
Cyber Threat Intelligence Report | 3/23/2026 | PacketWatch

Written by PacketWatch Team Sixty43 | March 24, 2026

 

This week, we briefed our clients on the findings from Google's 2025 ransomware investigations. We highlighted the key TTPs used by ransomware groups.


KEY TAKEAWAYS

  • Review the most common ransomware TTPs from 2025 based on Google CTI cases.

  • Critical and high-severity vulnerabilities in telnet, Ubiquiti, ScreenConnect, Oracle, and Citrix, plus new CISA KEV additions. Patch now!



 

Latest Ransomware Landscape TTPs

Researchers from the Google Threat Intelligence Group recently published a detailed summary of their 2025 ransomware investigation findings. The report covers which ransomware groups were the most active and breaks down their tactics, techniques, and procedures (TTPs) across the ransomware attack cycle. While it does contain some encouraging findings, such as a decrease in the profitability of ransomware attacks, ransomware remains a top threat to organizations. Larger organizations have improved their security posture and can recover more quickly from ransomware intrusions, which has reduced payments to ransomware groups. As a result, ransomware groups appear to be shifting toward small and medium-sized businesses: a higher volume of victims with lower ransom demands increases the likelihood that a ransom is paid. In 2025, almost 60% of victims posted to data leak sites were companies with fewer than 200 employees. Google also observed a sharp increase in data theft during ransomware intrusions: approximately 77% of intrusions in 2025 involved data theft, compared to 57% in 2024. The total volume of posts on data leak sites set a record in 2025, up almost 50% from 2024.

 

TTP Breakdown

The report from Google goes into great detail on the TTPs observed during the ransomware attack cycle in 2025 (see the Attack Cycle infographic in Appendix A). Below, we highlight some of the key TTPs leveraged by ransomware groups.

 

Initial Access

In 2025, the most common initial access method leveraged by ransomware groups was the exploitation of vulnerabilities, which accounted for a third of all incidents. Most of these instances involved exploitation of VPNs and internet-facing firewalls, including Fortinet (CVE-2024-55591, CVE-2024-21762, and CVE-2019-6693), SonicWall (CVE-2024-40766), Palo Alto (CVE-2024-3400), and Citrix (CVE-2023-4966). See Appendix B for a more comprehensive list of commonly exploited CVEs. Additional services that were commonly exploited include Veritas Backup Exec, Zoho ManageEngine, Microsoft SharePoint, and SAP NetWeaver.

Ransomware groups also commonly leveraged malvertising and SEO tactics to promote compromised or fake software download websites. This tactic is used by both initial access brokers and ransomware groups alike.

Compromised credentials accounted for 21% of ransomware intrusions. These credentials are gathered in a variety of ways, including infostealer malware logs or purchasing credentials from underground (darkweb) forums.

Credential brute-force attacks also continue to be a notable method. One case highlighted by Google shows the Daixin ransomware group conducting periodic brute-force attacks against a victim's VPN for almost a whole year before successfully gaining access.

Phishing attacks accounted for only 6% of total ransomware intrusions in 2025.  

 

Foothold and Persistence

One of the most common techniques observed in 2025 ransomware cases was reliance on compromised credentials to establish a foothold in victim environments. Once the threat actor has access to a highly privileged account, they leverage it to provision or modify other highly privileged accounts in order to maintain access.

Notably, Cobalt Strike, once used in the majority of intrusions, fell to only 2% of intrusions. However, other command and control (C2) frameworks were observed, including AdaptixC2, Exploration C2, and Mythic C2.

Legitimate remote management tools are also very commonly observed in ransomware intrusions, including AnyDesk, Atera, Splashtop, ScreenConnect, and RustDesk, among others.

  

Privilege Escalation

Mimikatz, an open-source penetration testing tool used to extract passwords from Windows systems, was still observed in 18% of ransomware cases in 2025. Google observed threat actors attempting to dump the Local Security Authority Subsystem Service (LSASS) process memory, copying the Active Directory domain database (NTDS.dit) file, and exporting the Security Account Manager (SAM), SYSTEM, and SECURITY registry hives. In many cases, threat actors simply added compromised accounts to local and domain administrator groups.

Credential harvesting from internal sources, such as backup tools, browsers, password managers, and credentials stored in plaintext, was also observed in multiple ransomware intrusions.

 

Internal Reconnaissance

According to Google, this phase of the intrusion remained mostly the same compared to previous years. Threat actors continue to abuse native system utilities, PowerShell commands, and publicly available (legitimate) software. This includes command-line utilities such as ipconfig, netstat, ping, nltest, and net, among others. Notable third-party tools used in ransomware intrusions include Advanced IP Scanner, SoftPerfect Network Scanner, Angry IP Scanner, PowerSploit, and Impacket.
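Because the recon utilities above are all legitimate, a single execution is not a useful signal; what stands out is several distinct recon utilities launched on one host within a short window. The following Python script is an added example written for this report and is not code from Google or PacketWatch. It runs a sliding-window count of distinct recon utilities per host over constructed process-creation events (the event format, the five-minute window, and the threshold of four distinct utilities are assumptions to tune for your own telemetry).

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Native Windows utilities the report lists as abused for internal reconnaissance.
RECON_UTILITIES = {"ipconfig.exe", "netstat.exe", "ping.exe",
                   "nltest.exe", "net.exe", "net1.exe"}

WINDOW = timedelta(minutes=5)   # assumption: how close together executions must be
MIN_DISTINCT = 4                # assumption: distinct utilities needed to alert

# Constructed sample process-creation events: timestamp,host,user,image path.
# These lines are made up for the example, not telemetry from the Google report.
SAMPLE_EVENTS = """\
2026-03-20T09:01:05Z,WS-114,corp\\jdoe,C:\\Windows\\System32\\ipconfig.exe
2026-03-20T09:01:09Z,WS-114,corp\\jdoe,C:\\Windows\\System32\\nltest.exe
2026-03-20T09:01:31Z,WS-114,corp\\jdoe,C:\\Windows\\System32\\net.exe
2026-03-20T09:02:02Z,WS-114,corp\\jdoe,C:\\Windows\\System32\\netstat.exe
2026-03-20T09:02:40Z,WS-114,corp\\jdoe,C:\\Windows\\System32\\ping.exe
2026-03-20T10:15:00Z,WS-207,corp\\asmith,C:\\Windows\\System32\\ipconfig.exe
2026-03-20T14:40:00Z,WS-207,corp\\asmith,C:\\Windows\\System32\\ping.exe
"""


def parse_events(text):
    """Parse the CSV-style sample lines into dicts with a datetime and a bare image name."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, host, user, image = line.split(",", 3)
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host,
            "user": user,
            # keep only the executable name, lower-cased, so paths do not matter
            "image": image.rsplit("\\", 1)[-1].lower(),
        })
    return events


def detect_recon_bursts(events, window=WINDOW, min_distinct=MIN_DISTINCT):
    """Alert once per host when >= min_distinct recon utilities run within `window`."""
    by_host = defaultdict(list)
    for ev in events:
        if ev["image"] in RECON_UTILITIES:
            by_host[ev["host"]].append(ev)

    alerts = []
    for host, evs in by_host.items():
        evs.sort(key=lambda e: e["ts"])
        # Slide the window start across each recon execution on this host.
        for i, start in enumerate(evs):
            seen = {e["image"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(seen) >= min_distinct:
                alerts.append({
                    "host": host,
                    "user": start["user"],
                    "first_seen": start["ts"].isoformat(),
                    "utilities": sorted(seen),
                })
                break  # one alert per host is enough for triage
    return alerts


if __name__ == "__main__":
    for alert in detect_recon_bursts(parse_events(SAMPLE_EVENTS)):
        print(f"{alert['host']} ({alert['user']}) ran {len(alert['utilities'])} "
              f"recon utilities starting {alert['first_seen']}: {alert['utilities']}")
```

On the sample data only WS-114 trips the rule (five distinct utilities in under two minutes); WS-207 runs two utilities hours apart and stays quiet. Feed it your EDR or Sysmon process-creation events in the same shape and adjust the window and threshold to match what your own administrators normally do.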

 

Lateral Movement

Remote Desktop Protocol (RDP) was leveraged in roughly 85% of ransomware intrusions using either compromised or attacker-created accounts. SMB was also frequently abused to access network shares, stage payloads, and execute remote commands. Common Windows utilities such as PsExec, Windows Remote Management (WinRM), and Windows Management Instrumentation Command-line (WMIC) were used for remote execution and lateral movement.

 

Data Exfiltration

As noted above, about 77% of ransomware intrusions included data theft. Ransomware groups used a variety of tools and platforms to facilitate it. Legitimate cloud service infrastructure observed for data exfiltration includes Azure, AWS, Backblaze, Cloudzy, Filemail, Google Drive, MEGA, and OneDrive. Common tools and utilities used to move data to these cloud services include Rclone, MEGAsync, Megatools, AzCopy, restic, FileZilla, and WinSCP. Data compression tools such as WinRAR and 7-Zip were also observed.
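Since the services and tools above are all legitimate, the practical detection is volume to cloud storage the organization has not approved, combined with the user agents of bulk-transfer tools. The script below is an added example for this report (not code from Google or PacketWatch): it aggregates outbound bytes per source and cloud service over constructed proxy log lines and alerts on unapproved destinations. The domain-to-service mapping, the tool user-agent prefixes, the 200 MB threshold, and the log format are all assumptions to validate against your own proxy telemetry.

```python
from collections import defaultdict

# Illustrative suffix map from destination domains to the cloud storage services
# named in the report. An assumption to maintain from your own intel, not a list
# published by Google.
CLOUD_STORAGE_DOMAINS = {
    "mega.nz": "MEGA",
    "backblazeb2.com": "Backblaze",
    "filemail.com": "Filemail",
    "drive.google.com": "Google Drive",
    "onedrive.live.com": "OneDrive",
    "blob.core.windows.net": "Azure Blob",
    "amazonaws.com": "AWS",
}

# Assumed user-agent prefixes for the transfer tools the report lists; confirm
# them against real proxy logs before relying on them.
TOOL_UA_PREFIXES = ("rclone/", "megasync", "megatools", "azcopy",
                    "restic", "winscp", "filezilla")

# Constructed proxy log lines: ts|src_ip|user|dest_host|bytes_out|user_agent.
SAMPLE_LOG = """\
2026-03-19T22:10:01Z|10.0.5.23|corp\\jdoe|storage.mega.nz|150000000|rclone/v1.69.1
2026-03-19T22:14:37Z|10.0.5.23|corp\\jdoe|storage.mega.nz|150000000|rclone/v1.69.1
2026-03-19T22:19:02Z|10.0.5.23|corp\\jdoe|storage.mega.nz|150000000|rclone/v1.69.1
2026-03-19T22:20:15Z|10.0.5.23|corp\\jdoe|drive.google.com|4800000|Mozilla/5.0
2026-03-20T08:05:44Z|10.0.5.40|corp\\asmith|onedrive.live.com|310000000|Mozilla/5.0
2026-03-20T08:30:12Z|10.0.5.61|corp\\bwong|docs.example.com|90000000|Mozilla/5.0
"""


def classify_host(host):
    """Return the cloud storage service for a destination host, or None if unknown."""
    host = host.lower().rstrip(".")
    for domain, service in CLOUD_STORAGE_DOMAINS.items():
        # exact match or a subdomain; avoids matching e.g. 'notmega.nz'
        if host == domain or host.endswith("." + domain):
            return service
    return None


def parse_proxy_log(text):
    """Parse the pipe-delimited sample format into dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, user, host, sent, ua = line.split("|", 5)
        rows.append({"ts": ts, "src": src, "user": user, "host": host,
                     "bytes_out": int(sent), "ua": ua})
    return rows


def detect_exfil(rows, approved_services, threshold_bytes=200_000_000):
    """Sum outbound bytes per (source, service) for unapproved cloud storage.

    An alert is raised when the total reaches threshold_bytes or when a
    bulk-transfer tool user agent is seen talking to that service.
    """
    totals = defaultdict(int)
    tools = defaultdict(set)
    users = {}
    for r in rows:
        service = classify_host(r["host"])
        if service is None or service in approved_services:
            continue
        key = (r["src"], service)
        totals[key] += r["bytes_out"]
        users[key] = r["user"]
        ua = r["ua"].lower()
        for prefix in TOOL_UA_PREFIXES:
            if ua.startswith(prefix):
                tools[key].add(prefix.rstrip("/"))

    alerts = []
    for key, total in sorted(totals.items()):
        if total >= threshold_bytes or tools[key]:
            src, service = key
            alerts.append({"src": src, "user": users[key], "service": service,
                           "bytes_out": total, "tools": sorted(tools[key])})
    return alerts


if __name__ == "__main__":
    for a in detect_exfil(parse_proxy_log(SAMPLE_LOG), approved_services={"OneDrive"}):
        print(f"{a['src']} ({a['user']}) sent {a['bytes_out'] / 1e6:.0f} MB to "
              f"{a['service']} using {a['tools'] or 'browser/unknown'}")
```

With OneDrive on the approved list, the sample produces a single alert: 10.0.5.23 pushed 450 MB to MEGA with an rclone user agent. The 310 MB to OneDrive is ignored because it is sanctioned, and the small Google Drive transfer stays below threshold. The same aggregation works over DNS or NetFlow data if you substitute a destination-to-service lookup for the host suffix match.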

 

How to Protect Your Organization

At a high level, the following steps will go a long way toward protecting against ransomware and data theft:

  • Patching - As noted above, exploitation of vulnerabilities is the most common initial access vector. Ensuring all external-facing devices and services are fully patched will mitigate many of these initial access intrusions.

  • Multi-factor Authentication - Ensure all VPN and remote access accounts require MFA. This single control helps mitigate brute-force attacks as well as compromised credential abuse.

  • Password Hygiene - Use strong, unique passwords across all accounts.

  • Least Privilege - Ensure each account on the network has only the privileges required to fulfill its task, nothing more.

  • Know Your Environment - Create and enforce a list of known and approved tools in the environment. Any observed deviation from this list should be treated as suspect and investigated.

  • Network Monitoring - Continuously monitor for suspicious traffic to unapproved cloud storage services.

  • Endpoint Detection and Response - Ensure all endpoints have fully up-to-date EDR tools deployed.

For more detailed ransomware protection strategies, it is recommended that administrators review Mandiant's Ransomware Protection and Containment Strategies: Practical Guidance for Hardening and Protecting Infrastructure, Identities, and Endpoints.

 


Vulnerability Roundup

 

Critical RCE Vulnerability in Telnet

On March 11, a critical vulnerability in the GNU InetUtils telnet daemon (telnetd) was reported by the cybersecurity research firm Dream. Per their advisory, the flaw, now tracked as CVE-2026-32746, allows an unauthenticated remote attacker to send a specially crafted message during the initial connection handshake, before any login prompt appears. Successful exploitation gives the attacker remote code execution as root; a single network connection to port 23 is the only prerequisite. The flaw affects all versions of GNU InetUtils telnetd through version 2.7. A fix is not expected to be published until April 1, 2026. Since no patch is currently available, it is highly recommended to disable the telnet service if it is not required, and otherwise to block port 23 at the perimeter firewall.

 

Maximum-severity Vulnerability in Ubiquiti UniFi Network Application

Ubiquiti recently disclosed several vulnerabilities in its UniFi Network Application (also known as the UniFi Controller). One of them is a maximum-severity flaw, tracked as CVE-2026-22557: an unprivileged attacker with access to the network can exploit a path traversal vulnerability to access files on the underlying system and hijack user accounts. This is a low-complexity attack that does not require user interaction. The vulnerability affects UniFi Network Application versions 10.1.85 and earlier. Administrators are urged to patch to version 10.1.89 or later as soon as possible.


 

Critical Flaw in ConnectWise ScreenConnect

A critical vulnerability was recently disclosed for ConnectWise ScreenConnect. The flaw, tracked as CVE-2026-3564, is a cryptographic signature verification vulnerability that could lead to unauthorized access and privilege escalation. Successful exploitation allows an attacker to extract and use the ASP.NET machine keys for unauthorized session authentication. Per the advisory, "if the machine key material for a ScreenConnect instance is disclosed, a threat actor may be able to generate or modify protected values in ways that may be accepted by the instance as valid...can result in unauthorized access and unauthorized actions within ScreenConnect." The vulnerability affects all ScreenConnect versions prior to version 26.1. Administrators are urged to update to version 26.1 as soon as possible.


 

Critical Vulnerability in Oracle Identity Manager and Web Services Manager

Late last week, Oracle released an out-of-band security update for a critical remote code execution flaw in their Identity Manager and Web Services Manager platforms. The vulnerability, tracked as CVE-2026-21992, is low-complexity, can be remotely exploited over HTTP, and does not require authentication or user interaction. Affected products are Oracle Identity Manager and Oracle Web Services Manager versions 12.2.1.4.0 and 14.1.2.1.0. Administrators are urged to patch as soon as possible.

  

Critical Vulnerability in Citrix NetScaler

Today, Citrix released a support bulletin for two vulnerabilities affecting Citrix NetScaler ADC and NetScaler Gateway. The more severe of the two is CVE-2026-3055, caused by "insufficient input validation leading to memory overread." The following versions are affected:

    • NetScaler ADC and NetScaler Gateway 14.1 BEFORE 14.1-66.59
    • NetScaler ADC and NetScaler Gateway 13.1 BEFORE 13.1-62.23
    • NetScaler ADC FIPS and NDcPP BEFORE 13.1-37.262

Additionally, the device must be configured as a SAML IdP (identity provider) to be vulnerable. Per the Citrix documentation, administrators can check for this configuration by searching for the following string in the NetScaler configuration:

add authentication samlIdPProfile .*

As Citrix is commonly exploited by threat actors for initial access, it is recommended that administrators apply patches immediately.
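Two checks decide whether a given appliance is exposed: is the running build older than the fixed build for its branch, and does the configuration contain the samlIdPProfile string above? The Python below is an added example written for this report (not a Citrix tool) that combines both checks against the version numbers and search string from the bulletin. It assumes the version is supplied in the bulletin's "MAJOR.MINOR-BUILD.SUB" notation and that a text export of the NetScaler configuration is available; the sample configuration excerpt is constructed.

```python
import re

# Fixed builds from the Citrix bulletin; any earlier build on the same branch is
# affected. The FIPS/NDcPP line of 13.1 has its own fixed build.
FIXED_BUILDS = {
    ("standard", (14, 1)): (66, 59),
    ("standard", (13, 1)): (62, 23),
    ("fips", (13, 1)): (37, 262),
}

# Bulletin notation, e.g. "14.1-66.59" (assumption: adapt if you feed it the
# output of 'show ns version', which is formatted differently).
VERSION_RE = re.compile(r"^(\d+)\.(\d+)-(\d+)\.(\d+)$")

# The configuration string Citrix says to search for (regex form of
# 'add authentication samlIdPProfile .*').
SAML_IDP_RE = re.compile(r"^add authentication samlIdPProfile\b", re.MULTILINE)


def parse_version(version):
    """Split 'MAJOR.MINOR-BUILD.SUB' into a branch tuple and a build tuple."""
    m = VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised NetScaler version: {version!r}")
    major, minor, build, sub = (int(x) for x in m.groups())
    return (major, minor), (build, sub)


def build_is_affected(version, fips=False):
    """True if the build predates the fix; None if the branch is not in the bulletin."""
    branch, build = parse_version(version)
    fixed = FIXED_BUILDS.get(("fips" if fips else "standard", branch))
    if fixed is None:
        return None
    return build < fixed  # tuple comparison: (66, 58) < (66, 59)


def saml_idp_configured(ns_conf):
    """True when the configuration text defines at least one SAML IdP profile."""
    return SAML_IDP_RE.search(ns_conf) is not None


def assess(version, ns_conf, fips=False):
    """Combine both conditions: exposed only if affected build AND SAML IdP configured."""
    affected = build_is_affected(version, fips)
    idp = saml_idp_configured(ns_conf)
    return {
        "affected_build": affected,
        "saml_idp_configured": idp,
        "exposed": bool(affected) and idp,
    }


# Constructed ns.conf excerpts for the example, not real appliance configurations.
SAMPLE_CONF_WITH_IDP = """\
add authentication ldapAction corp_ldap -serverIP 10.0.0.5
add authentication samlIdPProfile corp_idp -samlIdPCertName corp_cert
"""
SAMPLE_CONF_WITHOUT_IDP = """\
add authentication ldapAction corp_ldap -serverIP 10.0.0.5
"""


if __name__ == "__main__":
    for ver, conf, fips in [("14.1-66.58", SAMPLE_CONF_WITH_IDP, False),
                            ("14.1-66.59", SAMPLE_CONF_WITH_IDP, False),
                            ("13.1-37.200", SAMPLE_CONF_WITHOUT_IDP, True)]:
        print(ver, "FIPS" if fips else "standard", assess(ver, conf, fips))
```

An appliance on an affected build without a SAML IdP profile still needs the update; the "exposed" flag only tells you which devices to prioritise. Run the version check with fips=True for NetScaler ADC FIPS and NDcPP builds, since their 13.1 fix lands at 37.262 rather than 62.23.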

 

CISA KEV Additions

The following vulnerabilities were added to CISA's Known Exploited Vulnerabilities Catalog in the last two weeks:

  • CVE-2025-31277 - Apple Multiple Products Buffer Overflow Vulnerability
  • CVE-2025-43520 - Apple Multiple Products Classic Buffer Overflow Vulnerability
  • CVE-2025-43510 - Apple Multiple Products Improper Locking Vulnerability
  • CVE-2025-54068 - Laravel Livewire Code Injection Vulnerability
  • CVE-2025-32432 - Craft CMS Code Injection Vulnerability
  • CVE-2026-20131 - Cisco Secure Firewall Management Center (FMC) Software and Cisco Security Cloud Control (SCC) Firewall Management Deserialization of Untrusted Data Vulnerability
  • CVE-2026-20963 - Microsoft SharePoint Deserialization of Untrusted Data Vulnerability
  • CVE-2025-66376 - Synacor Zimbra Collaboration Suite (ZCS) Cross-Site Scripting Vulnerability
  • CVE-2025-47813 - Wing FTP Server Information Disclosure Vulnerability
  • CVE-2026-3909 - Google Skia Out-of-Bounds Write Vulnerability
  • CVE-2026-3910 - Google Chromium V8 Improper Restriction of Operations Within the Bounds of a Memory Buffer Vulnerability
  • CVE-2025-68613 - n8n Improper Control of Dynamically-Managed Code Resources Vulnerability
  • CVE-2026-1603 - Ivanti Endpoint Manager (EPM) Authentication Bypass Vulnerability
  • CVE-2025-26399 - SolarWinds Web Help Desk Deserialization of Untrusted Data Vulnerability
  • CVE-2021-22054 - Omnissa Workspace ONE Server-Side Request Forgery

 

 

Appendix A

Attack Lifecycle Associated with 2025 Ransomware Incidents (infographic not reproduced in this text version)

Appendix B

Common Vulnerabilities Abused for Initial Access in 2025 Ransomware Incidents (table not reproduced in this text version)

This report is provided FREE to the cybersecurity community.

Visit our Cyber Threat Intelligence Blog for additional reports.

 

NOTE
We have enhanced our report with data from SOCRadar. You may need to register to view their threat intelligence content.

DISCLAIMER
Kindly be advised that the information contained in this article is presented with no final evaluation and should be considered raw data. The sole purpose of this information is to provide situational awareness based on the currently available knowledge. We recommend exercising caution and conducting further research as necessary before making any decisions based on this information.