Stay Ahead of Ransomware Livestream: May 2026
Why It Matters
Understanding these evolving tactics helps organizations prioritize defenses—especially backup resilience and credential security—to reduce ransom payouts and operational disruption.
Key Takeaways
- Ransomware operators now prioritize backup destruction over data theft.
- Prior-compromised accounts now represent 30% of initial infection vectors.
- Median dwell time for ransomware incidents dropped to nine days in 2025.
- CVE-2025-61882 and CVE-2025-53770 exploited heavily by threat actors in recent attacks.
- Phishing has risen to the number two initial infection vector.
Summary
The May 2026 SANS Stay Ahead of Ransomware livestream, hosted by Ryan Chapman and Mari DeGrazia, dissected the latest ransomware and cyber-extortion trends using the Mandiant M-Trends 2026 report, which analyzes over 500,000 incident hours from 2025.
Key findings show ransomware groups now aim to destroy backups rather than merely steal data, driving higher ransom demands. Prior-compromised accounts account for 30% of initial infection vectors, up from 15% in 2024, while median dwell time fell to nine days. Two CVEs—CVE-2025-61882 (Oracle E-Business Suite) and CVE-2025-53770 (Microsoft SharePoint)—were repeatedly leveraged, and phishing rose to the second-most common entry point.
Chapman noted, “Operators are focusing on deliberate recovery denial to maximize payoff,” and highlighted Clop’s exploitation of the Oracle vulnerability and LockBit/Warlock’s use of the SharePoint flaw. The report also revealed that 44% of incidents are first disclosed by attackers, with only 41% detected internally.
For enterprises, the data underscores the urgency of hardening backup architectures, monitoring for prior credential compromises, accelerating patch cycles for high-risk CVEs, and reinforcing phishing awareness programs to shrink dwell time and limit extortion leverage.