A Year of Strategic Adaptation
Ransomware operators in 2025–2026 demonstrated significant tactical evolution. The SamurAI's threat intelligence practice tracked 1,400+ ransomware incidents across our monitoring network, revealing three major shifts in attacker behavior.
Shift 1: From Encryption to Exfiltration
Double-extortion attacks — where attackers both encrypt data and threaten to leak it — are now the default. But the balance has shifted: 62% of recent attacks prioritize data exfiltration over encryption. Attackers have learned that the threat of public disclosure is often more effective than operational disruption.
Shift 2: Supply Chain as Primary Vector
Direct compromise of target organizations is declining. Instead, attackers target managed service providers, software vendors, and cloud infrastructure partners. A single compromised MSP can provide access to hundreds of downstream victims.
Shift 3: AI-Assisted Social Engineering
Generative AI has dramatically lowered the barrier for convincing phishing campaigns. Attackers now use AI to generate context-aware spear-phishing emails that reference real internal projects, recent company announcements, and even individual communication styles.
Defensive Recommendations
- Implement data loss prevention (DLP) controls that detect bulk data staging and exfiltration
- Require third-party vendors to demonstrate incident response capabilities through tabletop exercises
- Deploy AI-powered email security that analyzes communication patterns, not just content
- Maintain tested, offline backup procedures — encryption-based attacks haven't disappeared
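The first recommendation, sketched as detection logic (an added example, not code from The SamurAI): it correlates large archive writes on a host with a comparable volume of outbound traffic shortly afterwards. The event schema, thresholds, and allowlisted backup destination are assumptions, and the sample events are constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real telemetry): time, host, kind, bytes, detail
EVENTS = [
    ("2026-01-10T01:02:00", "fs01", "archive_write", 4_200_000_000, r"C:\Temp\a1.7z"),
    ("2026-01-10T01:09:00", "fs01", "archive_write", 3_900_000_000, r"C:\Temp\a2.7z"),
    ("2026-01-10T01:31:00", "fs01", "egress", 7_800_000_000, "203.0.113.50:443"),
    ("2026-01-10T09:15:00", "ws17", "archive_write", 35_000_000, r"C:\Users\kim\report.zip"),
    ("2026-01-10T09:20:00", "ws17", "egress", 40_000_000, "198.51.100.7:443"),
    ("2026-01-10T02:00:00", "bk02", "egress", 9_000_000_000, "192.0.2.10:443"),
]

# Assumed tuning values; derive real ones from per-host baselines.
STAGE_BYTES = 2_000_000_000          # minimum staged archive volume of interest
EGRESS_RATIO = 0.5                   # egress must be at least this share of staged volume
WINDOW = timedelta(hours=2)          # how long after staging the egress is correlated
ALLOWED_DESTS = {"192.0.2.10:443"}   # assumed approved backup target

def detect_stage_then_exfil(events):
    """Alert when a host stages large archives, then sends a comparable volume out."""
    by_host = defaultdict(list)
    for ts, host, kind, size, detail in events:
        by_host[host].append((datetime.fromisoformat(ts), kind, size, detail))
    alerts = []
    for host, rows in by_host.items():
        rows.sort()
        staged = []  # (time, bytes) of archive writes still inside the window
        for ts, kind, size, detail in rows:
            staged = [(t, b) for t, b in staged if ts - t <= WINDOW]
            if kind == "archive_write":
                staged.append((ts, size))
            elif kind == "egress" and detail not in ALLOWED_DESTS:
                total = sum(b for _, b in staged)
                if total >= STAGE_BYTES and size >= EGRESS_RATIO * total:
                    alerts.append({"host": host, "time": ts.isoformat(), "dest": detail,
                                   "staged_bytes": total, "egress_bytes": size})
    return alerts

if __name__ == "__main__":
    for alert in detect_stage_then_exfil(EVENTS):
        print(alert)
```

Large transfers to the approved backup target and small everyday archives are ignored, which keeps the rule focused on the staging-then-egress sequence rather than on volume alone.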



