What changed in the last 12 months
Between Q2 2025 and Q1 2026, ransomware disclosure sites tracked more than 5,400 named victims — a 38% year-over-year jump. The largest shift is not volume but tactic: over 71% of confirmed intrusions now involve data exfiltration before any encryption payload is deployed, and 44% of victims report a follow-on DDoS or public-shaming campaign if the ransom demand is ignored.
Initial access is dominated by three vectors: exposed remote-management portals (RDP, VPN, IPMI), unpatched edge appliances (SSL-VPN, file transfer and email security gateways), and identity compromise via infostealer logs sold on dark markets. Phishing remains prevalent but is increasingly used to steal session cookies rather than passwords, allowing attackers to bypass MFA entirely.
The quadruple-extortion model
Modern ransomware crews layer four pressure points on victims: (1) data encryption that halts operations, (2) threat to publish exfiltrated data on a leak site, (3) targeted DDoS against customer-facing services during negotiation, and (4) direct notification to regulators, insurers, journalists and end-customers about the breach.
This model is designed to defeat the traditional defense — restoring from backup. Even organizations with excellent recovery capability now face reputational and regulatory consequences that cannot be undone by restoring a VM.
A defensive architecture that works in 2026
Identity is the new perimeter. Enforce phishing-resistant MFA (FIDO2 / passkeys) for every administrator and every remote-access entry point. Rotate and vault local admin credentials with LAPS or an equivalent. Kill legacy protocols (NTLM, SMBv1, basic auth) — they are the single most common lateral-movement enabler in incident reports we see.
Assume exfiltration will happen and instrument for it. DNS egress monitoring, TLS interception on outbound traffic to unknown ASNs, and data-loss-prevention on cloud storage APIs (S3, Blob, Drive) shift detection left. Baseline outbound volume per host and alert on 3x deviations — most exfiltration tools ship data in 50-500 MB bursts that are trivially visible if anyone is looking.
Immutable, air-gapped backups are non-negotiable. Use object-lock (S3 Object Lock, Azure Immutable Blob) with a compliance-mode retention that even the storage admin cannot shorten. Test recovery quarterly against a full production workload — a backup you have never restored is a wish, not a control.
The first 4 hours after detection
Isolate before you investigate. Segment the affected network zone at the switch or firewall — do not shut down endpoints, as this destroys memory-resident evidence needed to identify the strain and lateral-movement path. Preserve volatile data (RAM, network connections, running processes) with an EDR forensic snapshot.
Engage counsel and your cyber-insurance breach coach in parallel with technical response — regulatory clocks (72 hours under GDPR, 4 business days under new US SEC rules for material incidents) start from the moment senior leadership is aware. Do not pay the ransom without legal review; sanctions-list checks are mandatory and payments to designated groups carry criminal liability in most jurisdictions.
Key takeaways
- Assume data was stolen before encryption — plan disclosure, not just recovery.
- Phishing-resistant MFA on every admin and remote-access surface.
- Object-lock immutable backups tested against real workloads quarterly.
- Baseline egress volume and alert on deviation — exfiltration is loud if measured.



