Ransomware
Malware that encrypts victim data and demands payment for decryption. 2024-2026 variants use double extortion (encrypt + threaten to leak exfiltrated data) and triple extortion (add DDoS or customer notification threats). Average payout in 2025: $1.8 million (Sophos State of Ransomware 2025).
More from Threat Intelligence
Advanced Persistent Threat (APT)
A threat actor, typically a nation-state or a well-resourced criminal group, that maintains persistent, targeted access to a specific organization over an extended period (months to years). Named examples: APT28 (Russia), APT29 (Russia), Volt Typhoon (China), Lazarus Group (North Korea), Scattered Spider (mixed affiliate).
Business Email Compromise (BEC)
Fraud schemes in which attackers impersonate executives or vendors via email (often using a compromised account or a spoofed domain) to trigger fraudulent wire transfers or data disclosure. FBI IC3 reports $2.9 billion in BEC losses for 2024 alone, larger than all ransomware losses combined.
Zero-Day
A vulnerability unknown to the vendor and for which no patch exists. Zero-day exploits command high prices on the broker market: iOS zero-click chains $2M+, iMessage $500K, browser sandbox escape $100K-$1M. "N-day" refers to already-patched vulnerabilities that attackers continue to exploit against systems that have not applied the update.
Supply Chain Attack
An attack targeting a trusted third party to compromise downstream consumers. Major examples: SolarWinds (2020), Kaseya (2021), MOVEit (2023), XZ Utils (2024), npm Axios (2026). Defense requires SBOM, dependency pinning, artifact signing (Sigstore), and verification of signed artifacts.
Infostealer
Malware that harvests credentials, session cookies, cryptocurrency wallets, and browser-stored data from compromised endpoints. Major families: RedLine, Raccoon, Lumma, StealC. Infostealers harvested an estimated 16 billion credentials in 2025. Infostealer logs are the pipeline between personal-device compromise and corporate ransomware attacks.
Scattered Spider
Threat group responsible for 2023 MGM Resorts and Caesars Entertainment breaches. Specializes in help desk social engineering and identity provider (Okta, Entra ID) targeting. Active in 2026 with refined playbook combining rate-limit bypass and social engineering.
Apply this to your environment
Our engagements address concepts like ransomware in practice — not just definitions, but how the attack patterns apply to your stack and how to remediate.
