Extortion groups are adjusting their methodologies, increasingly favoring built-in system tools as ransomware payment rates continue to decline.
Recent research published by the Google Threat Intelligence Group (GTIG) evaluated the 2025 ransomware ecosystem, detailing the most frequent tactics, techniques, and procedures (TTPs) observed during incident response engagements conducted by Google Cloud's Mandiant group.
The analysis identified several key shifts in threat actor behavior. Suspected unauthorized data access occurred in approximately 77% of incidents, an increase from 57% the previous year. Additionally, 43% of unauthorized access events targeted virtualization infrastructure, up from 29%. Known vulnerabilities were leveraged as the initial access vector in one-third of the cases, with VPNs and firewalls frequently targeted. Furthermore, posts on data leak sites reached record highs in 2025.
GTIG noted that data leak sites typically only publish information from affected organizations that decline ransom demands. This observation aligns with reporting from incident response firm Coveware by Veeam, which recorded a substantial decrease in the frequency of ransom payments. Coveware’s Q4 2025 findings indicate that only 20% of impacted organizations chose to pay, marking an all-time low since the firm began tracking this metric. While the report noted an increase in average and median payment amounts, it attributed these spikes to a small number of high-impact incidents rather than a broader willingness to pay.
Organizations are demonstrably improving their ability to prevent and recover from ransomware events. Alongside enhanced recovery capabilities, factors such as law enforcement interventions and internal disputes among threat groups have significantly disrupted the extortion ecosystem over the past year.
Transitioning to native system administration tools
GTIG’s telemetry indicates that malicious actors are adapting to improved security postures by reducing their reliance on external software and instead using built-in Windows capabilities.
For instance, the use of Cobalt Strike Beacon appeared in only 2% of ransomware incidents last year, down from 11% in 2024 and approximately 60% in 2021. The use of Mimikatz also decreased by 2% from the previous year, appearing in 18% of incidents.
As custom tooling declines, the abuse of internal Windows utilities is rising. While leveraging unpatched vulnerabilities remains the most common method for initial access, stolen credentials account for 21% of initial access events and are consistently used to maintain a foothold within environments.
Unauthorized parties frequently use PowerShell commands, publicly available software, and standard system utilities for network reconnaissance.
"Threat actors consistently used PowerShell to query Active Directory (AD) objects for running processes, network shares, and user group memberships. This activity ranged from using native cmdlets like Get-ADComputer and Get-ADUser to using script blocks to query other system data," GTIG detailed. "Threat actors [also] continued to rely heavily on internal Windows utilities in this phase of the attack lifecycle, including ipconfig, netstat, ping, and nltest, among others."
For lateral movement, threat actors rely on standard protocols, including Remote Desktop Protocol (RDP), Server Message Block (SMB), and Secure Shell (SSH). RDP in particular was observed in 85% of documented incidents.
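Because the cmdlets and utilities quoted above are also routine for administrators, a single Get-ADUser call is not a useful alert; what distinguishes enumeration is several different recon indicators from one account in a short window. The following is an added detection example, not code from GTIG or the article: it runs that correlation over constructed PowerShell script-block log entries (the fields mimic event 4104's ScriptBlockText, user and timestamp; the accounts, hosts and times are made up).

```python
# Added detection example (not from GTIG or the article): flag bursts of
# Active Directory reconnaissance in PowerShell script-block logs (event 4104).
# Fires only when one user runs several distinct recon indicators named in the
# article (Get-ADComputer, Get-ADUser, nltest, netstat, net view) in one window.
from collections import defaultdict
from datetime import datetime, timedelta
import re

RECON_PATTERNS = {
    "Get-ADComputer": re.compile(r"\bGet-ADComputer\b", re.I),
    "Get-ADUser": re.compile(r"\bGet-ADUser\b", re.I),
    "net view/share": re.compile(r"\bnet\s+(view|share)\b", re.I),
    "nltest": re.compile(r"\bnltest(\.exe)?\b", re.I),
    "netstat": re.compile(r"\bnetstat(\.exe)?\b", re.I),
}
def indicators(script_block):
    """Names of recon indicators present in one ScriptBlockText value."""
    return {name for name, rx in RECON_PATTERNS.items() if rx.search(script_block)}
def detect_recon_bursts(events, window=timedelta(minutes=10), min_distinct=3):
    """events: (timestamp, user, script_block_text) tuples. Returns {user: sorted
    indicator names} where one user's events in some `window` hold >= min_distinct."""
    per_user = defaultdict(list)
    for ts, user, text in events:
        found = indicators(text)
        if found:
            per_user[user].append((ts, found))
    hits = {}
    for user, items in per_user.items():
        items.sort(key=lambda item: item[0])
        for i, (start, _) in enumerate(items):  # sliding window from each event
            seen = set()
            for ts, found in items[i:]:
                if ts - start > window:
                    break
                seen |= found
            if len(seen) >= min_distinct:
                hits[user] = sorted(seen)
                break
    return hits
# Constructed sample events; timestamps, accounts and hosts are made up.
SAMPLE_EVENTS = [
    (datetime(2025, 6, 1, 9, 0, 5), "CORP\\svc_backup", "Get-ADComputer -Filter * -Properties OperatingSystem"),
    (datetime(2025, 6, 1, 9, 1, 12), "CORP\\svc_backup", "Get-ADUser -Filter * | Select SamAccountName"),
    (datetime(2025, 6, 1, 9, 2, 40), "CORP\\svc_backup", "nltest /dclist:corp.local; netstat -ano"),
    (datetime(2025, 6, 1, 14, 30, 0), "CORP\\helpdesk1", "Get-ADUser jdoe -Properties LockedOut"),
    (datetime(2025, 6, 1, 16, 5, 0), "CORP\\helpdesk1", "Get-ADComputer WS-0421"),
]
if __name__ == "__main__":
    for user, names in detect_recon_bursts(SAMPLE_EVENTS).items():
        print(f"ALERT: recon burst by {user}: {', '.join(names)}")  # only svc_backup fires
```

The service account's three commands within two minutes trigger the alert, while the help-desk account's two isolated lookups hours apart do not.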
Evasion through normalcy
The data points to a clear operational shift: threat actors are minimizing custom malware in favor of built-in system capabilities.
Ray Umerley, field chief information security officer (CISO) at Veeam, confirmed that his firm observes this ongoing trend, noting that tools like Mimikatz still appear in specific cases. He characterizes the strategy as "evasion through normalcy."
"It's not that 'classic' offensive tooling has disappeared; rather, many threat actors are leaning more heavily on built-in Windows capabilities (PowerShell, WMI, cmd/batch, etc.) to reduce the need to introduce additional binaries that are more likely to stand out," Umerley notes.
"Purpose-built tooling like Mimikatz and Cobalt Strike Beacon is widely signatured and behaviorally modeled by [endpoint detection and response, or EDR], so deploying it can create clear detection opportunities and cause operations to fail earlier," he adds. "By contrast, abusing native tooling blends into the organization's baseline and is harder to distinguish from legitimate administration without strong contextual correlation and identity controls. This aligns with how many of the threat actors we observe operate at speed and scale: optimizing for repeatability, reliability, and minimizing friction (and detection) as they move through an environment to achieve their objectives."
Bavi Sadayappan, senior threat intelligence analyst at Google and co-author of the research, affirmed the migration to built-in tools over recent years.
"Over the past several years we've seen ransomware actors continuously reduce their reliance on malware and common intrusion tools for various phases of the attack lifecycle, including an almost complete lack of Cobalt Strike Beacon use in 2025," Sadayappan says. "This shift toward native utilities and publicly available tools for their operations is likely, at least in part, due to improved security postures and endpoint detection systems that are able to identify and/or block more malicious activity. By relying more heavily on abusing native functionality and legitimate tools, threat actors may be more likely to evade detections and operate under the radar."
About the original author
Alexander Culafi is a Senior News Writer for Dark Reading, based in Boston. With a background writing for independent gaming publications, he graduated from Emerson College in 2016 with a Bachelor of Science in journalism. He has previously been published on VentureFizz, Search Security, Nintendo World Report, and elsewhere.