Ransomware groups made less money in 2025 despite a 47% increase in attacks, driving new tactics: bundled DDoS services, insider recruitment, and gig worker exploitation. Learn the emerging trends defenders must prepare for in 2026.
Analysis Summary
# Tool/Technique: Ransomware-as-a-Service (RaaS) with Bundled DDoS Services
## Overview
An evolution of Ransomware-as-a-Service (RaaS) offerings in which operators bundle Distributed Denial of Service (DDoS) capabilities into the affiliate package as an added value proposition, used to attract and retain affiliates as average ransomware payments declined in 2025.
## Technical Details
- Type: Technique/Business Model Evolution
- Platform: Network Infrastructure, Enterprise Targets
- Capabilities: Extortion via data encryption/theft AND network disruption via DDoS.
- First Seen: Tactic is a resurgence; exemplified by the newly formed "Chaos ransomware group."
## MITRE ATT&CK Mapping
* T1486 - Data Encrypted for Impact
  - T1484.001 - Ransom Software
* T1498 - Network Denial of Service
  - T1498.001 - Direct Network Flood (This applies to the bundled service)
* TA0011 - Command and Control (Implicit, for coordinating the multi-pronged attack)
## Functionality
### Core Capabilities
- Ransomware infection and encryption.
- Offering DDoS capabilities as an incentive for affiliates.
### Advanced Features
- Multi-pronged extortion: Applying immediate pressure through network unavailability (DDoS) either simultaneously with or preceding the data encryption/exfiltration demand.
- Affiliate retention strategy: Enhancing the value proposition of the RaaS model in a declining profitability market.
## Indicators of Compromise
- File Hashes: N/A (Focus is on the service model, not a specific malware binary)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: External DDoS activation directed at the victim organization during the ransom negotiation window.
- Behavioral Indicators: Simultaneous discovery of ransomware activity and external volumetric network attacks against the victim.
## Associated Threat Actors
- Chaos ransomware group (newly formed, explicitly bundles DDoS)
- REvil (previously offered similar services)
## Detection Methods
- Signature-based detection: N/A (This is a business/operational technique)
- Behavioral detection: Monitoring for coordinated network saturation attacks coinciding with suspected enterprise intrusion or ransom note discovery.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures: Robust DDoS mitigation services and edge protection are critical.
- Hardening recommendations: Review and stress-test incident response plans to handle simultaneous encryption/extortion AND network outage scenarios. Implement strong perimeter monitoring.
## Related Tools/Techniques
- Ransomware-as-a-Service (RaaS) models.
- Network Denial of Service tooling.
---
# Tool/Technique: Insider Recruitment for Initial Access/Facilitation
## Overview
A growing trend in which ransomware groups actively recruit or coerce corporate insiders, often using native English speakers for the outreach, to facilitate initial access, provide internal knowledge, or execute actions on the network, moving beyond traditional opportunistic social engineering.
## Technical Details
- Type: Technique (Social Engineering/Human Exploitation)
- Platform: Corporate Employees (Targeting users with existing legitimate access)
- Capabilities: Bypassing perimeter defenses, obtaining credentials, providing physical access, or executing payloads internally.
- First Seen: Trend significantly increased throughout 2025, predicted to accelerate in 2026.
## MITRE ATT&CK Mapping
* TA0001 - Initial Access
* T1566 - Phishing
* T1566.001 - Spearphishing Attachment / Link (Used to target potential insiders)
* TA0006 - Credential Access
* T1078 - Valid Accounts
* T1078.003 - Local Accounts (May be used post-recruitment)
* T1078.001 - Domain Accounts
* TA0003 - Persistence (If the insider maintains access)
## Functionality
### Core Capabilities
- Social engineering to convince an employee to willingly or unknowingly assist the threat actor.
- Leveraging native language skills for more convincing or targeted outreach.
### Advanced Features
- Exploiting employee dissatisfaction (e.g., due to layoffs) to motivate cooperation.
- Gaining validated access without needing to brute-force or phish for credentials initially.
## Indicators of Compromise
- File Hashes: N/A
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: Communication between internal compromised accounts and external C2 infrastructure related to suspicious low-and-slow activity or data staging.
- Behavioral Indicators: Employees engaging in activities outside their normal job scope, unusual external communications, or sudden, unexplained access to sensitive systems.
## Associated Threat Actors
- Various ransomware groups actively expanding recruitment efforts.
- Groups seeking skilled assistance where technical initial access methods have failed.
## Detection Methods
- Signature-based detection: N/A
- Behavioral detection: User and Entity Behavior Analytics (UEBA) systems flagging anomalous access patterns, privilege escalation attempts by legitimate users, or unusual data access volumes by specific employees.
- YARA rules: N/A
## Mitigation Strategies
- Prevention measures: Strengthened Human Resources and Security overlap; rigorous vetting processes for vendor/contractor access.
- Hardening recommendations: Employee awareness training specifically covering recruitment attempts (not just phishing); strong monitoring of high-privilege accounts; zero-trust architecture limiting lateral movement even when an account is compromised.
## Related Tools/Techniques
- Social Engineering (General)
- Vishing/Smishing (As potential precursor contact methods)
- Initial Access using Valid Accounts (T1078)
---
# Tool/Technique: Gig Worker Exploitation for Physical Access
## Overview
A novel, rare but replicable technique in which threat actors use gig work platforms to recruit seemingly legitimate contractors (e.g., third-party IT support) to gain physical entry into corporate offices, bypassing remote security controls and stealing data directly.
## Technical Details
- Type: Technique (Physical Access/Third-Party Compromise)
- Platform: Physical/Hybrid Environments, On-site IT Support Roles
- Capabilities: Gaining physical presence inside secure facilities under the guise of legitimate work.
- First Seen: Documented in one specific case via an FBI advisory in 2025.
## MITRE ATT&CK Mapping
* TA0001 - Initial Access
* T1190 - Exploit Public-Facing Application (This is the method used to *recruit* the worker, though the *result* is physical access)
* TA0005 - Defense Evasion (By leveraging the trust associated with a known support role)
* TA0009 - Collection
* T1005 - Data from Local System (Physical access facilitates easy data exfiltration)
## Functionality
### Core Capabilities
- Social engineering external gig workers into performing tasks within the target's physical environment.
- Using the established legitimacy of the gig platform to bypass reception/security checks.
### Advanced Features
- Circumventing digital security controls (like endpoint protection or EDR) by performing physical insertion of tools or direct data removal (e.g., via USB drive).
## Indicators of Compromise
- File Hashes: N/A (Focus is on the physical action)
- File Names: N/A
- Registry Keys: N/A
- Network Indicators: N/A
- Behavioral Indicators: Unplanned or unusual physical presence of non-standard contractors (especially those performing basic IT functions) inside sensitive areas; anomalous physical access badge scans.
## Associated Threat Actors
- Groups who have exhausted remote access methods and possess the operational capability to orchestrate physical entry logistics.
## Detection Methods
- Signature-based detection: N/A
- Behavioral detection: Security monitoring systems coupled with physical access control logs to correlate unusual IT service requests with physical entry events.
- YARA rules: N/A
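One way to implement the behavioral correlation named in the detection methods above, both for the bundled-DDoS technique (volumetric attacks coinciding with ransomware activity) and for the gig-worker technique (unscheduled IT service requests coinciding with badge entry to sensitive areas). This is an added example, not code from the report; the event sources, field names and time windows are assumptions, and the log events are constructed.

```python
"""Time-window correlation of paired behavioral indicators (added example)."""
from datetime import datetime, timedelta

# Constructed sample events: (timestamp, source, entity, detail).
# The entity is the site or person both events must share to correlate.
EVENTS = [
    ("2025-09-14T02:10:00", "edr", "site-hq", "ransom_note_dropped"),
    ("2025-09-14T02:35:00", "netflow", "site-hq", "volumetric_ddos"),
    ("2025-09-15T11:00:00", "netflow", "site-dc2", "volumetric_ddos"),  # no ransomware nearby
    ("2025-09-16T08:05:00", "helpdesk", "contractor-17", "unscheduled_it_visit"),
    ("2025-09-16T09:20:00", "badge", "contractor-17", "server_room_entry"),
    ("2025-09-16T09:30:00", "badge", "contractor-22", "server_room_entry"),  # no request on file
]

# Correlation rules: (trigger detail, companion detail, window, rule name).
# Windows are assumed values; tune them to the environment's own timing.
RULES = [
    ("ransom_note_dropped", "volumetric_ddos", timedelta(hours=24), "ransomware+ddos"),
    ("unscheduled_it_visit", "server_room_entry", timedelta(hours=4), "gig-worker physical access"),
]


def parse(ts):
    return datetime.fromisoformat(ts)


def correlate(events, rules):
    """Return (rule, entity, trigger_ts, companion_ts) for every trigger event that
    has a companion event on the same entity within the window, in either order
    (the report notes DDoS may precede or accompany the encryption demand)."""
    alerts = []
    ordered = sorted(events, key=lambda e: parse(e[0]))
    for trig_detail, comp_detail, window, name in rules:
        for ts_t, _, ent_t, det_t in ordered:
            if det_t != trig_detail:
                continue
            for ts_c, _, ent_c, det_c in ordered:
                if det_c != comp_detail or ent_c != ent_t:
                    continue
                if abs(parse(ts_c) - parse(ts_t)) <= window:
                    alerts.append((name, ent_t, ts_t, ts_c))
    return alerts


if __name__ == "__main__":
    for alert in correlate(EVENTS, RULES):
        print(alert)
```

Unpaired events (the lone DDoS at site-dc2, the badge scan with no service request) produce no alert, which is the point of correlating rather than alerting on either signal alone.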
## Mitigation Strategies
- Prevention measures: Strict verification protocols for all on-site third-party vendors, especially those claiming to be emergency IT support.
- Hardening recommendations: Limit physical access privileges; ensure all on-site work requires escort or heightened supervision; implement security education for reception staff regarding social engineering validation.
## Related Tools/Techniques
- Physical Access (T1076)
- Supply Chain Compromise (Focusing narrowly on service workers)