ransomware. It encrypts files while simultaneously locking the victim out of the system, amplifying the impact and urgency of the attack.
To deploy the ransomware payload effectively, threat actors may leverage various techniques including:
Email Attachments and Links: Malicious attachments or links embedded within phishing emails are a common delivery method for ransomware. Opening the attachment or clicking on the link initiates the download and execution of the ransomware payload.
Drive-by Downloads: By visiting compromised or malicious websites, victims unknowingly trigger the download and execution of ransomware through vulnerabilities in their web browsers or plugins.
Exploit Kits: Exploit kits can exploit vulnerabilities in software or operating systems to deliver ransomware onto the victim’s system. The kits automatically detect and target vulnerabilities, enabling threat actors to distribute the ransomware payload more efficiently.
Ransomware-as-a-Service (RaaS) and its role in the attack lifecycle
Ransomware-as-a-Service (RaaS) has emerged as a significant contributor to the proliferation of ransomware attacks. RaaS allows less technically skilled threat actors to access ransomware tools and infrastructure developed by more sophisticated actors. It operates on a profit-sharing model, where the developers take a percentage of the ransom payments. RaaS lowers the barrier to entry for cybercriminals, enabling the widespread distribution and execution of ransomware attacks.
RaaS platforms provide aspiring threat actors with user-friendly interfaces, technical support, and even customer service. They often offer customization options, allowing attackers to tailor the ransomware to their specific targets. The availability of RaaS has led to a surge in ransomware attacks globally, as it empowers a wider range of cybercriminals to participate in these lucrative campaigns.
Flashpoint’s monthly ransomware infographic highlighting the most prevalent groups, industries, and nations involved in ransomware events.
Phase 5: Encryption and impact
The true consequences of the attack begin to unfold during the encryption and impact phase. During this phase, threat actors encrypt the victim’s files and inflict significant damage on their systems.
Ransomware employs sophisticated encryption algorithms to lock the victim’s files, rendering them inaccessible without the decryption key. The encryption process typically targets a wide range of file types, including documents, images, videos, databases, and more. Threat actors often use strong encryption algorithms like RSA or AES to ensure the victim cannot decrypt the files without the decryption key.
As the encryption process unfolds, the victim’s files become unusable, with each file typically receiving a unique encryption key. The ransomware may also overwrite or modify the original file, making recovery without the decryption key even more challenging. The impact on the victim’s systems can be severe, leading to operational disruption, data loss, financial consequences, and reputational damage.
The consequences of a successful ransomware attack can be devastating for both organizations and individuals, and often entails many of the following:
Operational Disruption: Ransomware attacks can cripple an organization’s operations, causing significant disruptions and downtime. Critical systems may become inaccessible, leading to productivity losses, delayed services, and financial repercussions.
Data Loss and Corruption: If proper backups are not in place, victims may lose access to their valuable data permanently. Ransomware may also corrupt files during the encryption process, making recovery even more challenging.
Financial Losses: Organizations may face substantial financial losses due to ransom payments, costs associated with recovery and remediation efforts, and potential regulatory penalties. Moreover, there may be indirect financial impacts stemming from reputational damage and customer loss.
Reputational Damage: Publicly disclosed ransomware attacks can tarnish an organization’s reputation. Clients, partners, and stakeholders may lose trust in the organization’s ability to protect sensitive information, leading to a loss of business opportunities and customer confidence.
Legal and Regulatory Ramifications: Depending on the nature of the compromised data, organizations may face legal and regulatory consequences, especially if personal or sensitive information is involved. Violations of data protection regulations can result in significant fines and legal liabilities.
Phase 6: Extortion and communication
In Phase 6 of a ransomware attack, threat actors establish communication with their victims and begin the process of extortion. At this time, they’ll demand ransom payments in exchange for providing the decryption keys or access to the victim’s systems.
