Q&A: Huntress’ Justin Allen & Reece Appleton discuss ransomware evolutions and financial threats


Cyber Daily: So Huntress recently conducted what is quite a fantastic research report. Reece, I’m going to hand it over to you: what’s the background of the report, what are some of the details, and one of the biggest findings that stand out that our readers need to be aware of.

Reece Appleton: I think some context for Huntress is really important for the report.

We’re quite different to some of the enterprise technologies out there that are really built for enterprise and for cyber security teams to manage and build themselves, as a platform always managed by our SOC team. We support, through our partners, customers of a one-person shop through to many thousands, and so the threat report provides insights across that full scope. It’s not just the enterprise lens that we see.

Firstly… Identity is really the new perimeter, or however you want to frame it. And I think according to the ACSC, business email compromise and identity-related attacks are number one for organisations this year.

Reece Appleton: Adversaries are using what’s called living-off-the-land. They’re using technologies that organisations already have or can have within their environment. And interestingly, we saw a 277 per cent increase in threat actors’ use of remote monitoring and management tools.

The other finding… is we’re seeing this kind of consolidation. I think over 50 per cent of the ransomware incidents that we saw, or precursors to, were from four main groups. So there’s that market consolidation.

The groups are really also operating in an economy. There are multiple organisations that work closely together to deploy an attack. And I think the last point on that ransomware piece is that, actually, ransomware, we’re finding, isn’t the main point now. So the time to ransom is actually increasing, as we saw. And that’s because organisations like your Akiras, your Qilins, are focusing on the exfiltration of data more so than just encrypting. That’s kind of where we see that double extortion technique.

Justin Allen: And it’s interesting because we definitely still see people just coming in and ransoming as quickly as they can as well. We’re definitely seeing more of a play to have that double extortion, have that ability from a business perspective to engage professionally with a ransom business to restore their data and get the money that they’re looking at.

Equally, we still see threat actors coming in within a matter of seconds and ransoming environments; it really depends on their purpose, where they’re actually situated globally and what their actual intent is. A business set up to conduct ransomware is very different from a threat actor seeking to just disrupt operations and wreak havoc.

Cyber Daily: We’re observing a lot of changes in threat actor behaviour at the moment, and I’m wondering if we can discuss the “why?” of that. What are we seeing? Is it broadly a move away from ransomware gangs coming in, financially motivated, and deploying ransomware straight away? What’s the reason behind it?

Justin Allen: That’s still definitely happening, but in terms of the businesses they want to extort, it’s making sure they’ve got the keys to the kingdom, making sure they’ve got access, making sure they’ve got the data, the compromising material that you hold as a collective inside your business, as your crown jewels.

It’s that data, and then the ability to say, “We’re going to release it; we’re going to release all the PII of your customers, we’re not going to make it easy to rebuild your environment”. And still, the cost of incident response is quite high for people; I think it was $97,000 for a medium-sized business in Australia to recover from a single cyber attack. It’s a lot of money.

So people are in this tension of “Am I here to restore my business, or am I going to pay the ransomware operators?” We definitely see both because I think ransomware operators know that the Western economies are willing to pay and have the means to pay in order to restore their business and maintain their business reputation.

Reece Appleton: I was just going to add they’re really leaning into that. The brand and reputational damage that the release of data has on organisations, and obviously the downstream impact that will have on customer retention and revenue and all that sort of thing.

Cyber Daily: I think there was market research done in the United States two years ago: 60, 70 per cent of customers said that they would never work with a small to medium-sized business again if they were caught up in a compromise or a breach. Obviously, that wouldn’t necessarily extend to monopolies. If you’re an enterprise and you’re a monopoly, then people are going to be forced to work with you again.

But where people do have the chance to go and work with your competitors, they will. Which ties into something that I wanted to jump onto. Reece, a big portion of the sample size of your recent Huntress 2026 Cyber Threat Report came from financial services. And that’s not just the big end of the town – large banks and institutions – but also smaller ones, small tax accountants, bookkeepers… Take us through that. What are they seeing? Why are they a data-rich environment, and what’s this going to mean to, not just the company, but – at the end of the day – just regular Aussies that work with them.

Reece Appleton: I think if we look at the APAC statistics from Q1 or up until April this year, 22 per cent of the incidents that we saw were in financial services, which is a massive, massive chunk of incidents. And to your point, when we usually think of financial services we think of the big four banks or big financial institutions; but it’s bookkeepers, tax accountants, it’s those small, small- to mid-sized organisations that generally have a lower degree of cyber resilience than some of those large organisations. And so they’re more susceptible to a business email compromise attack, for example.

Justin Allen: I just think of the amount of times that I’ve just sent my documents directly to my accountant at tax time; it’s sent over unencrypted means via email. There are some businesses definitely moving towards having those secure portals to upload it, but you think about how many mum and dad businesses are out there that don’t understand the actual risk that they’re dealing with.

It’s everywhere in Australia.


You can watch Cyber Daily’s full, live interview with Huntress’ Justin Allen & Reece Appleton, complete with vital business intelligence and hard-won advice to protect Australian businesses, here. Registration is free!


