Security News

Cybersecurity news aggregator


Less Lucrative Ransomware Market Makes Attackers Alter Methods

  • What: The ransomware market is becoming less lucrative, prompting attackers to change their methods.
  • Impact: Cybersecurity professionals need to adapt to evolving attack strategies.

Ransomware actors are ditching Cobalt Strike in favor of native Windows tools, as payment rates hit record lows and data theft surges.

Alexander Culafi, Senior News Writer, Dark Reading
March 17, 2026

Threat actors are changing their tactics toward built-in tooling, as ransomware payment rates continue to decline.

The Google Threat Intelligence Group (GTIG) this week published research related to the ransomware ecosystem across 2025, as well as the most common tactics, techniques, and procedures (TTPs) seen in incidents Google Cloud's Mandiant group responded to.

Some of the biggest data points include suspected data theft present in approximately 77% of attacks (up from 57% last year); 43% of intrusions targeting virtualization infrastructure (up from 29%); that vulnerabilities were exploited in one-third of cases as an initial access vector (particularly VPNs and firewalls); and that Dark Web site posts (as in, attackers naming and shaming victims) hit record highs in 2025.

To that last statistic, GTIG observed that data leak sites generally only name and publish data belonging to victims that don't pay the ransom, which lines up with reports from entities like incident response firm Coveware by Veeam, which observed a dramatic decrease in both average and median ransom payments. Large enterprises pay less often, while mid-size businesses are paying smaller sums.

Moreover, Coveware's latest findings show a continuous decline in frequency of payment (20% of victims paid last quarter, an all-time low since the firm started tracking these numbers).
These findings also show an increase in average and median payment, but the report explains that these spikes are caused by a few high-impact incidents rather than any kind of trend. Defenders are getting better at avoiding ransomware attacks but, more specifically, Google observed, also improving at recovering from them. Law enforcement action, a crowded threat-actor ecosystem, and ransomware actor infighting similarly disrupted the ransomware ecosystem last year.

Ransomware Threat Actors Live Off the Land

Google's research appears to suggest that threat actors have, in part, responded to this disruption by leaning less on external tooling and more on built-in Windows capabilities (as in, living off the land). For example, Cobalt Strike Beacon was seen in only 2% of ransomware attacks last year (down from 11% in 2024); in 2021, roughly 60% of attacks included Beacon. Mimikatz, meanwhile, was leveraged in 18% of attacks last year, a 2% decrease from 2024. Pair this with the use of internal Windows tooling increasingly observed in attacks.

While vulnerability exploitation is still the most common initial access vector, stolen credentials are widely used for initial access (21%) and consistently for establishing a foothold after initial access is gained.

Attackers are also using PowerShell commands, publicly available software, and system utilities to conduct initial reconnaissance.

"Threat actors consistently used PowerShell to query Active Directory (AD) objects for running processes, network shares, and user group memberships. This activity ranged from using native cmdlets like Get-ADComputer and Get-ADUser to using script blocks to query other system data," Google's blog post read. "Threat actors [also] continued to rely heavily on internal Windows utilities in this phase of the attack lifecycle, including ipconfig, netstat, ping, and nltest, among others."
Internal tools like Remote Desktop Protocol (RDP), Server Message Block (SMB), and Secure Shell (SSH) were used for lateral movement; RDP in particular was seen in 85% of attacks.

Ransomware Actors' MO: 'Evasion Through Normalcy'

These statistics overall paint a picture of decreased reliance on external tooling and increased reliance on built-in capabilities. Ray Umerley, field chief information security officer (CISO) at Veeam, tells Dark Reading in an email that his firm also sees this as an ongoing trend, with the nuance that some tools like Mimikatz remain prevalent in case data.

"It's not that 'classic' offensive tooling has disappeared; rather, many threat actors are leaning more heavily on built-in Windows capabilities (PowerShell, WMI, cmd/batch, etc.) to reduce the need to introduce additional binaries that are more likely to stand out," he writes, labeling this trend "evasion through normalcy."

"Purpose-built tooling like Mimikatz and Beacon is widely signatured and behaviorally modeled by [endpoint detection and response, or EDR], so deploying it can create clear detection opportunities and cause operations to fail earlier," he adds. "By contrast, abusing native tooling blends into the organization's baseline and is harder to distinguish from legitimate administration without strong contextual correlation and identity controls. This aligns with how many of the threat actors we observe operate at speed and scale: optimizing for repeatability, reliability, and minimizing friction (and detection) as they move through an environment to achieve their objectives."

Bavi Sadayappan, senior threat intelligence analyst at Google and a co-author of the research, concurs that GTIG has observed this migration to built-in tooling in recent years.
"Over the past several years we've seen ransomware actors continuously reduce their reliance on malware and common intrusion tools for various phases of the attack lifecycle, including an almost complete lack of Cobalt Strike Beacon use in 2025," she says. "This shift toward native utilities and publicly available tools for their operations is likely, at least in part, due to improved security postures and endpoint detection systems that are able to identify and/or block more malicious activity. By relying more heavily on abusing native functionality and legitimate tools, threat actors may be more likely to evade detections and operate under the radar."
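The "contextual correlation" Umerley describes is what separates the living-off-the-land reconnaissance chain quoted from Google's findings (Get-ADUser, Get-ADComputer, nltest, netstat, ipconfig, ping) from routine administration. The detection sketch below is an added example, not code from Dark Reading, Google, or Veeam: it correlates per host-and-user sessions over constructed process-log records, alerts when several distinct native recon tools appear inside a short window, and suppresses a hypothetical known admin host/account pair that represents the organization's baseline.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Native-tool reconnaissance indicators named in the GTIG findings above.
RECON_INDICATORS = {"get-adcomputer", "get-aduser",         # AD cmdlets
                    "ipconfig", "netstat", "ping", "nltest"}  # Windows utilities
EXPECTED_ADMIN = {("jump01", "corp\\svc_adadmin")}  # hypothetical baseline pair
WINDOW = timedelta(minutes=10)   # correlation window per (host, user) session
MIN_DISTINCT = 3                 # distinct indicators needed to raise an alert

def parse_line(line):
    """Parse a constructed 'time|host|user|command line' record."""
    ts, host, user, cmd = line.split("|", 3)
    tokens = cmd.lower().replace("(", " ").replace(")", " ").split()
    inds = {t for t in tokens if t in RECON_INDICATORS}
    return datetime.fromisoformat(ts), host.lower(), user.lower(), inds

def detect_recon(lines):
    """Flag sessions chaining MIN_DISTINCT recon tools in WINDOW, minus baseline."""
    sessions = defaultdict(list)
    for line in lines:
        ts, host, user, inds = parse_line(line)
        sessions[(host, user)].append((ts, inds))
    alerts = []
    for (host, user), events in sessions.items():
        if (host, user) in EXPECTED_ADMIN:
            continue  # matches the organisation's admin baseline: suppress
        events.sort(key=lambda e: e[0])
        for i, (start, _) in enumerate(events):
            seen = set()
            for ts, inds in events[i:]:
                if ts - start > WINDOW:
                    break
                seen |= inds
            if len(seen) >= MIN_DISTINCT:
                alerts.append((host, user, seen))
                break  # one alert per session is enough
    return alerts

SAMPLE_LOG = [  # constructed sample records, not real telemetry
    "2026-03-17T09:00:00|WS-042|corp\\jdoe|powershell.exe Get-ADUser -Filter *",
    "2026-03-17T09:01:30|WS-042|corp\\jdoe|powershell.exe Get-ADComputer -Filter *",
    "2026-03-17T09:02:10|WS-042|corp\\jdoe|nltest /dclist:corp",
    "2026-03-17T09:03:00|WS-042|corp\\jdoe|netstat -ano",
    "2026-03-17T10:00:00|jump01|corp\\svc_adadmin|powershell.exe Get-ADUser -Filter *",
    "2026-03-17T10:00:20|jump01|corp\\svc_adadmin|nltest /dclist:corp",
    "2026-03-17T10:00:40|jump01|corp\\svc_adadmin|netstat -ano",
    "2026-03-17T14:00:00|WS-077|corp\\asmith|ping 10.0.0.1",
]
```

Running `detect_recon(SAMPLE_LOG)` flags only the WS-042 session; the identical command chain from the baseline admin pair and the lone ping from WS-077 do not alert, which is the distinction a plain per-command signature cannot make.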
