From Initial Compromise to Ransomware in 22 Seconds: Alarming Findings from the Latest Mandiant M‑Trends 2026 Report

The Mandiant M‑Trends 2026 Report is one of the most important publications in the cybersecurity industry, offering an expert perspective on the latest tactics and threats used by cybercriminals. The report is based on the analysis of an extensive dataset collected by Mandiant experts, providing unique insight into real-world security breach incidents observed globally. For businesses and cybersecurity professionals, M‑Trends is a highly valuable source of intelligence. Drawing on frontline incident response experience, it helps organizations strengthen their defenses, support risk assessment processes, and plan effective threat hunting activities.

In this article, we take a closer look at the key findings from the latest Mandiant M‑Trends 2026 Report. Many of the conclusions are both surprising and deeply concerning. We invite you to read on.

Key Initial Access Vectors

The report highlights significant changes in how threat actors gain access to victims’ IT environments. Traditional techniques are increasingly replaced by more interactive methods, while the growing specialization of cybercriminal groups significantly reduces the response time available to defenders.

According to the report, the most common initial access vectors were:

  • Exploitation of vulnerabilities (32%): For the sixth consecutive year, exploits remain the most frequently observed infection vector. Attackers primarily target edge and core network devices, which often do not support standard security tools such as EDR. Examples of mass exploitation in 2025 include vulnerabilities in SAP NetWeaver (CVE‑2025‑31324) and Microsoft SharePoint (CVE‑2025‑53770).
  • Vishing (Voice Phishing) (11%): This vector saw the most dramatic growth, becoming the second most common method. Unlike mass email phishing, vishing is an interactive social engineering technique conducted in real time by a live operator, making it highly resistant to automated technical controls.
  • Prior compromise (10%): This model is gaining importance due to the specialization of the cybercrime ecosystem. One entity—an Initial Access Partner (IAP)—obtains access and then “hands it off” to another group that carries out the actual attack, such as ransomware deployment.
  • Stolen credentials (9%): Although still significant, this vector declined from 16% in the previous year. Credentials are often obtained via infostealers or leaks from public code repositories.
  • Email phishing (6%): This method continues a downward trend (from 14% in 2024 and 22% in 2022). Despite this decline, it remains dangerous, particularly when used to expand an attacker’s presence within an organization.

Vectors Specific to Ransomware and Cloud Attacks

The analysis shows that the choice of initial access vector often depends on the attacker’s objective:

  • Ransomware. The most common vector was prior compromise (30%), highlighting the critical role of access brokers in the ransomware ecosystem. This was followed by exploits (27%) and brute-force attacks (20%).
  • Cloud compromise. Vishing (23%) clearly dominates, ahead of third-party compromise (17%) and stolen credentials (16%). Attackers use vishing to impersonate employees and persuade help desk staff to reset passwords or modify MFA settings.

Key Trends and Observations

  • Ultra-fast access hand-off: The time between initial compromise and takeover by the group executing the attack has dropped dramatically. In 2025, the median hand-off time was just 22 seconds, compared to more than 8 hours in 2022. In many cases, this process is fully automated.
  • The role of Artificial Intelligence (AI): While AI was not a direct cause of breaches in 2025, it has become a powerful force multiplier for attackers. It is used to create hyper‑personalized social engineering campaigns and embedded within malware that queries LLMs at runtime to better evade detection.
  • Insider threat: This vector increased to 6%, with a significant portion involving North Korean IT workers using false identities to obtain employment and generate revenue for the regime.
  • Non‑Human Identity (NHI) attacks: In SaaS environments, attackers increasingly bypass MFA by stealing secrets such as OAuth tokens or API keys from code repositories or developers’ workstations.

In summary, the report shows that modern infection vectors are becoming more targeted and interactive, and the line between a “simple infection” and a full‑scale ransomware attack can blur in a matter of seconds.

The Evolution of Ransomware Attacks

The report sheds new light on the evolution of ransomware, pointing to a fundamental shift in attacker strategy - from simple data encryption to systematic recovery denial. Ransomware is no longer just an encryption problem; it has become a business resilience challenge.

The most important trend in this area is the deliberate targeting of Trusted Service Infrastructure (TSI) - systems designed to enable recovery after an attack. Ransomware groups increasingly focus on destroying:

  • Backup infrastructure: Attackers systematically locate and destroy backups (both on‑premises and cloud-based) to maximize pressure for ransom payment.
  • Virtualization layers: Hypervisors are increasingly targeted. By encrypting datastore files (e.g., .VMDK), attackers can disable many virtual machines at once and bypass EDR deployed on guest operating systems.
  • Identity services: Compromising identity layers (e.g., Active Directory) allows attackers to lock out administrators and manipulate certificates, effectively preventing defenders from executing recovery actions.

The Cybercrime Ecosystem and Access Hand-Off

The report emphasizes the growing specialization of cybercriminal groups. Often, one group focuses solely on gaining access (Initial Access Partner), which is then handed off to a ransomware operator.

  • Speed of operations: In 2025, the median time between initial access and ransomware group takeover dropped to 22 seconds, compared to 8 hours in 2022.
  • Collaboration model: This process is frequently automated, meaning that “low-priority” alerts (such as generic malware infections) can escalate into critical ransomware incidents within seconds.
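As an added illustration that is not part of the report or this article, the following Python snippet shows the kind of time-windowed correlation a SIEM rule could apply so that a low-priority "generic malware" alert is re-prioritized when the same host shows a hand-off indicator within seconds. The alert names, the 60-second window and the sample log lines are constructed assumptions; the indicator categories mirror the recovery-infrastructure targets the report describes (backups, hypervisors, identity).

```python
from datetime import datetime, timedelta

# Constructed sample SIEM alerts (not real data): ISO time, host, alert name, severity
SAMPLE_ALERTS = """\
2025-06-01T10:00:00 host-a generic_malware low
2025-06-01T10:00:15 host-a backup_catalog_deleted medium
2025-06-01T10:00:20 host-a vmdk_mass_write medium
2025-06-01T10:05:00 host-b generic_malware low
2025-06-01T12:00:00 host-b vmdk_mass_write medium
2025-06-01T11:00:00 host-c generic_malware low
"""

# Assumed alert names that indicate the access has been handed off to a
# ransomware operator targeting backups, hypervisors or identity services.
HANDOFF_INDICATORS = {"backup_catalog_deleted", "vmdk_mass_write", "ad_admin_lockout"}


def parse_alerts(text):
    """Parse whitespace-separated alert lines into (time, host, name, severity)."""
    alerts = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, name, sev = line.split()
        alerts.append((datetime.fromisoformat(ts), host, name, sev))
    return alerts


def escalate(alerts, window_s=60):
    """Return {host: [indicator, ...]} for every low-severity generic_malware alert
    that is followed on the same host, within window_s seconds, by a hand-off
    indicator. Hosts where nothing follows inside the window are not escalated."""
    by_host = {}
    for alert in sorted(alerts):  # chronological order per host
        by_host.setdefault(alert[1], []).append(alert)
    escalations = {}
    for host, events in by_host.items():
        for i, (t0, _, name, sev) in enumerate(events):
            if name != "generic_malware" or sev != "low":
                continue
            hits = [n for t, _, n, _ in events[i + 1:]
                    if n in HANDOFF_INDICATORS and t - t0 <= timedelta(seconds=window_s)]
            if hits:
                escalations[host] = hits
    return escalations


if __name__ == "__main__":
    for host, hits in escalate(parse_alerts(SAMPLE_ALERTS)).items():
        print(f"CRITICAL: {host} generic_malware followed within 60s by {hits}")
```

With the sample data only host-a is escalated: host-b's hypervisor alert arrives two hours later, and host-c shows no follow-on activity at all.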

The Concept of Active Resilience

The findings suggest that organizations must move beyond prevention-only strategies toward Active Resilience, which includes:

  • Isolating the recovery path: Backup infrastructure must be completely separated from the primary network and identity services.
  • Hardening the control plane: Strictly limiting access to hypervisors and device fleet management systems.
  • Continuous verification: Treating identity as the new security perimeter that requires constant validation.

In summary, M‑Trends 2026 warns that today’s ransomware attacks are precise operations aimed at seizing control over an organization’s “trust foundations,” forcing a focus on architectures capable of surviving a complete identity system compromise.

Attacks on Network Devices

The report identifies systematic and increasingly sophisticated exploitation of edge and core network devices as a key trend in the 2025 threat landscape. These devices are attractive targets because they represent critical network junctions and often lack traditional security controls such as EDR.

Key reasons why these devices are targeted include:

  • Most common attack vector: Exploits remain the top infection vector (32%) for the sixth year in a row, with internet‑facing network devices as primary targets.
  • Negative Time to Exploit (TTE): In 2025, the median TTE dropped to -7 days, meaning mass exploitation often begins a week before official patches are released.
  • Limited security and infrequent patching: These devices typically have long uptimes, delayed patch cycles, and are often excluded from vulnerability management processes.

Tactical Evolution: From Pivot Point to Data Source

Historically, network devices served mainly as pivot points for lateral movement. In 2025, however, Mandiant observed a shift: attackers increasingly conduct the entire attack lifecycle directly on network devices, using built‑in administrative functions for:

  • Reconnaissance and lateral movement.
  • Privilege escalation by capturing credentials from network traffic.
  • Data collection directly from management planes or transit traffic, allowing them to evade endpoint and server monitoring systems.

Defensive Challenges and Recommendations

Detecting attacks on network devices is difficult due to minimalist operating systems and limited logging capabilities. Recommended actions include:

  • Audit and inventory: Many network devices and hypervisors are incorrectly excluded from centralized asset management systems.
  • Log centralization: Logs from edge and core devices should be forwarded to SIEM systems, with administrative activity logs retained for at least one year.
  • Vulnerability management: Organizations should aim to scan every endpoint for vulnerabilities at least twice per month.
  • Management plane isolation: Administrative traffic should be separated from the corporate network and accessible only via hardened workstations with MFA.

In conclusion, M‑Trends 2026 warns that network devices are becoming a “safe haven” for attackers within organizations, and their protection must be treated as a priority equal to that of workstations and servers.