During this phase, threat actors initiate contact with the victim to convey their demands and establish a line of communication. They often use anonymizing technologies, such as the Tor network, to mask their identities and make it difficult to trace their activities. Communication can occur through various channels, including email, instant messaging platforms, or even dedicated ransom negotiation portals set up by the attackers.
Threat actors employ different methods to demand ransom payments from their victims. These may include:
Bitcoin or Cryptocurrency Payments: Threat actors typically demand ransom payments in cryptocurrencies, such as Bitcoin, due to the pseudonymous and decentralized nature of these currencies, which makes them difficult to trace.
Payment Deadlines and Threats: Threat actors often impose strict deadlines for payment, accompanied by threats of permanently deleting the decryption keys or increasing the ransom amount if the deadline is not met. These tactics aim to pressure victims into complying with their demands.
Proof of Data Exfiltration: In some cases, threat actors may claim to have exfiltrated sensitive data from the victim’s systems and threaten to publicly release it unless the ransom is paid. This adds an additional layer of pressure and urgency for victims to comply.
Engaging or not engaging with threat actors during the extortion phase raises legal and ethical considerations. Organizations must carefully evaluate their options:
Legal Considerations: Paying the ransom may be illegal in some jurisdictions or against organizational policies. Additionally, organizations may have legal obligations to report the incident, particularly if personal or sensitive data has been compromised.
Funding Criminal Activities: Paying the ransom may contribute to funding further criminal activities, as the money can be used to finance future attacks. Supporting cybercriminals through ransom payments perpetuates the ransomware ecosystem.
No Guarantee of Decryption: There is no guarantee that threat actors will provide the decryption keys or restore access to the victim’s systems even after the ransom is paid. Organizations must consider the risk of paying the ransom and not receiving the promised outcome.
Cyber Insurance Coverage: Organizations with cyber insurance policies should consult with their insurance providers regarding their coverage and the implications of paying the ransom.
It is crucial for organizations to consult legal counsel, law enforcement agencies, and experienced incident response professionals before making any decisions regarding ransom payment. Each situation is unique, and a thorough evaluation of the risks, legal obligations, and ethical considerations is necessary.
Phase 7: Recovery and mitigation
The recovery and mitigation phase of an attack is where organizations focus on restoring systems, recovering encrypted data, and implementing measures to prevent future attacks.
Recovering from a ransomware attack requires a systematic approach. Key strategies for recovering encrypted data and restoring systems include:
Isolate and Contain: Immediately isolate the affected systems to prevent further spread of the ransomware. Disconnect compromised devices from the network and shut them down to mitigate the risk of re-infection.
Incident Analysis: Conduct a thorough analysis of the incident to identify the ransomware variant, its impact, and the compromised systems. This analysis can help determine the appropriate recovery strategy.
Data Restoration: If backups are available, restore data from clean and secure backups. It is crucial to ensure backups are offline or properly protected to prevent them from being compromised by the ransomware.
Decrypting Data: In some cases, decryption tools may be available from trusted sources, such as law enforcement agencies or security companies. These tools can help decrypt files without paying the ransom. However, this is not always possible, depending on the specific ransomware variant.
System Rebuilding: In situations where data restoration is not feasible or backups are unavailable, organizations may need to rebuild affected systems from scratch using known good configurations and software.
Effectively responding to ransomware incidents requires a well-defined incident response plan, and may include some of these best practices:
Incident Response Plan: Develop a comprehensive incident response plan that outlines the steps to be taken in the event of a ransomware attack. This plan should include roles and responsibilities, communication protocols, and predefined actions for different scenarios.
Rapid Response: Ensure you have the alerting capabilities to act swiftly and decisively to contain the attack, isolate affected systems, and initiate the recovery process. Promptly engage internal IT teams, incident response experts, and relevant stakeholders.
Communication and Notification: Establish clear lines of communication both internally and externally. Notify appropriate personnel, such as legal, PR, and executive teams, and consider legal and regulatory obligations for disclosing incidents involving compromised data.
Forensic Investigation: Conduct a thorough forensic investigation to understand the root cause, identify the attack vector, and collect evidence for potential legal actions or future prevention measures.
