
 Message 2044 
 Mike Powell to All 
 Threats to watch this yea 
 08 Dec 25 10:18:01 
 
TZUTC: -0500
MSGID: 1801.consprcy@1:2320/105 2d9c2932
PID: Synchronet 3.21a-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
TID: SBBSecho 3.28-Linux master/123f2d28a Jul 12 2025 GCC 12.2.0
BBSID: CAPCITY2
CHRS: ASCII 1
FORMAT: flowed
Threats to watch this year: from data theft and extortion to EDR killers

Date:
Sun, 07 Dec 2025 15:00:00 +0000

Description:
Threat actors have shifted behaviors, refined their tooling and adapted
tactics; here's what you need to know.

FULL STORY

As cybersecurity threats continue to grow in scale, sophistication and
intent, it's vital for organizations to understand the top actors, emerging
risks and evolving techniques shaping the landscape in order to strengthen
their cyber defenses.

A recent report by Bridewell highlights just how dynamic the adversarial
environment has become over the past year. 

Threat actors have shifted behaviors, refined their tooling and adapted their
tactics. 

Here are some key takeaways organizations need to know to contend with
imminent threats.

The Rise of Data Theft and Extortion 

Historically, ransomware tactics were primarily centered around encrypting
victim data and demanding payment for decryption keys. However, recent 
attacks highlight a shift in tactics, with threat actors now prioritizing 
data theft and extortion by threatening to publish stolen information unless
ransoms are paid. 

This was witnessed in an attack on UK telecom provider Colt Technology
Services, where the Warlock ransomware group exploited a vulnerability in
Microsoft SharePoint to infiltrate the company's systems.

The attackers stole several hundred gigabytes of sensitive data, including
employee salary information, financial records, customer contracts and 
network architecture details. As a result of not paying the ransom, the group
subsequently posted a file list on a Russian Tor forum, offering over a
million documents for sale. 

Similarly, the Clop ransomware group demonstrated this shift in May 2023 by
exploiting a zero-day vulnerability in the MOVEit file-transfer software
(CVE-2023-34362) to exfiltrate large volumes of data from hundreds of
organizations, including high-profile companies such as the BBC and Boots.
Rather than just encrypting systems, Clop threatened to publicly publish the
stolen information via its leak site.

This evolution exploits the growing regulatory and reputational pressures
organizations face, particularly in jurisdictions with strict privacy laws.
While encryption-based attacks often result in larger individual ransom
demands because of the urgency of restoring critical services, improvements
in data recovery and backup controls have inadvertently made data theft and
extortion a more effective alternative for attackers.

The recent major data theft operations performed by hacker groups such as
Scattered Spider and Shiny Hunters, who are related to a collective known as
the Com or the Community, have targeted large software service providers such
as Salesforce and other companies that integrate with their platform. This
has again highlighted the appetite for data theft and extortion over
deploying ransomware to encrypt the victims' files.

Exploitation of Vulnerabilities and Edge Devices

Unpatched vulnerabilities in internet-facing systems and edge devices remain
a primary attack vector for ransomware groups. Attackers are exploiting flaws
in widely deployed technologies, including VPNs, remote monitoring tools and
network appliances, to gain initial access into company systems. These
vulnerabilities allow mass compromise at scale and are a major contributor to
successful ransomware campaigns.

In 2024, the infamous ransomware groups Clop and Termite emerged as highly
proficient actors in carrying out attacks against managed file transfer
services. Additionally, earlier this year, Clop targeted Cleo, the enterprise
integration and managed file transfer software provider, by exploiting a
zero-day vulnerability (CVE-2024-50623) in its integration software.

This attack affected over 80 organizations, primarily in the
telecommunications and healthcare sectors, resulting in significant data
exposure and operational disruption. More recently, we have seen several
threat actors conducting widespread attacks targeting unpatched Fortinet,
Cisco and Ivanti devices. This includes access brokers and affiliates
associated with Qilin, Akira and Ransomhub ransomware groups.

VMware Targeting, EDR Killers and Offensive Tooling

Ransomware actors continue to target hypervisors such as VMware ESXi
environments, with the intention of disrupting critical IT infrastructure
quickly. Groups such as VanHelsing and DragonForce have been linked to recent
attacks, actively employing this tactic in ongoing campaigns. 

Meanwhile, adversaries are shifting their efforts towards developing
capabilities to evade Endpoint Detection and Response (EDR) systems, known as
EDR killers. This is often achieved by abusing vulnerable drivers or native
software features.

The success of these attacks has been amplified by the increased use of
Living-Off-the-Land Binaries (LOLBINs) and Remote Monitoring and Management
(RMM) tools. This is another method used to evade EDR tools: it lets threat
actors blend in with normal system or environment operations and remain
unnoticed, making detection and mitigation significantly more difficult for
organizations.

Offensive security tools remain central to ransomware operations. Despite
combined efforts by Microsoft's Digital Crimes Unit (DCU), Fortra, and the
Health Information Sharing and Analysis Center (Health-ISAC) in recent years
to combat the use of unauthorized, legacy copies of Cobalt Strike, it remains
the most widely used offensive security tool among ransomware operators.

While Fortra has reported an 80% reduction in unauthorized copies observed in
the wild over the past two years, in reality the situation remains a
cat-and-mouse game: as malicious C2 infrastructure is removed from more
reputable hosting providers, operators simply relocate it to less reputable
ones.

Even so, this shift still presents some tactical advantages for defenders, as
infrastructure hosted on lower-tier providers is more likely to be blocked by
security products such as next-generation firewalls and web proxies. 

Meanwhile, other offensive tools such as Metasploit, Sliver and Brute Ratel,
and more recently newer frameworks such as Pyramid C2, a Python-based command
and control (C2) framework, and Adaptix C2, are steadily gaining popularity.

Final thoughts

As we move into 2026, it's clear that cybercriminals are becoming more agile,
more opportunistic and more determined to exploit both technical weaknesses
and organizational blind spots. With data-theft-first extortion models on the
rise, increased targeting of edge devices, and the continued refinement of
EDR-evading tools, defenders face a rapidly evolving challenge that demands
equal adaptability.

Organizations must prioritize proactive patching, strengthen monitoring
across hybrid environments and invest in threat intelligence that keeps pace
with adversaries' shifting tactics. Those that build resilience now, through
preparedness, visibility and robust incident response, will be best
positioned to withstand the threats that lie ahead.

======================================================================
Link to news story:
https://www.techradar.com/pro/threats-to-watch-this-year-from-data-theft-and-extortion-to-edr-killers

--- SBBSecho 3.28-Linux
 * Origin: capitolcityonline.net * Telnet/SSH:2022/HTTP (1:2320/105)

