M-Trends 2026: Evolving Ransomware, Persistence, and SaaS Attack Vectors
- [01] Destructive ransomware targets backups; sophisticated espionage groups achieve extreme persistence.
- [02] SaaS environments, virtualization platforms, and unmonitored edge devices are primary targets.
- [03] Isolate critical control planes and implement behavioral anomaly detection for swift response.
The cybersecurity landscape witnessed significant shifts in 2025, with adversaries demonstrating increased sophistication and specialization. Mandiant’s M-Trends 2026 report, based on over 500,000 hours of incident investigations, provides critical insights into these evolving TTPs, revealing a divergence in attacker pacing and objectives, as documented in the original Google Cloud blog post. Cybercriminals are optimizing for immediate, high-impact operations and recovery denial, while cyber espionage groups prioritize extreme persistence, often leveraging unmonitored infrastructure.
Key Trends and Technical Analysis
The M-Trends 2026 report highlights several concerning metrics and attack methodologies:
- Global Median Dwell Time: The global median dwell time increased to 14 days, up from 11. For cyber espionage and incidents linked to North Korean IT workers, this figure soared to 122 days, indicating a focus on stealth and long-term access.
- Initial Infection Vectors: Exploits remained the top initial infection vector for the sixth consecutive year, accounting for 32% of intrusions. However, highly interactive voice phishing surged dramatically to 11%, becoming the second most common vector. Prior compromise also emerged as a significant vector, especially for ransomware operations.
- Targeted Industries: The high-tech sector (17%) surpassed the financial sector (14.6%) as the most frequently targeted industry, reflecting a shift in adversary focus.
Collapse of the “Hand-Off” Window
A critical trend identified is the rapid acceleration of the “hand-off” window between initial access brokers and secondary threat groups. In 2022, this median time was over 8 hours; in 2025, it plummeted to just 22 seconds. This means initial access partners are pre-staging malware or tunnels, enabling secondary actors to launch high-impact operations like ransomware almost immediately. This specialized collaboration underlines the need to treat even low-impact alerts as potential precursors to severe intrusions.
Mitigating Voice Phishing MFA Bypass and the SaaS Identity Crisis
Traditional email phishing has declined, now accounting for only 6% of intrusions, largely due to improved automated controls. Adversaries have pivoted to highly interactive, voice-based social engineering, often referred to as vishing. Groups like UNC3944 are actively targeting IT help desks to bypass multi-factor authentication (MFA) and gain initial access to SaaS environments. This involves harvesting long-lived OAuth tokens and session cookies. Furthermore, attackers are compromising third-party SaaS vendors to steal hard-coded keys and personal access tokens, facilitating pivots into downstream customer environments for large-scale data theft, a tactic highlighted in the tracking of ShinyHunters-branded data theft campaigns.
Ransomware Evolving into Recovery Denial Tactics
Modern ransomware campaigns are no longer solely focused on data encryption; they actively aim to destroy an organization’s ability to recover. In 2025, groups such as those using REDBIKE (Akira) and AGENDA (Qilin) systematically targeted backup infrastructure, identity services, and virtualization management planes. This includes exploiting misconfigured Active Directory Certificate Services templates to create persistent administrative accounts, deleting backup objects from cloud storage, and directly encrypting hypervisor datastores to render all associated virtual machines inoperable simultaneously. This fundamental shift poses a significant resilience problem for organizations, forcing a choice between paying the ransom or undertaking a complete rebuild of systems.
Edge Devices, Zero-Days, and Extreme Persistence
While cybercriminals seek speed, espionage groups, including threat clusters like UNC6201 and UNC5807, are optimizing for extreme persistence. These actors deliberately target edge and core network devices, such as VPNs and routers, which often lack standard endpoint detection and response (EDR) telemetry. The mean time to exploit vulnerabilities has dropped to an estimated -7 days, indicating that exploitation is routinely occurring before patches are even released, underscoring the severity of zero-day usage. Organizations must improve their ability to detect sophisticated cyber espionage on edge devices.
Attackers are deploying custom, in-memory malware like the BRICKSTORM backdoor directly onto network appliances. This establishes deep persistence that often survives remediation efforts and system reboots. These devices’ minimal onboard storage hinders forensic analysis, creating significant visibility gaps. With threats like BRICKSTORM achieving dwell times of nearly 400 days, standard 90-day log retention policies leave organizations vulnerable and blind to the full scope of intrusions.
AI Threat Landscape
Adversaries are integrating artificial intelligence (AI) to accelerate attack lifecycles. Malware families like PROMPTFLUX and PROMPTSTEAL query large language models (LLMs) mid-execution to evade detection. “Distillation attacks” extract proprietary logic from machine learning models. While 2025 was not characterized by breaches directly caused by AI, Mandiant observed actors abusing AI within compromised environments, such as the QUIETVAULT credential stealer searching for local AI command-line tools. Organizations must apply principles from frameworks like the Google Secure AI Framework (SAIF) to secure AI implementations and developer toolchains.
Actionable Recommendations for Defenders
To build operational resilience and counter these advanced TTPs, organizations must adapt swiftly:
- Treat Low-Impact Alerts as Critical Indicators: With hand-off times shrinking, security teams must restructure response playbooks. Treat routine malware alerts as high-priority indicators of an impending secondary intrusion and remediate before interactive hands-on-keyboard operations commence.
- Isolate Critical Control Planes: Virtualization and management platforms must be treated as Tier-0 assets with the strictest access constraints. Decouple backup environments from the corporate Active Directory domain and utilize immutable storage to counter recovery denial tactics.
- Shift to Continuous Identity Verification: Since interactive social engineering bypasses traditional MFA, enforce strict least privilege, regularly audit SaaS integrations, and route all SaaS applications through a central identity provider (IdP).
- Transition from Static IoCs to Behavioral Anomaly Detection: With attackers rapidly changing infrastructure and deploying custom, in-memory malware, static indicators of compromise are insufficient. Implement behavior-based detection models that flag anomalous activity, such as unauthorized access to edge devices, unusual bulk API operations, or suspicious use of SaaS integration tokens.
- Expand Visibility and Extend Log Retention: Deploy advanced threat detection across the entire ecosystem. To close visibility gaps associated with multi-year intrusions, extend log retention policies well beyond standard 90-day windows. Forward critical network device logs—especially application and administrative logs—and hypervisor-level telemetry to centralized, long-term storage.
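As an added illustration of the behavioral detection the list above calls for (this is example code, not from Mandiant or the M-Trends report), the script below baselines each SaaS integration token's normal per-minute API volume and source addresses, then flags bulk operations and use from an unseen address. The token names, IP addresses and action names are constructed sample data.

```python
# Added example: behavioral anomaly detection for SaaS integration tokens.
# Baseline period learns per-token call volume and source IPs; the detection
# window is then checked for bulk API operations and new source addresses.
from collections import defaultdict

# Constructed sample audit events: "timestamp token source_ip action".
BASELINE_LOG = """\
2025-06-01T09:00:05Z tok_crm 203.0.113.10 records.get
2025-06-01T09:00:40Z tok_crm 203.0.113.10 records.get
2025-06-01T09:01:12Z tok_crm 203.0.113.10 records.list
2025-06-01T09:30:00Z tok_ci 198.51.100.4 repos.list
2025-06-01T09:30:30Z tok_ci 198.51.100.4 repos.get
"""
# Constructed window: tok_crm suddenly exports 12 records in one minute from
# an address never seen in the baseline; tok_ci behaves normally.
WINDOW_LOG = "\n".join(
    [f"2025-06-02T03:14:{s:02d}Z tok_crm 192.0.2.77 records.export" for s in range(12)]
    + ["2025-06-02T10:00:00Z tok_ci 198.51.100.4 repos.list"])

def parse(log_text):
    """Parse lines into (minute_bucket, token, source_ip, action) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, token, ip, action = line.split()
        events.append((ts[:16], token, ip, action))  # YYYY-MM-DDTHH:MM bucket
    return events

def build_profile(events):
    """Per token: peak calls seen in any single minute, and known source IPs."""
    per_minute, ips, peak = defaultdict(int), defaultdict(set), defaultdict(int)
    for minute, token, ip, _ in events:
        per_minute[(token, minute)] += 1
        ips[token].add(ip)
    for (token, _), n in per_minute.items():
        peak[token] = max(peak[token], n)
    return {"peak": peak, "ips": ips}

def detect(profile, events, ratio=3, floor=5):
    """Return findings as (token, reason, detail); a token exceeding
    max(ratio * baseline peak, floor) calls per minute counts as bulk."""
    findings, per_minute, flagged_ips = [], defaultdict(int), set()
    for minute, token, ip, _ in events:
        per_minute[(token, minute)] += 1
        if ip not in profile["ips"].get(token, set()) and (token, ip) not in flagged_ips:
            flagged_ips.add((token, ip))
            findings.append((token, "new_source_ip", ip))
    for (token, minute), n in per_minute.items():
        if n > max(ratio * profile["peak"].get(token, 0), floor):
            findings.append((token, "bulk_api_operations", f"{n} calls in {minute}"))
    return findings
```

In production the baseline would be rebuilt continuously from the IdP or SaaS audit feed, and findings would be correlated with the token's owner and scope before escalation.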