Employee Awareness and Training: Continuously educate employees about the risks of ransomware, phishing, and social engineering. Regularly train staff on cybersecurity best practices, including strong password management, recognizing suspicious emails, and reporting incidents promptly.
Prevention is key in mitigating future ransomware attacks. Implementing proactive security measures can significantly reduce the risk and impact of such incidents. Consider these important measures:
Patch Management: Regularly apply security patches and updates to operating systems, software, and firmware to address known vulnerabilities that threat actors often exploit.
Endpoint Protection: Deploy robust antivirus and anti-malware solutions, along with advanced endpoint detection and response (EDR) tools to detect and block malicious activities.
Network Segmentation: Implement network segmentation to restrict lateral movement and contain the impact of an attack. Separating critical systems from the rest of the network helps prevent the rapid spread of ransomware.
Least Privilege Access: Enforce the principle of least privilege, granting users only the necessary access rights required to perform their duties. This minimizes the potential damage that can be caused by compromised accounts.
Regular Data Backups: Maintain regular, encrypted, and secure offline backups of critical data. Regularly test the restoration process to ensure backups are viable for recovery in the event of a ransomware incident.
Know your enemy
Ransomware attacks continue to evolve, becoming more sophisticated and widespread. Threat actors adapt their tactics, techniques, and tools to exploit vulnerabilities and maximize their financial gain. As such, ongoing vigilance and adaptation are essential.
But at each stage of a ransomware attack, robust threat intelligence can stop an emerging risk in its tracks and minimize—or even prevent—damage to your organization.
An effective threat intelligence program enables you to understand threat actors and their TTPs each step of the way. Critical capabilities for your threat intelligence program include:
Vulnerability intelligence that gives practitioners access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack.
A robust alerting system that allows security practitioners o set up customizable, automated ransomware alerts of leaked assets as a result of an extortion incident, and gain insight into the extent of exposure and damage.
Real-time and continuous data collection that includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.
A managed attribution solution that allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations.
Robust risk management practices and incident response plans in place in order to respond effectively and recover from security breaches.
Flashpoint’s ransomware dashboard provides an up-to-date, easy-to-consume view of global ransomware trends, victims, as well as the ransomware groups themselves.
To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, begin a free trial, or watch this video to discover the top ways to prevent an attack at your organization.
Lessons From Clop: Combating Ransomware and Cyber Extortion Events
Recent attacks from Clop emphasize the importance of implementing an organization-wide ransomware and cyber extortion strategy, from preparedness to detection and isolation
When a ransomware or cyber extortion event occurs, security teams are racing against the clock:
What do we know about the cybercriminal group that’s claiming responsibility for an attack or double extortion?
Is our organization affected? If so, what is the extent of the breach and its impact on our systems, networks, people, and data?
How do we respond to and mitigate the situation?
Flashpoint Ignite’s finished intelligence is readily available to all teams to help mitigate risk across the entire organization.
These questions are of vital importance to organizations across the public and private sectors. And the recent Clop attacks—which affected organizations across the globe in nearly every vertical—are yet another example of why it’s vital to have proactive defense measures in place.
Targeting upstream data providers
First, it’s vital to have a deep understanding of the adversary, such as a RaaS (ransomware-as-a-service) group like Clop. Here are five ways that ransomware groups like Clop attack targets, as well as the threat vectors they seen to exploit:
Supply chain attacks. As illustrated through MOVEit, Clop often targets upstream software vendors or service providers so that it can cast a wide net. A number of the known Clop victims are companies who were attacked via a third-party vendor. Attackers like Clop may exploit vulnerabilities in the communication or data exchange between these companies, or compromise the software or hardware components supplied by third-party providers to inject malicious code or backdoors.
Cloud Service Providers (CSP). If a cloud service provider experiences a security breach, it can potentially impact third parties that utilize their cloud services in several ways. Clop successfully breached a cloud service provider, giving them potential access to highly sensitive information.
