Average breakout time has significantly decreased
Right now, it takes attackers just 18 minutes on average to move from initial access to lateral movement inside a compromised network. It doesn’t take a lot of imagination to understand the risk here. In 2024, even the fastest recorded breakout time was 27 minutes. Now, we’re seeing solid evidence it’s dropped by a full third. In an incident involving Akira ransomware, attackers transitioned to lateral movement just six minutes after exploiting a vulnerability in a SonicWall VPN. These are not one-off anomalies, they’re becoming normal.
What this means for any company is pretty clear: you don’t have time. If part of your detection chain depends on human evaluation, manual triage, or untuned alerting, then you’ve already lost. Response systems must shift toward automation, detection has to be real-time, and escalation has to be automatic. You’re not just reacting to malware anymore, you’re reacting to its speed.
This pressure forces your security operations to make some uncomfortable but necessary changes. Shorten the decision loop. Remove steps that rely on threadbare SOC capacity. Trust automation more. It’s already faster than your adversaries in most cases. That’s the direction we need to move in, fewer human bottlenecks, more data-driven response.
ReliaQuest’s Q3 report confirms all of this in clear terms. Between June and August 2025, breakout times averaged 18 minutes. The Akira six-minute case wasn’t an exception, it was a preview.
Malware campaigns are rapidly evolving initial access tactics
Most breaches still begin at the beginning, initial access. But what we see now is that the shape of this stage is changing, fast. Malware campaigns like Oyster (also known as Broomstick) are leading this shift in attack behavior. Drive-by compromises linked to Oyster now make up 34% of initial access incidents. That’s not a quiet spike, it’s a complete redrawing of the initial access playbook. Last quarter, Oyster was responsible for just over 2% of verified customer incidents. Now, it’s at 45%. That kind of growth signals one thing clearly: the system is unprepared for how fast attackers adapt and scale.
Oyster isn’t the only concern. Gamarue, an older and still very functional malware strain, is making a comeback through USB exploits. It hides code in DLLs and relies on systems where USB autorun hasn’t been disabled. No user action required. It just runs. That’s a problem in high-security, air-gapped environments. These are places where USBs are a necessary evil, and security policies are inconsistently enforced, especially across different departments or partner networks.
There are two takeaways here. First, newer malware families like Oyster are scaling hard because they’re automating distribution and exploiting common web and endpoint weaknesses. Second, older malware families like Gamarue are still succeeding because we haven’t closed off outdated attack surfaces like removable media. Attackers are using both modern and legacy tools simultaneously, and they’re winning on both fronts.
Business leaders need to get serious about revamped device controls and enforce strict policies on USB access across the entire supply chain. You can’t afford variance between offices, geographies, or external partners here. One weak USB policy in a contractor’s laptop is enough to open the door.
The numbers back it up: Oyster-related incidents jumped from 2.17% to 45% in just one quarter, with drive-by compromises leading in initial access at 34%. Gamarue isn’t measured by volume, it’s measured by the stealth it achieves through gaps most companies still ignore. The attacks are evolving. So should your policies.
Defense evasion tactics now exploit legitimate system binaries
Attackers are increasingly relying on what’s already trusted inside your operating system to evade detection. One method that’s grown fast is abusing Rundll32, a legitimate Windows binary used to load and execute dynamic link libraries (DLLs). Both the Gamarue and Oyster malware families are using this binary to persist on systems without triggering traditional alerts. Rundll32 operations don’t raise red flags because they look like normal system behavior. Simple concept, highly effective.
What changed in this quarter is how widespread the tactic has become. Rundll32 now accounts for 11% of all observed defense evasion techniques. That’s not trivial. Last quarter, it didn’t even rank in the top 15. Oyster is again the primary driver here, executing payloads via scheduled tasks and using file names or directory paths that appear legitimate. This bypasses many standard endpoint detection tools because the behavior isn’t inherently malicious, it just behaves like a system-level task.
For executives evaluating security controls, here’s what matters: your tools can’t just detect malware signatures anymore. They have to detect suspicious use of trusted binaries. Behavior over static indicators. Most security solutions were not built with this level of nuance in mind. That means you’ll need to invest in updated endpoint detection and response (EDR) systems that analyze execution context, not just file names or hash values.
This evasion technique isn’t hypothetical. Oyster was responsible for 48% of incidents involving the use of legitimate-looking file names or file locations to hide malicious activity. These aren’t random attempts, they’re deliberate arsenals being used repeatedly in the wild. The system tools your business relies on are now part of the attacker’s toolkit. Time to update your detection strategies accordingly.
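The behavior-over-signatures point above can be made concrete. The following is an added example (not code from the ReliaQuest report or any product): it scores constructed process-creation records for the signals the text describes, rundll32 launched by the Task Scheduler, a DLL argument sitting in a user-writable directory, or a system-looking DLL name outside the Windows directory. The field layout, path lists and threshold are assumptions chosen for illustration.

```python
"""Score rundll32 launches on execution context rather than file hash."""
import re
from pathlib import PureWindowsPath

SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\syswow64")
# Directories a non-admin user can write to; a DLL here is a weak signal on its own
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\users\\public\\", "\\downloads\\")
# Parent command lines that indicate a scheduled-task launch (Schedule svchost group or taskeng)
TASK_PARENTS = ("-s schedule", "\\taskeng.exe")
# Illustrative set of DLL names that look legitimate; a copy outside a system dir is masquerading
COMMON_SYSTEM_DLLS = {"shell32.dll", "printui.dll", "user32.dll", "advpack.dll"}
# Captures the DLL path that follows rundll32[.exe], up to the ",EntryPoint" separator
DLL_ARG = re.compile(r'(?i)rundll32(?:\.exe)?"?\s+"?([^",]+?\.dll)')

# Constructed process-creation records: (parent command line, image path, command line)
SAMPLE_EVENTS = [
    # benign: Explorer runs a System32 DLL through rundll32
    (r"C:\Windows\explorer.exe", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\printui.dll,PrintUIEntry /in"),
    # benign: a scheduled task that legitimately uses a System32 DLL
    (r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Windows\System32\advpack.dll,DelNodeRunDLL32 C:\Temp\x"),
    # suspicious: task-launched, DLL in AppData, named like a system DLL
    (r"C:\Windows\System32\svchost.exe -k netsvcs -p -s Schedule", r"C:\Windows\System32\rundll32.exe",
     r"rundll32.exe C:\Users\alice\AppData\Roaming\UpdateSvc\shell32.dll,Init"),
    # suspicious: rundll32 itself copied into ProgramData, loading a DLL from there
    (r"C:\Windows\System32\cmd.exe", r"C:\ProgramData\Intel\rundll32.exe",
     r"rundll32.exe C:\ProgramData\Intel\igfx.dll,Start"),
]


def score_event(parent: str, image: str, cmdline: str):
    """Return (score, reasons); each independent context signal adds one point."""
    reasons = []
    if not image.lower().startswith(SYSTEM_DIRS):
        reasons.append("rundll32 image outside System32/SysWOW64")
    match = DLL_ARG.search(cmdline)
    if match is None:
        reasons.append("no DLL argument (unusual invocation)")
    else:
        dll = match.group(1).strip().lower()
        if any(tok in dll for tok in USER_WRITABLE):
            reasons.append(f"DLL in user-writable path: {dll}")
        name = PureWindowsPath(dll).name
        if name in COMMON_SYSTEM_DLLS and not dll.startswith(SYSTEM_DIRS):
            reasons.append(f"system DLL name outside a system directory: {name}")
    if any(tok in parent.lower() for tok in TASK_PARENTS):
        reasons.append("launched by Task Scheduler")
    return len(reasons), reasons


def find_suspicious(events, threshold: int = 2):
    """Flag events whose combined context score reaches the threshold."""
    hits = []
    for idx, (parent, image, cmdline) in enumerate(events):
        score, reasons = score_event(parent, image, cmdline)
        if score >= threshold:
            hits.append((idx, score, reasons))
    return hits


if __name__ == "__main__":
    for idx, score, reasons in find_suspicious(SAMPLE_EVENTS):
        print(f"event {idx} score={score}: {'; '.join(reasons)}")
```

A single signal (a scheduled task using a System32 DLL) stays below the threshold, which is the point: the combination of context is what separates routine use of the binary from abuse.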
Lateral movement through SMB abuse is increasing
Once attackers are inside the network, their next move is sideways, lateral movement. Remote Desktop Protocol (RDP) is still the most commonly used method here. But Server Message Block (SMB) abuse has surged in recent months. It now features in 29% of lateral movement incidents, up from 10% last quarter. That’s almost a threefold increase. And again, Akira is the spotlight example.
Ransomware groups are using SMB to encrypt files on shared drives remotely. They do this from compromised accounts, often via VPNs or unmanaged devices, allowing them to bypass most endpoint protections. Because SMB is a core file-sharing protocol, abnormal activity can blend easily into normal network traffic, until it’s too late. That’s part of what makes this method so difficult to contain without real-time visibility across internal systems.
Executives should understand what this shift means from a risk management angle. Systems relying on legacy protocols like SMB are now becoming prime attack vectors, not just because of technical flaws, but because visibility is often poor. Devices connected via VPNs, or left unmanaged by IT, are giving ransomware operators blind spots to exploit. These aren’t edge cases, they are your most probable breach surfaces.
Right now, segmentation and more active monitoring of SMB traffic are essential. You also need baseline behavioral metrics around internal data movement. If an identity is copying or encrypting unexpected amounts of data over SMB, that needs to trigger a response. You can’t fix what you can’t see, and attackers are counting on that.
ReliaQuest’s data reinforces this concern. Lateral movement via SMB accounted for 29% of incidents in the last quarter. The method wasn’t theoretical, it was actively used by Akira ransomware groups to lock up files without touching endpoints directly. The ability to move and encrypt data quietly, using conventional corporate network services, is a growing threat, one that’s proven and scaled. Make sure you’re not one of the companies providing the pathway.
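The baseline-and-trigger idea in the two paragraphs above, as an added example that is not part of the ReliaQuest report: per-identity daily SMB write volume and rename counts (constructed aggregates, standing in for file-share telemetry) are baselined with a median and MAD, and an evaluation day is flagged when an identity writes far above its own norm, renames files in bulk (the in-place footprint of share encryption), or has no history at all, as an unmanaged or VPN-only account might. The factors and floors are assumptions to tune per environment.

```python
"""Flag identities whose SMB write activity departs from their own baseline."""
from collections import defaultdict
from statistics import median

# Constructed daily aggregates: (identity, day, bytes_written_over_smb, files_renamed)
SAMPLE_ACTIVITY = [
    ("alice", 1, 120_000_000, 3), ("alice", 2, 95_000_000, 1),
    ("alice", 3, 140_000_000, 4), ("alice", 4, 110_000_000, 2),
    ("alice", 5, 130_000_000, 2),
    ("svc-backup", 1, 8_000_000_000, 0), ("svc-backup", 2, 8_200_000_000, 0),
    ("svc-backup", 3, 7_900_000_000, 0), ("svc-backup", 4, 8_100_000_000, 0),
    ("svc-backup", 5, 8_050_000_000, 0),
    ("bob", 1, 60_000_000, 0), ("bob", 2, 70_000_000, 1),
    ("bob", 3, 55_000_000, 0), ("bob", 4, 65_000_000, 0),
    ("bob", 5, 2_400_000_000, 18_500),      # heavy writes plus a mass rename from bob's account
    ("contractor-vpn", 5, 500_000_000, 0),  # identity with no prior SMB history
]


def build_baseline(records, baseline_days):
    """Per identity: (median daily bytes, MAD of bytes, median daily renames)."""
    per_id = defaultdict(lambda: ([], []))
    for identity, day, nbytes, renames in records:
        if day in baseline_days:
            per_id[identity][0].append(nbytes)
            per_id[identity][1].append(renames)
    baseline = {}
    for identity, (byte_days, rename_days) in per_id.items():
        med = median(byte_days)
        mad = median(abs(b - med) for b in byte_days)
        baseline[identity] = (med, mad, median(rename_days))
    return baseline


def detect(records, eval_day, baseline, k=5.0, rename_floor=50):
    """Return [(identity, reasons)] for the evaluation day; empty list means nothing fired."""
    alerts = []
    for identity, day, nbytes, renames in records:
        if day != eval_day:
            continue
        reasons = []
        if identity not in baseline:
            reasons.append("identity has no SMB write history")
        else:
            med, mad, med_renames = baseline[identity]
            scale = max(mad, 0.1 * med)  # floor so a very steady account is not flagged on noise
            if nbytes > med + k * scale:
                reasons.append(f"bytes written {nbytes} vs baseline median {med:.0f}")
            if renames > max(10 * med_renames, rename_floor):
                reasons.append(f"{renames} renames vs baseline median {med_renames:.0f}")
        if reasons:
            alerts.append((identity, reasons))
    return alerts


if __name__ == "__main__":
    base = build_baseline(SAMPLE_ACTIVITY, baseline_days={1, 2, 3, 4})
    for identity, reasons in detect(SAMPLE_ACTIVITY, eval_day=5, baseline=base):
        print(identity, "->", "; ".join(reasons))
```

The backup service account writes gigabytes every day and is not flagged because the comparison is against its own history, which is what keeps a volume-based rule usable on a real network.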
IP-KVM devices present mounting security risks
Security threats aren’t limited to software or networks. Hardware is now a growing point of concern, particularly with keyboard-video-mouse over IP devices, commonly known as IP-KVMs. These are remote-access tools designed for legitimate system management, but attackers and even internal staff are increasingly introducing them into corporate environments, intentionally or not. Their presence isn’t always logged, and they often fall outside the reach of endpoint detection tools.
The data points are clear: there was a 328% increase in IP-KVM-related incidents from June to August 2025. That isn’t a trend to ignore. These devices give direct input and screen access to systems with little to no visibility for traditional network security layers. Threat actors, including North Korean groups, have been linked to campaigns exploiting these tools, using them to mask their activity as standard hardware interaction. In BYOD environments, or in units with weak asset management, this becomes a high-risk exposure point.
For executives, this surfaces a critical operational vulnerability. Most organizations have strict protocol for software risks, but fewer have enforceable policies for unauthorized hardware. These devices bypass policy enforcement, user authentication, and monitoring, creating a backdoor that looks like legitimate IT access. The concern here isn’t just what attackers are doing, it’s also about what employees and vendors are unknowingly plugging into your infrastructure.
Mitigation starts with inventory discipline. You need real-time awareness of every device within your network perimeter, software and hardware alike. Asset management must evolve beyond just endpoint agents and software compliance. It should expand to include device scanning at the physical and firmware level, particularly for unmanaged or atypical inputs. If a JetKVM is plugged into a production workstation and no system detects it, then you’re operating in the dark.
ReliaQuest’s August 2025 report highlights such a case, where an unauthorized JetKVM device was installed internally, escalating the company’s exposure silently. Control wasn’t regained through conventional security escalation, it came through post-incident analysis, followed by new restrictions to prevent recurrence. That’s reactionary. You want to run proactive systems that detect and alert the moment a new and unapproved device is installed. That’s operational maturity in today’s hardware threat landscape.
Infostealer usage dropped post-crackdown, but major threats persist
Here’s what happened with infostealers: law enforcement took down Lumma’s infrastructure in May 2025. As a result, infostealer activity dropped 67% this quarter. That kind of drop is significant and reflects deliberate, targeted action. But the relief is temporary. Lumma hasn’t disappeared, it’s adapted. It still accounts for 54% of all infostealer-related incidents. That’s more than half of the overall footprint, despite the takedown.
What’s changed is the delivery method. Lumma operators have shifted to fake software cracks, bogus key generators, and tactics like ClickFix, where fake CAPTCHA pages are used to distribute payloads. These attacks don’t require technical sophistication to succeed. They require clicks. That lowers the barrier to entry and increases reach, especially across less-guarded user environments and personal devices.
Other infostealers, Acreed, Vidar, Stealc, are stepping into the space Lumma temporarily occupied. They’re targeting SaaS credentials and minimally monitored platforms like personal productivity accounts and cloud assets. These are high-value surfaces that sit outside legacy detection models. If your security architecture protects only on-premise assets or corporate logins, then you’ve got blind spots attackers can already see.
C-suite leadership needs to address infostealing with the same seriousness as ransomware. The focus should be on credential hygiene, endpoint hardening, and cloud protection policies. Treat every credential as a potential breach vector. If multi-factor authentication isn’t universally enforced, including across contractor chains and third-party platforms, you open the floodgates to these tools.
The numbers make this clear: Lumma was involved in 54% of infostealer incidents even after a major takedown, and overall infostealer activity only dropped after external law enforcement disruption, not through direct enterprise hardening. This signals a need to invest more heavily in internal resilience, rather than hoping suppression from outside will keep pace. Bad actors aren’t slowing down. They’re rebuilding and rearming, fast.
Ransomware victim numbers decreased, but targeting and tactics became more complex
Ransomware operators are shifting from high-volume attacks to more calculated, high-impact campaigns. Public listings of ransomware victims on leak sites dropped by 4.52% in the last quarter. On the surface, that may seem like improvement, but the focus and sophistication of active campaigns tell a different story. Groups like Qilin maintained high activity levels by exploiting unpatched vulnerabilities in internet-facing infrastructure, especially Fortinet FortiGate appliances. The sheer reliability of these exploit vectors means attackers no longer need mass infections.
Sector targeting is changing. The healthcare industry saw a 38% increase in victim count; utilities experienced an 84% spike. These sectors are especially at risk due to operational dependencies. Prolonged downtimes have real-world impact. Attackers understand that, and they’re aligning efforts where disruption brings quick negotiation leverage. Meanwhile, other groups, Akira, SafePay, and Play, recorded notable drops in activity, with victim counts decreasing by 9.42%, 23.14%, and 35.54% respectively. This trend suggests a shift in focus, not a reduction in capability.
For executives, the message is clear. Threat groups are not simply reducing output, they are optimizing it. They’re refining their operations, focusing on sectors with high uptime requirements and historically weak internal patching practices. Legacy software, unmanaged assets, and inconsistent update policies create a perfect foothold for persistent ransomware operators.
Security investment needs to adjust alongside these attacker strategies. Prioritize patch management across externally-facing infrastructure. Build redundancy for business-critical systems in industries with high service level expectations. If you operate in healthcare, energy, or public services, understand that attacker interest is rising due to your risk profile, not falling with broader reductions in leak site numbers.
According to ReliaQuest’s Q3 2025 report, Qilin retained its lead as the most aggressive ransomware group. Healthcare and utility sector targeting rose by 38% and 84%, even while general ransomware publication activity declined slightly. The drop in volume doesn’t mean reduced threat, it signals that smarter, more targeted campaigns are now in play.
Smaller ransomware operations and automation are reshaping the threat landscape
Ransomware is reorganizing. What used to be dominated by a few large syndicates has now splintered into smaller, more agile operations. These groups aren’t just leaner, they’re faster, more adaptable, and built around scalable automation. GLOBAL ransomware is a prime example. It runs an affiliate-based model and leverages AI negotiation bots to handle ransom conversations. That removes the need for manual handling and introduces high consistency into negotiations, regardless of the attacker’s technical background.
We’re also seeing platform flexibility. Groups like Oyster are using AI to manipulate search engines, what’s referred to as SEO poisoning, to mislead users into downloading malware from seemingly legitimate sources. These tactics don’t rely on human creativity. They rely on machine-learned targeting. They scale rapidly, and they react fast to new opportunities.
This fragmentation and automation present a serious challenge. The average company is still tuning detection rules and chasing SIEM alerts, while attackers are rolling out bot-managed extortion loops and large-scale lure networks with minimal human input. That mismatch in operational pace creates a permanent disadvantage if you don’t evolve your defenses.
C-suite leaders should stop measuring cyber risk purely in terms of reputational fallout. The threat is now economic in structure, driven by automation, distributed through cloud services, and commoditized across affiliate networks. AI-enabled, low-overhead operations can outmaneuver rigid defense systems. This reality demands an agile approach to risk: reduce attack surface, invest in AI-driven detection, and make sure your incident response doesn’t rely on dated workflows.
ReliaQuest’s latest report captures this evolution. GLOBAL is cited as a leading example of automated ransomware operations using AI chatbots. Incorporating tactics like SEO poisoning from groups such as Oyster signals that the most capable adversaries are no longer the largest, they’re the most adaptive. You need to respond with frameworks that match that adaptability.
Foundational security failings remain key enablers of successful attacks
Most security failures still start at the most basic level, unpatched systems, weak policy enforcement, and unmonitored devices. Despite progress in advanced threat detection and AI-driven tooling, attackers continue succeeding because fundamental gaps remain open. ReliaQuest’s analysis of recent incidents connects successful breaches to things your team should already control: outdated software, forgotten configurations, and overlooked compliance.
What’s changing is the scale at which these weaknesses are being exploited. Attackers don’t need to discover zero-days to gain access. Known vulnerabilities, often with available patches, are still being used because they’re consistently left unresolved across environments. Combine that with permissive removable media policies, unmanaged BYOD devices, and fragmented third-party integrations, and you’ve got a landscape filled with friction points that attackers know how to navigate.
From an executive perspective, this is where priorities should shift. Most leaders want to invest in “next-gen” cybersecurity because it feels progressive, and in some cases, that’s necessary. But it doesn’t replace the need for structured discipline around the basics. Patch cadences should be enforced across all operating environments. Asset management should include internal endpoints and contractor devices. Security policies must be uniform, enforceable, and auditable.
The emerging threat landscape, ransomware, infostealers, hardware-level infiltration, makes foundational security more important, not less. You can’t expect automation or detection tools to function properly when critical ports are left open, endpoint controls are weak, or visibility is inconsistent across cloud and on-prem infrastructure.
ReliaQuest’s report doesn’t tie every incident to advanced tactics. Many of the observed breaches would have failed if foundational protections had been in place. That’s the opportunity for improvement. Before pushing further into AI-based or automation-heavy solutions, assess whether your organization is consistently applying the most basic protections.
Eliminate known vulnerabilities. Close off unneeded access. Review your hardware exposure. These actions don’t require new innovation, they require focus, routine, and accountability. That’s where meaningful security starts.
In conclusion
This isn’t just about malware, breakout times, or new tools. It’s about pace, precision, and posture. Threat actors are moving faster, automating smarter, and hitting where it hurts, critical services, outdated assets, and unsecured endpoints. Most defenses aren’t failing because they’re weak. They’re failing because they’re slow, fragmented, or overly reliant on legacy thinking.
For executives, the takeaway is clear. Foundational security isn’t optional. Neither is automation. If your response plan still relies on manual triage or reactive patching cycles, you’re already behind. Speed is now part of the threat model. Your security roadmap needs to reflect that, faster decision loops, tighter execution, and better alignment between cyber hygiene and core operations.
Prioritize visibility. Invest in detection that understands behavior, not just signatures. Build muscle memory for rapid response. Enforce controls across endpoints, hardware, cloud, and contractors with the same discipline you apply to financial systems.
Attackers are optimizing. You should be too.