RANSOMWARE actors are ditching Cobalt Strike in favour of native Windows tools as payment rates hit record lows and data theft surges. According to Google Threat Intelligence Group (GTIG), data theft features in about 77% of attacks, up from 57% last year, while 43% of intrusions targeted virtualization infrastructure.
The research notes that vulnerabilities were exploited in one‑third of cases as an initial access vector, particularly VPNs and firewalls, and that Dark Web posts naming and shaming victims hit record highs in 2025. Observations from Coveware by Veeam also show a dramatic decrease in both average and median ransom payments, with large enterprises paying less often and mid‑size businesses paying smaller sums.
GTIG’s findings describe a shift toward “living off the land”—threat actors increasingly rely on built‑in Windows capabilities, PowerShell, and internal tools for initial access and movement, reducing the need for external malware binaries.