Managed Service Providers (MSPs), who inherently have access to clients’ IT infrastructure, are also a lucrative target for ransomware groups like Clop as they service a multitude of businesses.
Software vulnerabilities are common,asransomware groups often exploit known vulnerabilities in widely used software. Here, Clop exploited MOVEit, a file transfer software used by organizations globally, to install a malicious web shell called LEMURLOOT.
Zero-days. Ransomware groups may also exploit zero-day vulnerabilities, or previously unknown security flaws, in software leveraged by a wide range of organizations.
Putting vulnerabilities into context
VulnDB’s vulnerability intelligence record highlighting the severity and importance of the MOVEit vulnerability.
CLOP’s use of the MOVEit and GoAnywhere MFT vulnerabilities provide us with two recent high-profile examples of the power and impact of the group’s attacks—as well as the damage they can have on victims.
It also shines a bright light onto the level of information and context that CTI analysts and vulnerability management teams require in order to better prioritize and take action on the vulnerabilities likely to be used in ransomware and other attacks.
Tools such as Flashpoint’s VulnDB can unpack vulnerabilities like MOVEit in order to provide practitioners with access to real-time, comprehensive information so that they can understand the scope of the incident and develop effective response strategies to make faster, informed decisions and mitigate the attack.
This includes information about 300,000 vulnerabilities, including thousands not listed in the public source, as well as robust metadata and numerous prioritization and prediction metrics, including:
supplemental information on which versions of software may be affected
Furthermore, when equipped with this context, vulnerability practitioners should be able to gain an active understanding of how the software, services, and other third-party assets they use are affected.
The combination of threat intelligence and vulnerability intelligence is a powerful weapon against adversaries. For instance, when a ransomware event occurs, vulnerability practitioners should be able to easily raise their awareness levels by using a robust alerting system. From there, they can quickly drill down into supplemental information to identify if exploits are being shared, see which threat actors are discussing the vulnerability across all illicit and open-source communities (forums, chats, ransomware sites, paste sites, blogs, social media, e.g.), and better assess the risk.
Flashpoint’s ransomware dashboard provides an up-to-date, easy-to-consume view of global ransomware trends, victims, as well as the ransomware groups themselves.
Understanding incidents as they unfold
Gaining continuous intelligence and context on ransomware attacks is vital throughout an attack, which often extends for weeks in the public sphere (and undoubtedly longer behind closed doors). It is therefore important to ensure that your organization is being provided with an active understanding of the situation as it unfolds in real-time—beyond vulnerability intelligence.
Flashpoint’s Intelligence Team, for example, delivers to customers incident pages and regular updates that communicate the most important details of an extortion event in progress. This includes background and assessments of the vulnerability, status updates with timelines, known victims, change logs, and intelligence that contributes to a more holistic understanding of a risk and informs decision-making.
Managed attribution for investigations
A managed attribution solution allows intelligence teams to shift from defense to offense by enabling security teams to safely and anonymously conduct investigations. Analysts will often access or download files from a ransomware blog to verify if their organization was impacted in the incident. While doing so, it’s vital to protect and keep your organization safe via a secure research environment that is isolated from analyst browsers, computers and network infrastructure. Flashpoint’s Managed Attribution solution allows security teams to interact with files, conduct online investigations, and browse safely without risk to their organization.
Ransomware response and readiness
To quickly assess, contain, and mitigate the impact of such incidents, it is crucial for organizations to have robust risk management practices in place. This includes conducting thorough due diligence when selecting third-party vendors, assessing their security practices, actively monitoring their security posture, and implementing contractual obligations and security controls to protect the company’s interests.
