Threat Intel - Faster Attacks and Recovery Denial Ransomware
Basically, attackers are getting quicker and targeting recovery systems to force payments.
Mandiant's latest report reveals a shift in ransomware tactics and faster cyberattacks. Organizations must adapt to these evolving threats to protect their recovery systems. The implications are significant, as attackers increasingly target critical infrastructure.
What Happened
Mandiant's M-Trends 2026 report, unveiled at the RSA Conference, highlights a troubling shift in the cyber threat landscape. Attackers are now moving faster than ever, compressing key phases of the attack lifecycle. The median dwell time, the time attackers remain undetected in a system, rose to 14 days from 11 days the previous year. This indicates that while attackers are quicker in executing their plans, they are also becoming more persistent.
The report reveals that voice phishing has surged to 11% of initial infection vectors, overtaking email phishing, which has dropped to 6%. This reflects a broader trend toward more interactive social engineering tactics, making it harder for organizations to defend against these evolving threats.
Who's Being Targeted
Organizations across various sectors are feeling the impact of these faster attacks. The focus has shifted towards critical systems that are essential for recovery after a breach, such as backup infrastructure and identity services. In 2025, ransomware-related incidents accounted for 13% of investigations, while data theft was observed in 40% of cases. This rise in targeted attacks emphasizes the need for organizations to bolster their defenses, particularly in areas that attackers now prioritize.
The report also notes that attackers are increasingly collaborating, with one group gaining access and quickly handing it off to another, often a ransomware group. This hand-off time has decreased dramatically, from over 8 hours in 2022 to just 22 seconds in 2025, underscoring the need for organizations to be vigilant at all stages of an attack.
Tactics & Techniques
As attackers refine their strategies, they are focusing on undermining recovery capabilities. The rise of recovery denial ransomware tactics means that attackers are not just encrypting data but also targeting backup systems to ensure that victims are more likely to pay the ransom. This shift poses a significant challenge for organizations, as it forces them into a difficult decision: pay the ransom or attempt to rebuild their systems from scratch.
Moreover, the report highlights the increasing use of AI in early-stage attacks. While AI is not the primary driver of successful breaches, it enhances the efficiency of phishing and reconnaissance efforts. Attackers are leveraging large language models to improve their tactics, making it crucial for organizations to address fundamental gaps in their security measures.
Defensive Measures
To combat these evolving threats, Mandiant recommends that organizations adopt a more dynamic approach to incident response. Security teams should rethink their alert triage processes, as what might seem like a low-level alert could signal the beginning of a more significant incident. Key infrastructure components like identity systems and backup environments must be treated as critical assets and protected accordingly.
Additionally, organizations should implement continuous identity verification and stricter privilege controls to counteract the rise of interactive social engineering. As attackers increasingly rely on legitimate tools, detection strategies must evolve to focus on behavioral anomalies rather than static indicators. By extending log retention and centralizing telemetry, organizations can improve their visibility and better understand the scope of intrusions, ultimately enhancing their resilience against these fast-moving threats.
CSO Online