Threat actors are changing their tactics toward built-in tooling, as ransomware payment rates continue to decline.
The Google Threat Intelligence Group (GTIG) this week published research related to the ransomware ecosystem across 2025, as well as the most common tactics, techniques, and procedures (TTPs) seen in incidents Google Cloud’s Mandiant group responded to.
Some of the biggest data points include suspected data theft present in approximately 77% of attacks (up from 57% last year); 43% of intrusions targeting virtualization infrastructure (up from 29%); that vulnerabilities were exploited in one-third of cases as an initial access vector (particularly VPNs and firewalls); and that Dark Web site posts (as in, attackers naming and shaming victims) hit record highs in 2025.
On that last point, GTIG observed that data leak sites generally only name victims and publish their data when the victim does not pay the ransom. This lines up with reports from entities like incident response firm Coveware by Veeam, which observed a dramatic decrease in both average and median ransom payments: large enterprises pay less often, while mid-size businesses pay smaller sums.
Moreover, Coveware’s latest findings show a continued decline in the frequency of payment: 20% of victims paid last quarter, an all-time low since the firm began tracking these numbers. The same findings show an increase in average and median payment, but the report attributes these spikes to a few high-impact incidents rather than to any broader trend.
Defenders are getting better at avoiding ransomware attacks and, Google observed, at recovering from them. Law enforcement action, a crowded threat-actor ecosystem, and infighting among ransomware actors also disrupted the ransomware ecosystem last year.
Ransomware Threat Actors Live Off the Land
Google’s research appears to suggest that threat actors have, in part, responded to this disruption by leaning less on external tooling and more on built-in Windows capabilities (that is, living off the land).
For example, Cobalt Strike Beacon was seen in only 2% of ransomware attacks last year (down from 11% in 2024); and in 2021, roughly 60% of attacks included Beacon. Mimikatz, meanwhile, was leveraged in 18% of attacks last year, a 2% decrease from 2024.
This pairs with the increasing use of internal Windows tooling observed in attacks. While vulnerability exploitation remains the most common initial access vector, stolen credentials are widely used for initial access (21%) and consistently for establishing a foothold once access is gained.
Attackers are also using PowerShell commands, publicly available software, and system utilities to conduct initial reconnaissance.
“Threat actors consistently used PowerShell to query Active Directory (AD) objects for running processes, network shares, and user group memberships. This activity ranged from using native cmdlets like Get-ADComputer and Get-ADUser to using script blocks to query other system data,” Google’s blog post read. “Threat actors [also] continued to rely heavily on internal Windows utilities in this phase of the attack lifecycle, including ipconfig, netstat, ping, and nltest, among others.”
Internal tools like Remote Desktop Protocol (RDP), Server Message Block (SMB), and Secure Shell (SSH) were used for lateral movement; RDP in particular was seen in 85% of attacks.
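As an added example (not code from the article or from Google’s research), the following Python check correlates process-creation events so that a single host/user running several of the discovery utilities and AD cmdlets named above within a short window is flagged, since any one of them alone is ordinary administration. The log format, host and user names, window and threshold are assumptions; the sample log lines are constructed.

```python
"""Correlate living-off-the-land discovery activity in process-creation logs."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

# Discovery tooling the article lists; extend the set for your environment.
DISCOVERY_BINARIES = {"ipconfig.exe", "netstat.exe", "ping.exe", "nltest.exe"}
AD_CMDLET_RE = re.compile(r"\b(Get-ADComputer|Get-ADUser)\b", re.IGNORECASE)

# Constructed sample export (assumed format): timestamp,host,user,image,command line
SAMPLE_LOG = r"""
2025-03-04T08:00:00,srv-admin-01,CORP\admin,C:\Windows\System32\ipconfig.exe,ipconfig /all
2025-03-04T09:14:02,ws-finance-07,CORP\j.doe,C:\Windows\System32\ipconfig.exe,ipconfig /all
2025-03-04T09:14:20,ws-finance-07,CORP\j.doe,C:\Windows\System32\nltest.exe,nltest /dclist:corp
2025-03-04T09:14:41,ws-finance-07,CORP\j.doe,C:\Windows\System32\NETSTAT.EXE,netstat -ano
2025-03-04T09:15:05,ws-finance-07,CORP\j.doe,C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe,powershell -c "Get-ADComputer -Filter * | Select Name,DNSHostName"
2025-03-04T11:30:00,srv-admin-01,CORP\admin,C:\Windows\System32\PING.EXE,ping -n 1 dc01
"""


def classify(image, cmdline):
    """Map one process-creation event to a discovery technique tag, or None."""
    exe = image.rsplit("\\", 1)[-1].lower()
    if exe in DISCOVERY_BINARIES:
        return exe
    if exe in ("powershell.exe", "pwsh.exe"):
        m = AD_CMDLET_RE.search(cmdline)
        if m:
            return "powershell:" + m.group(1).lower()
    return None


def parse_events(log_text):
    """Yield (timestamp, host, user, tag) for events that match discovery tooling."""
    events = []
    for line in log_text.strip().splitlines():
        ts, host, user, image, cmdline = line.split(",", 4)  # command line keeps its commas
        tag = classify(image, cmdline)
        if tag:
            events.append((datetime.fromisoformat(ts), host, user, tag))
    return events


def find_discovery_clusters(log_text, window=timedelta(minutes=10), min_distinct=3):
    """Alert when one host/user runs >= min_distinct distinct discovery tools inside `window`."""
    by_actor = defaultdict(list)
    for ts, host, user, tag in parse_events(log_text):
        by_actor[(host, user)].append((ts, tag))
    alerts = []
    for (host, user), evs in by_actor.items():
        evs.sort()
        for i, (start, _) in enumerate(evs):
            seen = {tag for ts, tag in evs[i:] if ts - start <= window}
            if len(seen) >= min_distinct:
                alerts.append({"host": host, "user": user, "start": start, "tools": sorted(seen)})
                break  # one alert per host/user is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in find_discovery_clusters(SAMPLE_LOG):
        print(alert)
```

With the sample data only ws-finance-07 is flagged: the admin host's isolated ipconfig and ping calls, hours apart, never reach the threshold.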
Ransomware Actors’ MO: ‘Evasion Through Normalcy’
These statistics overall paint a picture of decreased reliance on external tooling and increased reliance on built-in capabilities.
Ray Umerley, field chief information security officer (CISO) at Veeam, tells Dark Reading in an email that his firm also sees this as an ongoing trend, with the nuance that some tools like Mimikatz remain prevalent in case data.
“It’s not that ‘classic’ offensive tooling has disappeared; rather, many threat actors are leaning more heavily on built-in Windows capabilities (PowerShell, WMI, cmd/batch, etc.) to reduce the need to introduce additional binaries that are more likely to stand out,” he writes, labeling this trend “evasion through normalcy.”
“Purpose-built tooling like Mimikatz and Beacon is widely signatured and behaviorally modeled by [endpoint detection and response, or EDR], so deploying it can create clear detection opportunities and cause operations to fail earlier,” he adds. “By contrast, abusing native tooling blends into the organization’s baseline and is harder to distinguish from legitimate administration without strong contextual correlation and identity controls. This aligns with how many of the threat actors we observe operate at speed and scale: optimizing for repeatability, reliability, and minimizing friction (and detection) as they move through an environment to achieve their objectives.”
Bavi Sadayappan, senior threat intelligence analyst at Google and a co-author of the research, concurs that GTIG has observed this migration to built-in tooling in recent years.
“Over the past several years we’ve seen ransomware actors continuously reduce their reliance on malware and common intrusion tools for various phases of the attack lifecycle, including an almost complete lack of Cobalt Strike Beacon use in 2025,” she says. “This shift toward native utilities and publicly available tools for their operations is likely, at least in part, due to improved security postures and endpoint detection systems that are able to identify and/or block more malicious activity. By relying more heavily on abusing native functionality and legitimate tools, threat actors may be more likely to evade detections and operate under the radar.”