Additionally, it’s crucial to have incident response plans in place in order to respond effectively and recover from security breaches.In the event that an organization is impacted by ransomware, having a well-practiced incident response plan can greatly minimize damages. This includes:
Creating an Incident Response playbook
Holding mandatory training sessions for employees
Enabling staff members to proactively thwart attacks
Ransomware and cyber extortion events are undoubtedly stressful and challenging, but there are practical and proven ways to lessen that burden to reduce risk across your organization. To learn more about how Flashpoint empowers security teams to prevent and respond to ransomware attacks, contact us, sign up for a free trial, or watch this video to understand the top ways to prevent a ransomware attack at your organization.
Risk Intelligence Index: Cyber Threat Landscape by the Numbers
Flashpoint’s monthly look at the cyber risk ecosystem affecting organizations around the world, including intelligence, news, data, and analysis about ransomware, vulnerabilities, insider threats, and takedowns of illicit forums and shops.
Flashpoint’s latest ransomware infographic paints a sobering picture of the evolving threat landscape, as cybercriminals employ increasingly sophisticated—and effective—tactics. Last month, our analysts observed a total of 397 ransomware attacks.
Key takeaways for the state of ransomware
Organizations in the United States bore the brunt of ransomware attacks, accounting for a staggering 211 incidents—a 66 percent increase compared to last month.
The top three industries targeted by ransomware were Professional Services, Internet Software & Services, and Construction & Engineering.
Clop ransomware has emerged as one of the most active ransomware groups, securing the second spot in March’s top 10 ranking. Last month, Clop garnered attention by exploiting a remote code execution vulnerability—allegedly enabling them to acquire data from over 100 organizations, although they only disclosed a few victim names on their blog.
Key takeaways for the state of vulnerability intelligence
Approximately34 percent of March’s disclosed vulnerabilities are rated as high-to-critical in severity, which if exploited, could pose a significant risk to an organization’s security posture.
Over 78 percent of March’s vulnerabilities are remotely exploitable, meaning that if threat actors are able to leverage these issues, they can execute malicious code no matter where the device is located.
Nearly 29 percent of March’s vulnerabilities already have a documented public exploit, which drastically lessens the difficulty to exploit.
Vulnerability Management teams can potentially lessen workloads by nearly 88 percent by first focusing on actionable, high severity vulnerabilities—i.e., vulnerabilities that are remotely exploitable, that have a public exploit, and a viable solution; 253 of March’s vulnerabilities meet this criteria.
Insider Threat
The tactic of recruiting insiders has become immensely popular amongst threat actors aiming to breach systems and/or commit ransomware attacks.
In March, our analysts collected 5,586 posts advertising insider services—both from threat actors seeking insiders and malicious employees offering their services. Of those, 1,127 were unique posts from individuals in illicit and underground communities.
Key takeaways for the state of insider threat intelligence
In March, Flashpoint tracked 5,586 posts related to insider threats activity—both from threat actors attempting to solicit insider-facilitated access and from disgruntled employees offering their services. Of the total, 1,127 were unique postings.
At this time, the Telecom industry is the most targeted sector, followed by Financial and Retail.
Looking into the state of insider threats further, Flashpoint found that the majority of insider threat related postings originated from inside the organization with malicious insiders offering their services. Most of this activity came from the Telecom sector.
Takedowns
In March 2023, there were numerous takedowns, voluntary shutdowns, and arrests affecting ransomware, markets, account shops, card shops, and individual cybercriminals. Here are the high-profile takedowns.
Breach Forums
On March 21, 2023, mid-tier hacking forum Breach Forums was shut down following the arrest of its administrator, Conor Brian Fitzpatrick (aka “pompompurin”), six days prior.
On March 3, a US Magistrate Judge issued a seizure warrant for Worldwiredlabs[.]com, a domain used by cybercriminals to sell malware, including remote access trojan (RAT) “NetWire,” which is capable of targeting and infecting major computer operating systems.
On March 7, an international law enforcement effort led to the seizure of Worldwiredlabs. The FBI had begun its investigation in 2020, and uncovered that it was the only known online distributor of NetWire.
The following data is derived from the Flashpoint Intelligence Platform and VulnDB, the most comprehensive and timely source of vulnerability intelligence available. Sign up for a free trial today.