Ransomware operations continue to evolve. Our threat research team tracks active campaigns and develops detection strategies for the SenseOn platform. Here is what we are seeing in 2026 and how defenders can adapt.
The shift to data extortion
Pure encryption-based ransomware is declining. Attackers have learned that organisations with good backups can recover without paying. The response has been double and triple extortion: steal data before encrypting, then threaten to publish it regardless of whether the victim pays.
This changes the detection calculus. By the time encryption starts, the most damaging phase, data exfiltration, has already happened. Defenders need to detect the precursor activities: reconnaissance, lateral movement, privilege escalation, and staging data for exfiltration.
Supply chain as initial access
Direct phishing and vulnerability exploitation remain common entry points. But we are seeing increased use of supply chain compromise: targeting managed service providers, software vendors, and cloud service integrations to gain access to multiple downstream victims simultaneously.
The challenge is that supply chain access often looks legitimate. The attacker is using valid credentials and authorised tools. Detection must focus on behavioural anomalies: unusual access patterns, unexpected data flows, and privilege usage that deviates from historical baselines.
Detection strategies that work
Focus on behaviours, not signatures. Ransomware variants change constantly. The underlying behaviours, such as credential harvesting, lateral movement, and data staging, are more consistent and detectable.
Monitor for data exfiltration. Watch for large or unusual data transfers, especially to new external destinations. Correlate these with internal access patterns to identify staging activity.
Track privilege escalation. Most ransomware campaigns require elevated privileges. Monitoring for unexpected privilege changes, service account abuse, and pass-the-hash techniques catches campaigns early in the kill chain.
Correlate across the stack. An endpoint alert alone might be a false positive. The same alert correlated with unusual network traffic and a new cloud storage connection becomes a high-confidence incident.
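The cross-stack correlation described above, as an added example that is not SenseOn's code or detection logic: constructed endpoint, network and cloud events for three hosts are graded by how many telemetry layers fire within one 30-minute window, where a large transfer to a destination absent from the host's historical baseline counts as the network layer. The 1 GB threshold, the window length and the event schema are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data), normalised from three sources.
EVENTS = [
    {"ts": "2026-03-02T09:01:00", "src": "endpoint", "host": "ws-17", "type": "credential_dump_tool"},
    {"ts": "2026-03-02T09:12:00", "src": "network", "host": "ws-17", "type": "outbound_flow", "dst": "203.0.113.9", "bytes": 4_800_000_000},
    {"ts": "2026-03-02T09:20:00", "src": "cloud", "host": "ws-17", "type": "new_storage_connection"},
    {"ts": "2026-03-02T11:00:00", "src": "endpoint", "host": "ws-42", "type": "credential_dump_tool"},
    {"ts": "2026-03-02T14:05:00", "src": "network", "host": "ws-08", "type": "outbound_flow", "dst": "198.51.100.20", "bytes": 120_000_000},
]
# Historical baseline (constructed): external destinations each host has used before.
BASELINE = {"ws-17": {"198.51.100.20"}, "ws-08": {"198.51.100.20"}, "ws-42": set()}
LARGE_TRANSFER_BYTES = 1_000_000_000  # assumed threshold; tune to the environment's own baseline

def is_unusual_transfer(event, baseline):
    """Large outbound flow to a destination this host has never used before."""
    return (event["src"] == "network"
            and event.get("bytes", 0) >= LARGE_TRANSFER_BYTES
            and event.get("dst") not in baseline.get(event["host"], set()))

def layer_of(event, baseline):
    """Map an event to the telemetry layer it contributes, or None if it is benign."""
    if event["src"] == "endpoint":
        return "endpoint"
    if event["src"] == "cloud" and event["type"] == "new_storage_connection":
        return "cloud"
    if is_unusual_transfer(event, baseline):
        return "network"
    return None

def correlate(events, baseline, window=timedelta(minutes=30)):
    """Per host, find the window in which the most distinct layers fire and grade it."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    grades = {1: "low", 2: "medium", 3: "high"}  # one layer alone is a weak signal
    results = {}
    for host, evs in by_host.items():
        best = set()
        for anchor in evs:  # slide a window that starts at each event in turn
            t0 = datetime.fromisoformat(anchor["ts"])
            hit = {layer_of(e, baseline) for e in evs
                   if t0 <= datetime.fromisoformat(e["ts"]) <= t0 + window}
            hit.discard(None)
            if len(hit) > len(best):
                best = hit
        if best:
            results[host] = (grades[len(best)], sorted(best))
    return results
```

Running `correlate(EVENTS, BASELINE)` grades ws-17 high (all three layers within 19 minutes), ws-42 low (endpoint alert only) and leaves ws-08 out, since its transfer is small and goes to a destination already in its baseline.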
Building resilience
Detection is one layer. Organisations should also segment networks to limit blast radius, maintain offline backups with tested recovery procedures, and run tabletop exercises that include the data extortion scenario, not just encryption.
The SenseOn platform monitors across endpoints, network, and cloud to detect ransomware precursor behaviours before the damage is done. If you would like to see how our detections work against current campaigns, see it work.