Ransomware attackers are switching tactics in favor of more stealthy infiltration, as the threat of public exposure of sensitive corporate data is becoming the main mechanism of extortion.

Picus Security’s annual red-teaming report shows attackers shifting away from loud disruption toward quiet, long-term access — or from “predatory” smash-and-grab tactics to “parasitic” silent residency.

Four in five of the most common attack techniques deployed by ransomware strains are designed to stay hidden once attackers gain initial access. For example, ransomware operations are increasingly using defense evasion and persistence techniques as their tradecraft has evolved, according to Picus Security, a cybersecurity firm that specializes in breach and attack simulation.

Attackers are also increasingly routing command-and-control (C2) traffic through trusted enterprise services such as OpenAI and AWS so that malign activity more closely resembles normal business traffic.

Picus Security’s conclusions come from attack simulations combined with an analysis of 1.1 million malicious files and 15.5 million adversarial actions mapped to the MITRE ATT&CK framework.

The Picus findings about attackers favoring stealth and persistence over loud disruption are consistent with the findings of ransomware research by Securin, which reports that attackers are chaining vulnerabilities in their attacks on corporate systems.

“Ransomware groups no longer treat vulnerabilities as isolated entry points,” says Aviral Verma, lead threat intelligence analyst at penetration testing and cybersecurity services firm Securin. “They assemble them into deliberate exploitation chains, selecting weaknesses not just for severity, but for how effectively they can collapse trust, persistence, and operational control across entire platforms.”

AI is now widely accessible to threat actors, but it primarily functions as a force multiplier rather than a driving force in ransomware attacks.

Double jeopardy

Ransomware gangs commonly favor double extortion, where blackmail based on the threatened leak of stolen information is combined with the disruption caused by encrypting data after breaking into corporate networks.

Picus reports a 38% drop in encryption over the past 12 months as more cybercriminals turn to silently exfiltrating data for extortion as their main stock in trade.

Picus’ suggestion that the volume of ransomware attacks is dropping is disputed by other experts.

Tony Anscombe, chief security evangelist at endpoint security vendor Eset, offered a contrasting perspective.

“In the recent Eset H2 2025 Threat Report, the detection data shows a 13% increase between H1 and H2, coupled with the number of publicly reported victims increasing by 40% reported via ecrime.ch, then it [ransomware] does not appear to be in decline,” Anscombe tells CSO.

Nick Hyatt, senior threat intelligence consultant at cybersecurity services firm GuidePoint Security, says that data on more than 7,000 victims was publicly posted last year, a figure that likely excludes “victims who paid and were never posted by the threat actor.”

Far from showing any signs of consolidation, the number of active ransomware groups hit an all-time high last year, according to GuidePoint.

“Threat actors streamlined their attack capabilities, using a mix of established techniques, vulnerability exploitation, and novel attacks to execute on their objectives,” says Hyatt.

Rogues gallery

Experts polled by CSO commonly rated Qilin, Cl0p and Akira as among the most active ransomware groups, but there was no shortage of other contenders.

“Akira stands out as the No. 1 ransomware group today from Huntress’ 2025 data,” says Dray Agha, senior manager of security operations at managed detection and response firm Huntress. “Their tradecraft is rapidly evolving specifically to neutralize existing security solutions, and we are seeing them aggressively target the hypervisor level to completely bypass traditional endpoint security protections.”

Collin Hogue-Spears, senior director distinguished technical expert at application security firm Black Duck Software, says that ransomware operators have stopped operating like organized crime and started operating like a platform business.

“Qilin posted over 1,000 victims in 2025, a seven-fold increase over the prior year,” according to Hogue-Spears. “LockBit 5.0 clawed back to operational capacity after its takedown.”

Meanwhile, the Scattered Spider/Lapsus$/ShinyHunters (SLSH) federation is running extortion-as-a-service, an approach that makes it easier for less technically skilled cybercriminals to make a dishonest living.

SLSH has created a “structural shift” in the cybercrime ecosystem.

“Seventy-three new groups appeared in six months because they no longer need to build their own tooling,” says Hogue-Spears. “They rent it.”

New threat techniques require security rethink

Vasileios Mourtzinos, a member of the threat team at managed detection and response firm Quorum Cyber, says that more groups are moving away from high-impact encryption towards extortion-led models that prioritize data theft and prolonged, low-noise access.

“This approach, popularized by actors such as Cl0p through large-scale exploitation of third-party and supply chain vulnerabilities, is now being mirrored more widely, alongside increased abuse of valid accounts, legitimate administrative tools to blend into normal activity, and in some cases attempts to recruit or incentivize insiders to facilitate access,” Mourtzinos says.

The evolving tradecraft of ransomware groups should prompt a rethink of defensive strategies.

“For CISOs, the priority should be strengthening identity controls, closely monitoring trusted applications and third-party integrations, and ensuring detection strategies focus on persistence and data exfiltration activity,” Mourtzinos advises.