Huntress Report Reveals Surge in Identity-Based Attacks and Ransomware Evolution
Huntress, a managed cybersecurity platform supporting businesses of all sizes, has released its 2026 Cyber Threat Report, uncovering critical shifts in threat actor behavior. The findings highlight a 277% increase in adversaries exploiting remote monitoring and management (RMM) tools, part of a broader trend of "living-off-the-land" tactics, where attackers leverage existing organizational technologies to evade detection.
Key insights from the report include:
- Identity as the new perimeter: Business email compromise (BEC) and identity-related attacks remain the top threats, aligning with warnings from the Australian Cyber Security Centre (ACSC).
- Ransomware consolidation: Over 50% of ransomware incidents or precursors were traced back to just four major threat groups, reflecting a market-like ecosystem where multiple actors collaborate to deploy attacks.
- Shift from encryption to extortion: Ransomware groups like Akira and Qilin are prioritizing data exfiltration over immediate encryption, extending the "time to ransom" to maximize leverage. Double extortion (threatening to leak stolen data alongside encryption) has become a dominant tactic, though some attackers still deploy rapid, disruptive ransomware for immediate impact.
Financial services emerged as a prime target, accounting for 22% of incidents in APAC through April 2024. While large institutions remain at risk, smaller entities such as tax accountants and bookkeepers are particularly vulnerable due to lower cyber resilience. These businesses often handle sensitive client data (e.g., tax documents sent via unencrypted email) but lack robust security measures, making them attractive targets.
The report underscores the financial and reputational stakes: recovery costs for a medium-sized Australian business average $97,000 per attack, while breaches erode customer trust, with 60–70% of U.S. consumers surveyed vowing to abandon small businesses after a compromise. Threat actors exploit this pressure, betting on organizations’ willingness to pay to avoid data leaks and operational disruption.
Huntress TPRM report: https://www.rankiteo.com/company/huntress-labs
{
  "id": "hun1780460675",
  "linkid": "huntress-labs",
  "type": "Cyber Attack",
  "date": "4/2026",
  "severity": "",
  "impact": "",
  "explanation": "N/A (Report publisher, not a victim)"
}
{
    'affected_entities': [
        {'industry': 'financial services',
         'location': 'APAC',
         'size': 'large and small entities',
         'type': 'financial services'},
        {'industry': ['tax accountants', 'bookkeepers'],
         'size': 'small',
         'type': 'small businesses'},
    ],
    'attack_vector': ['exploitation of RMM tools', 'living-off-the-land tactics'],
    'data_breach': {
        'data_encryption': ['partial (ransomware)', 'unencrypted data transmission'],
        'data_exfiltration': True,
        'personally_identifiable_information': True,
        'sensitivity_of_data': 'high',
        'type_of_data_compromised': ['sensitive client data',
                                     'tax documents',
                                     'personally identifiable information'],
    },
    'date_publicly_disclosed': '2026',
    'description': "Huntress released its 2026 Cyber Threat Report, highlighting a 277% increase in adversaries exploiting remote monitoring and management (RMM) tools as part of 'living-off-the-land' tactics. The report emphasizes identity-based attacks, ransomware consolidation, and a shift from encryption to extortion. Financial services were a prime target, with smaller entities like tax accountants and bookkeepers being particularly vulnerable due to lower cyber resilience.",
    'impact': {
        'brand_reputation_impact': '60–70% of U.S. consumers vow to abandon small businesses after a compromise',
        'data_compromised': True,
        'financial_loss': '$97,000 (average recovery cost per attack for medium-sized Australian businesses)',
        'identity_theft_risk': True,
        'operational_impact': 'operational disruption',
    },
    'lessons_learned': 'Identity-based attacks and ransomware evolution require enhanced monitoring of RMM tools and improved cyber resilience, especially for smaller entities handling sensitive data. Threat actors are consolidating and shifting tactics toward data extortion over immediate encryption.',
    'motivation': ['financial gain', 'data extortion', 'operational disruption'],
    'post_incident_analysis': {
        'root_causes': ['exploitation of RMM tools',
                        'living-off-the-land tactics',
                        'low cyber resilience in smaller entities'],
    },
    'ransomware': {
        'data_encryption': True,
        'data_exfiltration': True,
        'ransomware_strain': ['Akira', 'Qilin'],
    },
    'recommendations': [
        'Enhance monitoring of RMM tools and living-off-the-land tactics',
        'Improve cyber resilience for smaller businesses handling sensitive data',
        'Adopt robust security measures to prevent identity-based attacks',
        'Prepare for ransomware threats focusing on data exfiltration and extortion',
    ],
    'references': [{'source': 'Huntress 2026 Cyber Threat Report'},
                   {'source': 'Australian Cyber Security Centre (ACSC)'}],
    'threat_actor': ['Akira', 'Qilin', 'four major threat groups'],
    'title': 'Huntress 2026 Cyber Threat Report: Surge in Identity-Based Attacks and Ransomware Evolution',
    'type': ['identity-based attacks',
             'ransomware',
             'business email compromise (BEC)'],
}