
Stay Ahead of Ransomware: What the 2026 Threat Reports Are Telling Us

Authored by Ryan Chapman

On the May 2026 episode of the SANS Stay Ahead of Ransomware livestream, hosts Ryan Chapman and Mari DeGrazia dug into four major industry reports to surface the ransomware-specific trends of which defenders need to be aware. The ransomware and cyber extortion landscape continues to evolve at a relentless pace, so delving into and understanding such reports remains critical for us to stay ahead of the game. The hosts synthesized findings from the Mandiant M-Trends 2026 Report, the CrowdStrike Global Threat Report, the Chainalysis 2026 Crypto Crime Report, and the Palo Alto Networks Global Incident Response Report 2026.

Setting the Stage: A Lens Worth Understanding

Before diving in, both hosts offered an important framing note. These reports are written through the lenses of the organizations that produce them. These are firms handling hundreds or thousands of client engagements per year. The trends they surface may or may not mirror what any individual organization or industry vertical is experiencing. That said, taken together, they paint a real-world picture of what is actually happening in the wild. Simply note that the statistics are specific to those lenses, as are the actions and behaviors each firm observed.

Mandiant M-Trends 2026: Prior Compromises and Stolen Credential Risks

Initial Infection Vectors: Prior Compromise Doubles

When it comes to how attackers are getting in, Mandiant found that prior compromise doubled and now accounts for 30% of initial infection vectors. That is up from 15% in the previous year. This reflects the growing role of Initial Access Brokers (IABs), specialized threat actors who compromise environments and then hand off that access to other actors, including ransomware affiliates and operators. These IABs are doing the hard work of getting in, and ransomware groups are capitalizing on the results.

Stolen Credentials and the Info Stealer Problem

Ryan emphasized the continued and possibly underreported role of stolen credentials as an initial infection vector. Mandiant’s report attributed stolen credentials as the infection vector for 10% of their 2025 cases, though the true numbers are most likely far higher in practice. The challenge in deriving stronger statistics here is that, in many cases, remote service connections simply appear without any brute-force indicators. This indicates credentials were already known to the attacker, but does not prove it. Correlation with dark web stealer logs (via services like Intel 471 or Recorded Future) can help, but such correlation is neither uniformly definitive nor available to all analysts.

The host duo noted the importance of user security awareness training, stating that it must go beyond corporate devices. For example, employees who end up with malware, especially infostealers, on their personal devices can be the reason for a successful corporate breach. Per the hosts, if an infostealer is found on a personal machine, all credentials used on that machine should be rotated, which should include any corporate credentials that may have ever been used, even if simply related to accounts that share passwords with corporate devices and/or services.

CrowdStrike Global Threat Report: Actors Continue to Target Unmanaged Devices

Targeting the Gaps in Your Asset Inventory

As more organizations deploy E/XDR solutions, ransomware actors have adapted their tactics. Rather than triggering detections by operating on managed, heavily monitored endpoints, they seek out the corners of the environment where visibility is weakest. This makes asset management, E/XDR coverage, and intra-network monitoring a frontline defensive concern, not just an IT operations issue.

  • Hi. You there. Hey! Deploy your critical agents everywhere possible! :)

CrowdStrike documented cases where, during a three-hour attack window, threat actors interacted with only one managed endpoint, deliberately maneuvering through unmonitored systems for the rest of the operation. Such actors were also spotted spinning up virtual machines within compromised environments. They gain access to hypervisors such as vSphere or VMware vCenter, create new VMs, and operate from those new systems entirely outside of E/XDR telemetry.

Perhaps the most striking case study in this section: attackers identified an unpatched webcam on a corporate network and used it as the launchpad for ransomware distribution. This should serve as a vivid reminder that any internet-connected device without agent coverage is a potential attack surface.

Chainalysis 2026 Crypto Crime Report: Cheaper Access is Bad for the Good Team

Chainalysis offers a uniquely valuable perspective because they analyze ransomware payments across blockchain activity, aggregating wallet IDs shared through ransom notes, dark web postings, and IR firm disclosures. This gives them visibility no single organization could achieve on its own.

The Cost of Access Is Dropping

One of the most alarming statistics Ryan highlighted was the average cost of initial access on dark web markets: In 2025, average victim access was being offered for approximately $671. For organizations in more targeted sectors, "premium" access to large enterprises was being advertised for amounts that still felt shockingly low. IAB inflows, which are payments to access brokers via cryptocurrency, have increased over the years from around $1 million in 2020 to $14 million in tracked on-chain payments, reflecting the growth and professionalization of this ecosystem.

Palo Alto Networks Global Incident Response Report 2026: Four Trends That Should Keep You Up at Night

Ryan closed the session with a rapid-fire look at the Palo Alto Networks (Unit 42) IR report, highlighting four overarching trends observed across their caseload, all of which have direct ransomware implications.

  1. AI has become a force multiplier for threat actors. Early signals of AI adoption by ransomware groups included generated logos embedded in data leak site HTML. More recently, reports, such as Anthropic’s pivotal 2025 report, have documented threat actors using AI to support full-scale ransomware campaign planning and execution. This is no longer theoretical; this is what we’re seeing now and will continue to see.
  2. Identity has become a reliable path to attacker success. Too many organizations deploy cloud IAM platforms (AWS, GCP, Entra ID/Azure) without fully understanding or fine-tuning them. Over-permissioned accounts, services and scheduled tasks running as high-privileged service accounts, and LSASS dumping opportunities remain rampant. Zero-trust principles are widely discussed, yet rarely implemented.
  3. Supply chain compromise is intersecting with ransomware. Groups like Vect Ransomware and Team PCP are exploiting CI/CD pipeline dependencies, particularly via npm and PyPI package compromise, to pivot from supply chain access into ransomware deployment. This is an emerging and rapidly evolving vector that is keeping defense teams busy seven days a week.
  4. Nation-state actors are blending in. Sophisticated threat groups are increasingly using synthetic identities, fake employment schemes, and AI-generated personas to establish persistent, stealthy footholds. Unfortunately, these tactics are beginning to intersect with the ransomware ecosystem.

Key Takeaways for Defenders

Across all four reports, a few consistent themes emerge for defenders to act on:

  • Close your E/XDR coverage gaps. Know your asset inventory. If you can't answer the question "what percentage of our hosts have agents?" with confidence, find out today. Threat actors already know the answer… and it’s not a good answer for most orgs!
  • Block and alert on dual-use tools. PSExec, NLTest, netscan, RClone, and WinRAR have been on our radar as favored tools by ransomware actors for nearly 10 years now. Yet, the royal “we” are not blocking when appropriate or monitoring their use closely enough. Fix this!
  • Treat infostealers seriously, both at work and at home. Credential theft from personal devices is a meaningful ransomware precursor. Update your security awareness training to reflect this.
  • Harden your identity infrastructure. Apply least-privilege principles in cloud IAM environments. Audit service account permissions. Look at what's running with elevated privileges in your environment.
  • Hunt for unmanaged hosts actively. Look for process-to-IP communications where the remote IP has no associated agent. For example, look for SMB tool use, such as PSExec, originating from IPs with no associated E/XDR agent.
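The coverage question from the first takeaway and the unmanaged-source hunt from the last one can be answered with the same join between telemetry and an asset inventory. The following is an added example written for this post, not code from SANS, the livestream, or any of the four reports; the inventory, event records, IP addresses and field names are all constructed, and the event schema (`service_install`, `admin_share_access`) is a hypothetical normalization of what an E/XDR agent on the target host would report.

```python
# Added example (not code from the SANS post or the reports): join constructed
# telemetry against a constructed asset inventory to measure E/XDR agent coverage
# and flag PsExec-style SMB activity from IPs with no agent.
# Constructed inventory: IP -> hostname and whether an E/XDR agent reports in.
INVENTORY = {
    "10.0.1.10": {"host": "dc01", "agent": True},
    "10.0.1.20": {"host": "fs01", "agent": True},
    "10.0.1.30": {"host": "esxi-mgmt", "agent": False},  # hypervisor mgmt, no agent
    "10.0.2.5": {"host": "lobby-cam", "agent": False},   # IoT device, no agent
}

ADMIN_EVENTS = {"service_install", "admin_share_access"}  # dual-use tool activity over SMB

# Constructed telemetry reported by agented hosts; src_ip is the remote peer.
EVENTS = [
    {"host": "fs01", "event": "service_install", "src_ip": "10.0.1.10", "detail": "PSEXESVC"},
    {"host": "fs01", "event": "service_install", "src_ip": "10.0.1.30", "detail": "PSEXESVC"},
    {"host": "dc01", "event": "admin_share_access", "src_ip": "10.0.3.77", "detail": "ADMIN$"},
    {"host": "dc01", "event": "http_request", "src_ip": "10.0.2.5", "detail": "GET /"},
]

def agent_coverage(inventory):
    """Answer 'what percentage of our hosts have agents?' as (agented, total, pct)."""
    total = len(inventory)
    agented = sum(1 for h in inventory.values() if h["agent"])
    return agented, total, (round(100.0 * agented / total, 1) if total else 0.0)

def source_status(ip, inventory):
    """'managed', 'unmanaged' (known host, no agent) or 'unknown' (not inventoried)."""
    entry = inventory.get(ip)
    if entry is None:
        return "unknown"  # worst case: a peer the inventory has never seen
    return "managed" if entry["agent"] else "unmanaged"

def hunt_unmanaged_sources(events, inventory, admin_events=ADMIN_EVENTS):
    """Findings for admin-tool events whose source IP has no E/XDR agent."""
    findings = []
    for ev in events:
        if ev["event"] not in admin_events:
            continue  # e.g. plain HTTP from the camera is noise for this hunt
        status = source_status(ev["src_ip"], inventory)
        if status != "managed":
            findings.append({"src_ip": ev["src_ip"], "status": status,
                             "target": ev["host"], "detail": ev["detail"]})
    return findings

if __name__ == "__main__":
    print(agent_coverage(INVENTORY))
    for f in hunt_unmanaged_sources(EVENTS, INVENTORY):
        print(f)
```

An "unknown" source deserves a higher priority than an "unmanaged" one: a known host missing an agent is a coverage gap to close, while a peer absent from the inventory altogether may be one of the attacker-created VMs described above.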

Learning More and Looking Forward

We encourage you to read all four reports covered in this episode:

You can watch the full May 2026 Stay Ahead of Ransomware episode on YouTube. Please also review our YouTube playlist for past episodes. We cover a variety of topics, and would also love your feedback via social media on potential future subjects.

And of course, join us on the first Tuesday of each month at 1:00 PM Eastern for the SANS Stay Ahead of Ransomware livestream. Finally, be sure to check out our upcoming SANS training, including FOR528: Ransomware and Cyber Extortion and FOR563: Applied AI for DFIR.